Full Report
Microsoft on Monday attributed the exploitation of a critical security flaw in Fortra GoAnywhere software to a threat actor it tracks as Storm-1175, which used it to facilitate the deployment of Medusa ransomware. The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain
Analysis Summary
# Incident Report: Storm-1175 Exploits GoAnywhere MFT for Medusa Ransomware Deployment
## Executive Summary
The threat actor Storm-1175 exploited an unauthenticated command injection vulnerability (CVE-2025-10035) in Fortra GoAnywhere Managed File Transfer (MFT) software to gain initial access to victim environments. Following exploitation, the actors deployed Remote Monitoring and Management (RMM) tools for persistence and C2, leading to system discovery, lateral movement, and eventual deployment of Medusa ransomware. Microsoft confirmed detection of exploitation starting around September 11, 2025.
## Incident Details
- **Discovery Date:** On or around October 7, 2025 (Microsoft attribution published). Earlier indications of exploitation were noted by watchTowr around September 10, 2025.
- **Incident Date:** Exploitation activity detected starting around September 11, 2025.
- **Affected Organization:** Multiple organizations worldwide (specific names not disclosed).
- **Sector:** Not explicitly stated, but exploitation targets organizations using GoAnywhere MFT.
- **Geography:** Global (implied by Microsoft threat intelligence reporting).
## Timeline of Events
### Initial Access
- **Date/Time:** On or before September 11, 2025 (with indications dating to September 10, 2025).
- **Vector:** Exploitation of **CVE-2025-10035** in Fortra GoAnywhere MFT.
- **Details:** A critical deserialization bug (CVSS 10.0) that allows unauthenticated command injection, potentially leading to Remote Code Execution (RCE), via forged license response signatures.
### Lateral Movement
- **Date/Time:** Following initial access.
- **Details:** Attackers leveraged **mstsc.exe** (Windows Remote Desktop Connection) for movement across the network after initial system discovery.
### Data Exfiltration/Impact
- **Date/Time:** Post-persistence and discovery phases.
- **Details:** The ultimate goal was the deployment of **Medusa Ransomware**. Data exfiltration observed in at least one victim environment using **Rclone**.
### Detection & Response
- **How it was discovered:** Microsoft Threat Intelligence observed and attributed the activity. watchTowr had previously indicated that exploitation was ongoing.
- **Response actions taken:** Microsoft published analysis linking the Storm-1175 infrastructure and techniques to the GoAnywhere flaw and the Medusa ransomware payload.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2025-10035** (GoAnywhere MFT deserialization vulnerability).
- **Persistence:** Dropping Remote Monitoring and Management (RMM) tools such as **SimpleHelp** and **MeshAgent**. Creation of malicious **.jsp files** within GoAnywhere MFT directories.
- **Privilege Escalation:** Not explicitly detailed, but RCE from the initial vulnerability implies system-level control was achievable.
- **Defense Evasion:** Use of legitimate administrative tools (`mstsc.exe`) and established C2 infrastructure (Cloudflare tunnel).
- **Credential Access:** Not explicitly detailed, though credentials are typically needed for the persistence and RDP-based lateral movement observed.
- **Discovery:** Execution of commands for user, network, and system discovery.
- **Lateral Movement:** Use of **mstsc.exe** (RDP).
- **Collection:** System and user discovery followed by data staging (implied by the subsequent exfiltration).
- **Exfiltration:** Observed use of **Rclone**.
- **Impact:** Deployment of **Medusa Ransomware**.
## Impact Assessment
- **Financial:** Not specified, but includes costs associated with ransomware recovery and breach remediation.
- **Data Breach:** Type of data not specified; exploitation allowed for data exfiltration prior to ransomware deployment.
- **Operational:** Significant operational disruption expected due to the deployment of Medusa Ransomware.
- **Reputational:** Negative impact due to the confirmation of a zero-day exploitation and month-long silent compromise.
## Indicators of Compromise
- **Network indicators:** Command and Control (C2) traffic utilizing **Cloudflare tunnels** associated with dropped RMMs (SimpleHelp/MeshAgent).
- **File indicators:** Dropped Remote Monitoring and Management executables (**SimpleHelp, MeshAgent**); Malicious **.jsp files** in GoAnywhere MFT directories.
- **Behavioral indicators:** Use of **mstsc.exe** for internal lateral movement after initial compromise; Use of **Rclone** for bulk data transfer/exfiltration.
## Response Actions
- **Containment:** Not explicitly detailed, but required immediate patching of GoAnywhere MFT (version 7.8.4 or Sustain Release 7.6.3+). Isolation of compromised systems.
- **Eradication:** Removal of RMM tools (SimpleHelp, MeshAgent), malicious JSP files, and any attacker-created accounts.
- **Recovery:** Full restoration of impacted systems, which may depend on ransomware decryption or backup-restoration procedures.
## Lessons Learned
- The critical nature of unauthenticated RCE vulnerabilities (CVSS 10.0) in public-facing applications like MFT solutions cannot be overstated.
- Attackers like Storm-1175 are leveraging specific software flaws for immediate deployment of high-impact payloads (Medusa Ransomware).
- There is a significant gap in immediate customer notification when critical vulnerabilities are suspected to be exploited in the wild, leading to extended silent compromise periods.
## Recommendations
- **Patch Immediately:** Apply patches for CVE-2025-10035 in GoAnywhere MFT (update to v7.8.4 or newer).
- **Audit Persistence:** Search all environments for evidence of RMM tools (SimpleHelp, MeshAgent) and suspicious `.jsp` file creation in MFT directories.
- **Monitor Outbound Traffic:** Scrutinize network traffic for unusual internal use of legitimate tools like RDP (`mstsc.exe`) and for C2 communications over tunnels (e.g., Cloudflare tunnel indicators).
- **Zero Trust Segmentation:** Implement strong network segmentation to limit the effectiveness of lateral movement techniques like RDP post-initial compromise.
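The "Audit Persistence" recommendation above can be turned into a simple hunt over a GoAnywhere MFT install tree. The script below is an added example, not code from Microsoft, Fortra or this report; it flags `.jsp` files modified on or after the September 10, 2025 exploitation window and any file whose name matches the dropped tools named in the report (SimpleHelp, MeshAgent, Rclone). The directory layout it builds for the demo is constructed and does not reflect Fortra's real install paths.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Earliest exploitation indication given in the report (watchTowr, Sept 10, 2025).
EXPLOITATION_START = datetime(2025, 9, 10, tzinfo=timezone.utc)
# Lower-cased name fragments of the tools the report says were dropped.
SUSPECT_BINARIES = ("simplehelp", "meshagent", "rclone")


def scan_mft_tree(root, since=EXPLOITATION_START):
    """Walk an MFT install tree; return .jsp files newer than `since` and suspect tool files."""
    root = Path(root)
    findings = {"recent_jsp": [], "suspect_binaries": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name.endswith(".jsp"):
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                findings["recent_jsp"].append(rel)
        if any(tool in name for tool in SUSPECT_BINARIES):
            findings["suspect_binaries"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def _write(path, mtime=None):
    """Create a placeholder file, optionally back-dating its mtime (epoch seconds)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("placeholder")
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def build_sample_tree():
    """Constructed demo tree (hypothetical layout) with one benign and one suspicious JSP plus dropped tools."""
    root = Path(tempfile.mkdtemp(prefix="mft_hunt_"))
    old = datetime(2024, 1, 15, tzinfo=timezone.utc).timestamp()    # pre-dates the campaign
    new = datetime(2025, 9, 12, tzinfo=timezone.utc).timestamp()    # inside the exploitation window
    _write(root / "webapps" / "ROOT" / "index.jsp", old)            # legitimate, ignored
    _write(root / "webapps" / "ROOT" / "x.jsp", new)                # recently added JSP: flagged
    _write(root / "tmp" / "MeshAgent.exe", old)                     # dropped RMM agent: flagged
    _write(root / "tmp" / "rclone.conf", old)                       # exfiltration tool config: flagged
    _write(root / "logs" / "goanywhere.log", old)                   # benign
    return root


if __name__ == "__main__":
    print(scan_mft_tree(build_sample_tree()))
```

Point `scan_mft_tree()` at the real install directory on a host under review; a non-empty result is a lead to triage, not proof of compromise by itself.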