Full Report
Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks. [...]
Analysis Summary
# Threat Actor: Storm-1175
## Attribution & Identity
- **Name:** Storm-1175
- **Origin:** China-based
- **Motivation:** Financially motivated cybercrime
- **Associations:** Recognized as an affiliate in the Medusa ransomware ecosystem. Also historically linked by Microsoft to operations involving Black Basta and Akira ransomware.
## Activity Summary
Storm-1175 is characterized by a "high-velocity" operational tempo, rapidly transitioning from initial access to data exfiltration and ransomware deployment—often within 24 to 72 hours. The group specializes in weaponizing n-day and zero-day vulnerabilities in internet-facing assets. Notably, they have been observed exploiting critical vulnerabilities as zero-days (up to a week before official patches are released) or within 24 hours of public disclosure.
## Tactics, Techniques & Procedures
- **Vulnerability Research & Weaponization:** Rapidly weaponizing new exploits; potentially leverages exploit brokers.
- **Exploit Chaining:** Using multiple vulnerabilities in sequence to gain access and establish persistence.
- **Persistence & Privilege Escalation:** Creating new user accounts on compromised systems.
- **Lateral Movement & Credential Theft:** Stealing credentials following initial breach.
- **Defense Evasion:** Disabling endpoint security/antivirus software before payload execution.
- **RMM Abuse:** Deploying Remote Monitoring and Management (RMM) software for persistent remote access.
- **Exfiltration-to-Ransom:** Speedy exfiltration of data followed by the deployment of Medusa ransomware.
- **MITRE ATT&CK Mapping (Inferred):**
  - Exploit Public-Facing Application (T1190)
  - Create Account (T1136)
  - Impair Defenses: Disable or Modify Tools (T1562.001)
  - Remote Services: Remote Monitoring and Management Software (T1219)
## Targeting
- **Sectors:** Healthcare, Education, Professional Services, Finance, and Critical Infrastructure.
- **Geography:** Primarily Australia, United Kingdom, and the United States.
- **Victims:** Over 300 critical infrastructure organizations (associated with broader Medusa operations).
## Tools & Infrastructure
- **Malware Families:** Medusa Ransomware, Black Basta, Akira.
- **Exploited Products & CVEs:**
  - **GoAnywhere MFT:** CVE-2025-10035 (zero-day use)
  - **SmarterTools SmarterMail:** CVE-2026-23760 (zero-day use), CVE-2025-52691
  - **Microsoft Exchange:** CVE-2023-21529
  - **PaperCut:** CVE-2023-27351, CVE-2023-27350
  - **Ivanti Connect Secure/Policy Secure:** CVE-2023-46805, CVE-2024-21887
  - **ConnectWise ScreenConnect:** CVE-2024-1709, CVE-2024-1708
  - **JetBrains TeamCity:** CVE-2024-27198, CVE-2024-27199
  - **SimpleHelp:** CVE-2024-57726, CVE-2024-57727, CVE-2024-57728
  - **CrushFTP:** CVE-2025-31161
  - **BeyondTrust:** CVE-2026-1731
  - **VMware ESXi:** Authentication-bypass flaw exploitation.
## Implications
Storm-1175 represents a significant shift in ransomware affiliate capabilities. Their ability to acquire or develop zero-day exploits, combined with their high operational tempo, reduces the "dwell time" available for defenders to detect and intercept attacks. Their focus on edge devices and web-facing management tools makes them a high-tier threat to organizations with large external attack surfaces.
## Mitigations
- **Rapid Patching:** Prioritize "Emergency" patching for all perimeter-facing assets (MFT, VPN, Mail servers) within 24 hours of release.
- **Attack Surface Management:** Regularly audit and decommission unused web-facing software or management consoles.
- **Monitor for RMM Tools:** Implement alerts for the unauthorized installation of RMM software (e.g., AnyDesk, ScreenConnect, SimpleHelp).
- **Log Analysis:** Monitor specifically for the creation of unexpected local or domain administrative accounts.
- **Endpoint Protection:** Ensure EDR tools are configured with "Tamper Protection" enabled to prevent actor-initiated disabling of security software.
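The two log-based mitigations above (unexpected administrative accounts, unauthorized RMM installs) can be checked with a small correlation routine. The following is an added example, not code from the report or from Microsoft; it uses the real Windows event IDs 4720 (user account created), 4732 (member added to a local group) and 7045 (new service installed), but the flat field names and the sample events are constructed assumptions, not a real log format.

```python
from datetime import datetime, timedelta

# RMM products named in the mitigations above; matched case-insensitively
# against the installed service name and image path (assumption: these
# strings appear in the 7045 record when the tool is installed as a service).
RMM_MARKERS = ("anydesk", "screenconnect", "simplehelp")
ADMIN_WINDOW = timedelta(hours=1)  # create-then-promote window to alert on

# Constructed sample events (not captured logs), simplified to flat fields.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:14:05", "id": 4720, "target": "svc_backup2", "subject": "WEBSRV01$"},
    {"time": "2025-01-10T02:15:40", "id": 4732, "target": "svc_backup2", "group": "Administrators"},
    {"time": "2025-01-10T02:20:11", "id": 7045, "service": "AnyDesk Service",
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"time": "2025-01-10T09:00:00", "id": 4720, "target": "jdoe", "subject": "HELPDESK01$"},
    {"time": "2025-01-10T09:30:00", "id": 7045, "service": "Print Spooler Helper",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]


def detect_indicators(events, window=ADMIN_WINDOW):
    """Return (alert_type, detail) tuples for the create-account and RMM patterns."""
    alerts = []
    created = {}  # account name -> creation time, from 4720 events
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = t
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            # A freshly created account promoted to local admin within the
            # window is the "create account -> escalate" pattern above.
            acct = ev["target"]
            if acct in created and t - created[acct] <= window:
                age = t - created[acct]
                alerts.append(("new_admin_account", f"{acct} promoted {age} after creation"))
        elif ev["id"] == 7045:
            haystack = f'{ev.get("service", "")} {ev.get("image", "")}'.lower()
            if any(marker in haystack for marker in RMM_MARKERS):
                alerts.append(("rmm_install", ev.get("image", ev.get("service", ""))))
    return alerts


if __name__ == "__main__":
    for alert_type, detail in detect_indicators(SAMPLE_EVENTS):
        print(alert_type, detail)
```

In production the same logic would key on the full Security/System event schema and add an allowlist of approved RMM tools so that sanctioned deployments do not alert.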