Full Report
New findings from Microsoft show that the threat actor Storm-1175 is intensifying high-tempo ransomware operations by aggressively targeting... The post Storm-1175 exploits web-facing systems to drive ransomware attacks across healthcare and services in US, UK, Australia appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Storm-1175
## Attribution & Identity
**Storm-1175** is a financially motivated threat actor tracked by Microsoft (the "Storm-" prefix is Microsoft's designation for an activity cluster not yet attributed to a named actor). It is a prolific ransomware operator characterized by a high operational tempo and proficiency in exploiting internet-facing assets, and is primarily associated with the deployment of **Medusa ransomware**.
## Activity Summary
Storm-1175 specializes in high-velocity ransomware campaigns that exploit the window between the disclosure of a vulnerability and the adoption of its patch. Since 2023 the group has intensified its operations, often moving from initial access to ransomware deployment within 24 to 72 hours, and sometimes within a single day. Recent campaigns have focused on rapidly weaponizing n-day and zero-day vulnerabilities in web-facing enterprise applications to gain unauthenticated access.
## Tactics, Techniques & Procedures
- **Vulnerability Research:** Rapid weaponization of n-day flaws, plus the capability to leverage zero-day exploits (in some cases up to a week before public disclosure).
- **Initial Access:** Exploitation of public-facing applications and chaining multiple exploits.
- **Persistence:** Creation of new user accounts and deployment of remote monitoring and management (RMM) software.
- **Lateral Movement:** Utilizing legitimate administrative tools and RMM software to move across the network stealthily.
- **Defense Evasion, Credential Access & Exfiltration:** Tampering with security solutions, credential theft, and exfiltration of data before ransomware payloads are launched (double extortion).
- **Cross-Platform Targeting:** Extensive focus on Windows environments with expanding capabilities to target Linux systems (e.g., Oracle WebLogic).
**MITRE ATT&CK IDs:**
- Exploit Public-Facing Application [T1190]
- Create Account [T1136]
- Remote Access Tools [T1219] (RMM software used for persistence and C2)
- Impair Defenses: Disable or Modify Tools [T1562.001]
- Exfiltration Over C2 Channel [T1041]
- Data Encrypted for Impact [T1486]
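The persistence stage described above (a new local account, then an RMM agent on the same host) is one of the few points in this chain where the defender's own telemetry is decisive. The following detection is an added example written for this page, not code from Microsoft or Industrial Cyber. It runs over constructed Windows Security/System event records (4720 account created, 4732 member added to a local group, 7045 new service installed); the RMM signature list, the approved-RMM and provisioning-account allowlists, and the 24-hour correlation window are assumptions to tune for a given environment.

```python
"""Detect the persistence pattern attributed to Storm-1175: a new local
account (T1136) followed by an RMM agent install (T1219) on the same host.
Added example for this page, not code from Microsoft or Industrial Cyber.
Event records are constructed inline; a SIEM or Windows Event Forwarding
pipeline would supply them in practice."""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings that identify common RMM agents in service names / image paths.
# Assumption: tune this to the products your environment actually licenses.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "screenconnect": "ConnectWise ScreenConnect",
    "simplehelp": "SimpleHelp",
    "ateraagent": "Atera",
    "teamviewer": "TeamViewer",
    "splashtop": "Splashtop",
}
APPROVED_RMM = {"ConnectWise ScreenConnect"}   # assumption: the sanctioned corporate tool
PROVISIONING_ACCOUNTS = {"svc_provision"}       # assumption: accounts allowed to create users
CORRELATION_WINDOW = timedelta(hours=24)        # assumption: matches the 24-72h intrusion tempo

# Constructed sample events: Security 4720 (account created), 4732 (member added
# to local group), System 7045 (new service installed). A creator of HOST$ means
# the account was created by a process running as SYSTEM, e.g. a web shell.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T02:14:05", "host": "EXCH01", "id": 4720,
     "subject": "EXCH01$", "target": "sysadm"},
    {"ts": "2025-03-10T02:14:09", "host": "EXCH01", "id": 4732,
     "subject": "EXCH01$", "group": "Administrators", "member": "sysadm"},
    {"ts": "2025-03-10T02:31:40", "host": "EXCH01", "id": 7045,
     "service": "AnyDesk Service", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"ts": "2025-03-10T09:00:00", "host": "WKS042", "id": 4720,
     "subject": "svc_provision", "target": "jdoe"},
    {"ts": "2025-03-10T09:05:00", "host": "WKS042", "id": 7045,
     "service": "ScreenConnect Client",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]


def identify_rmm(event):
    """Return the RMM product a 7045 event installs, or None if it is not an RMM."""
    haystack = (event.get("service", "") + " " + event.get("image", "")).lower()
    for needle, product in RMM_SIGNATURES.items():
        if needle in haystack:
            return product
    return None


def detect(events):
    """Return (severity, host, description) findings, oldest first per host."""
    findings = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda x: x["ts"]):
        by_host[ev["host"]].append(dict(ev, when=datetime.fromisoformat(ev["ts"])))

    for host, evs in by_host.items():
        creations = []          # unsanctioned 4720s seen so far on this host
        for e in evs:
            if e["id"] == 4720 and e["subject"] not in PROVISIONING_ACCOUNTS:
                creations.append(e)
                findings.append(("medium", host,
                                 f"local account {e['target']} created by {e['subject']}"))
            elif e["id"] == 4732 and e.get("group") == "Administrators":
                findings.append(("medium", host,
                                 f"{e['member']} added to local Administrators by {e['subject']}"))
            elif e["id"] == 7045:
                product = identify_rmm(e)
                if product is None or product in APPROVED_RMM:
                    continue
                # Escalate when the install follows an unsanctioned account creation
                recent = [c for c in creations if e["when"] - c["when"] <= CORRELATION_WINDOW]
                desc = f"unapproved RMM {product} installed via service '{e['service']}'"
                if recent:
                    desc += f"; follows creation of {recent[-1]['target']}"
                findings.append(("high" if recent else "medium", host, desc))
    return findings


if __name__ == "__main__":
    for sev, host, desc in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper():6}] {host}: {desc}")
```

On the sample, the Exchange host produces three findings and the workstation none: the account there was created by the sanctioned provisioning account and the agent is the approved product. The escalation to high on the AnyDesk install is the point of the correlation; either event alone is routine noise in most estates, the pair within one day on a server is not.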
## Targeting
- **Sectors:** Healthcare (primary focus), Education, Professional Services, Finance, and Critical Infrastructure.
- **Geography:** United States, United Kingdom, and Australia.
- **Victims:** Over 300 organizations across critical infrastructure sectors (a figure associated with Medusa ransomware activity overall, not Storm-1175 alone).
## Tools & Infrastructure
- **Malware:** Medusa Ransomware.
- **Vulnerable Platforms Targeted:**
- Microsoft Exchange
- Ivanti Connect Secure / Policy Secure
- ConnectWise ScreenConnect
- PaperCut
- JetBrains TeamCity
- CrushFTP, GoAnywhere MFT
- Oracle WebLogic (Linux)
- BeyondTrust, SimpleHelp, SmarterMail
- **Infrastructure:** Use of Remote Monitoring and Management (RMM) tools for command and control and persistence.
## Implications
Storm-1175 represents a high-tier threat because of its speed. By weaponizing vulnerabilities days before or immediately after disclosure, the group leaves a monthly patch cadence unable to close the exposure window. Its focus on healthcare and services suggests a strategy of targeting time-sensitive, high-impact environments to maximize the likelihood of a ransom payment.
## Mitigations
- **Prioritize External Attack Surface Management (EASM):** Identify and shield all internet-facing assets, specifically enterprise applications like Exchange and VPN gateways.
- **Rapid Patching:** Implement an emergency patching protocol for vulnerabilities in web-facing systems, since the group weaponizes such flaws within days of disclosure and occasionally before it; where a fix is not yet available, apply the vendor's interim mitigations or take the service offline.
- **Endpoint Protection:** Use EDR/XDR solutions to monitor for the unauthorized installation of RMM tools and the creation of unexpected local administrative accounts.
- **Log Monitoring:** Audit logs for exploitation attempts reaching web-facing services and monitor for "living-off-the-land" techniques during the lateral movement phase.
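For the log-monitoring item, the signal worth hunting is not any single request but the sequence: a scanner user-agent enumerating an application, a run of error responses, then a successful response from a server-side script that the same source had just tried to create. The script below is an added example for this page, not code from Microsoft or Industrial Cyber; it triages constructed Apache/nginx combined-format access-log lines for exploitation attempts against a public-facing application (T1190). The payload markers, tool user-agent list, script extensions and error threshold are assumptions to tune against a real baseline.

```python
"""Triage web-server access logs for exploitation attempts against a
public-facing application (T1190) and for the web-shell activity that
typically follows. Added example, not code from Microsoft or the article.
Log lines are constructed; the markers, user-agent list and threshold are
assumptions to tune against your own baseline."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

PAYLOAD_MARKERS = ("../", "..\\", "\x00", "${", "<script", "cmd=")   # assumption: heuristic list
TOOL_UAS = ("python-requests", "curl/", "go-http-client", "nuclei", "sqlmap")
SCRIPT_EXT = (".aspx", ".asp", ".jsp", ".php", ".cgi")
ERROR_THRESHOLD = 3          # errors from one source before a 2xx to a script is suspicious

# Constructed sample: one source probes with a tool, trips errors, then gets a
# 200 from a script it had first tried to POST; a normal user browses alongside.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:02:01:11 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:02:01:12 +0000] "GET /ecp/ HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:02:01:13 +0000] "GET /..%2f..%2fwindows/win.ini HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:02:01:15 +0000] "POST /owa/auth/tmp.aspx HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:02:03:40 +0000] "GET /owa/auth/tmp.aspx?cmd=whoami HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.20 - - [10/Mar/2025:02:02:00 +0000] "GET /owa/ HTTP/1.1" 200 8870 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
    '198.51.100.20 - - [10/Mar/2025:02:02:05 +0000] "POST /owa/auth.owa HTTP/1.1" 302 0 "https://mail.example.test/owa/" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"',
]


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(unquote(rec["path"]))   # double-decode to catch %25 tricks
    return rec


def triage(lines):
    """Return (rule, source_ip, detail) findings in the order they trigger."""
    findings = []
    errors = defaultdict(int)       # 4xx/5xx count per source
    probed = defaultdict(set)       # distinct paths hit with a tool user-agent
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip, low = r["ip"], r["decoded"].lower()
        route = low.split("?", 1)[0]
        if any(marker in low for marker in PAYLOAD_MARKERS):
            findings.append(("payload", ip, f'{r["method"]} {r["path"]} -> {r["status"]}'))
        if any(tool in r["ua"].lower() for tool in TOOL_UAS):
            probed[ip].add(route)
        if r["status"] >= 400:
            errors[ip] += 1
        elif r["status"] < 300 and route.endswith(SCRIPT_EXT) and errors[ip] >= ERROR_THRESHOLD:
            findings.append(("scan-then-hit", ip,
                             f'{r["status"]} from {route} after {errors[ip]} errors'))
    for ip, routes in probed.items():
        if len(routes) >= 3:
            findings.append(("tool-enumeration", ip,
                             f"{len(routes)} distinct paths with scanner user-agent"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in triage(SAMPLE_LOG):
        print(f"{rule:17} {ip:15} {detail}")
```

The "scan-then-hit" rule is the one to page on: a 2xx from a server-side script after a burst of errors from the same source is the shape of a dropped web shell being invoked, and it triggers here regardless of which product or CVE was abused. The payload and tool-enumeration rules are noisy on their own and are better used to enrich that alert than to raise one.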