Microsoft Threat Intelligence has identified a financially motivated cybercriminal group, tracked as Storm-1175, that is launching fast-paced ransomware attacks.
This group specifically targets web-facing systems that have known vulnerabilities, striking during the critical window between public disclosure and patch deployment.
Once Storm-1175 successfully exploits a system, they move quickly from their initial break-in to data theft and the deployment of Medusa ransomware, often within 24 hours.
Rapid Vulnerability Weaponization
The success of Storm-1175’s campaigns relies heavily on their ability to weaponize newly discovered vulnerabilities to gain access to networks.
While they typically exploit N-day vulnerabilities (security flaws that are publicly known but not yet patched by the victim), they can also use zero-day exploits.

Post-Compromise Tactics
After gaining initial access, usually by dropping a remote access tool or creating a web shell, Storm-1175 focuses on maintaining a permanent hold on the network.
They often create new user accounts and immediately grant them administrator privileges to ensure persistent access.
From there, they explore the network using built-in system tools like PowerShell and PsExec, a practice known as “living off the land” that helps them avoid detection.

Storm-1175 relies heavily on legitimate Remote Monitoring and Management (RMM) software to control compromised environments.
They abuse tools like AnyDesk, SimpleHelp, and ConnectWise ScreenConnect to maintain secret access, create alternative communication channels, and move laterally across the network.
They also use specialized network tools, such as Impacket, to steal passwords and other administrative credentials, giving them complete control over the system.
Before launching the final stage of their attack, the group actively tampers with security software to ensure their payloads execute successfully.
They modify antivirus registry settings and set exclusion paths to prevent the system from blocking their malicious activity.
Once the security defenses are disabled, Storm-1175 uses data synchronization tools, such as Rclone, to quietly steal large amounts of sensitive data.
According to Microsoft research, they use automated software deployment tools to distribute and execute the Medusa ransomware across the entire network.
| Attack Phase | Tactics & Techniques | Tools Leveraged |
|---|---|---|
| Initial Access | Exploiting newly disclosed vulnerabilities (N-days and zero-days) on public-facing servers. Using forged license responses or deserialization flaws. | GoAnywhere MFT, Microsoft Exchange, SmarterMail, JetBrains TeamCity, ConnectWise. |
| Execution & Persistence | Dropping remote access payloads and web shells (e.g., .jsp shells) to maintain a foothold. Creating new administrator accounts. | Web shells, legitimate RMM software (AnyDesk, SimpleHelp, MeshAgent, Atera). |
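A defender-side example, added here and not code from Microsoft or from the article: it scans constructed Windows Security and Sysmon records for two of the behaviours described above, an account that is granted Administrators membership within minutes of being created, and a value written under the Windows Defender Exclusions registry key. The 10-minute window and the sample records are assumptions for illustration.

```python
"""Correlate Windows event records for two Storm-1175 style behaviours:
a freshly created account that is promptly added to Administrators
(Security 4720 followed by 4732), and a Defender exclusion path being
set in the registry (Sysmon event 13, RegistryEvent value set).
The events below are constructed for this example, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event ID, selected fields)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4720, {"TargetUserName": "svc_backup", "SubjectUserName": "webadmin"}),
    ("2024-01-01T10:00:20", 4732, {"MemberName": "svc_backup", "TargetUserName": "Administrators"}),
    ("2024-01-01T10:05:00", 13, {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\rc",
                                "Image": r"C:\Windows\regedit.exe"}),
    ("2024-01-01T11:30:00", 4720, {"TargetUserName": "jdoe", "SubjectUserName": "hr_admin"}),
    ("2024-01-02T09:00:00", 4732, {"MemberName": "jdoe", "TargetUserName": "Administrators"}),
]

# Registry key under which Defender stores exclusion settings (compared case-insensitively)
DEFENDER_EXCLUSIONS = r"hklm\software\microsoft\windows defender\exclusions"


def _ts(s):
    return datetime.fromisoformat(s)


def find_fast_admin_grants(events, window=timedelta(minutes=10)):
    """Return account names added to the local Administrators group within
    `window` of their creation. The window is an assumed tuning value."""
    created = {}
    hits = []
    for ts, eid, f in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort lexically
        if eid == 4720:
            created[f["TargetUserName"]] = _ts(ts)
        elif eid == 4732 and f.get("TargetUserName") == "Administrators":
            member = f["MemberName"]
            if member in created and _ts(ts) - created[member] <= window:
                hits.append(member)
    return hits


def find_exclusion_writes(events):
    """Return registry paths written beneath the Defender Exclusions key."""
    return [f["TargetObject"] for _, eid, f in events
            if eid == 13 and f["TargetObject"].lower().startswith(DEFENDER_EXCLUSIONS)]


if __name__ == "__main__":
    print("fast admin grants:", find_fast_admin_grants(SAMPLE_EVENTS))
    print("exclusion writes:", find_exclusion_writes(SAMPLE_EVENTS))
```

The jdoe account is deliberately not flagged: it was promoted to Administrators a day after creation, outside the correlation window, which is the kind of ordinary administrative change the rule should tolerate.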
Medusa operates on a double-extortion model, meaning the attackers not only lock the victim’s files but also threaten to leak the stolen data on a public website if the ransom is not paid.
To defend against these attacks, security experts strongly recommend isolating web-facing systems from the public internet.
Organizations should also enforce the principle of least privilege, implement strict credential protection like Windows Credential Guard, and turn on tamper-proofing features.
