Cybersecurity Alert: The Rise of Storm-1175 and Medusa Ransomware Attacks
In a significant revelation, Microsoft has issued a warning regarding the intensification of ransomware activities perpetrated by a prolific cybercrime group known as Storm-1175. This group has been systematically exploiting n-day and zero-day vulnerabilities in a series of high-tempo Medusa ransomware attacks over the past three years. The blog post published by Microsoft on April 6 details the operational methodologies and targets of this financially motivated entity, shedding light on its aggressive tactics.
Storm-1175 has been characterized by its ability to exploit the critical window between the disclosure of vulnerabilities and the deployment of patches. Microsoft’s analysis offers a glimpse into the alarming effectiveness of this group, noting a particular focus on high-impact sectors such as healthcare, education, professional services, and finance. Notably, the group has executed successful intrusions in multiple countries, including Australia, the United Kingdom, and the United States.
Since the beginning of 2023, Storm-1175 has exploited at least 16 vulnerabilities, three of them zero-days. One particularly concerning instance involved the CVE-2025-10035 flaw within the GoAnywhere Managed File Transfer solution. This vulnerability was exploited merely a week before it was publicly disclosed last year, highlighting the urgency and hidden dangers posed by vulnerabilities that are under attack before defenders know they exist.
Microsoft outlines several typical tactics, techniques, and procedures (TTPs) employed by Storm-1175 that contribute to the group’s operational success:
- Initial Foothold Creation: The group often begins its intrusions by deploying web shells or dropping remote access payloads. This allows it to transition rapidly from initial access to ransomware deployment, typically within one to six days.
- Persistence Establishment: Storm-1175 secures its foothold by creating new user accounts and placing them in the administrators group to ensure continued access.
- Strategic Reconnaissance and Lateral Movement: The group utilizes various tools for reconnaissance and lateral movement, including living-off-the-land binaries (LOLBins) like PowerShell and PsExec. Furthermore, it establishes Cloudflare tunnels to facilitate lateral movement through Remote Desktop Protocol (RDP), enabling the delivery of malicious payloads across devices.
- Post-Compromise Activities: Once a system is compromised, Storm-1175 employs multiple remote monitoring and management (RMM) tools. These enable the creation of new user accounts, the enabling of alternative command-and-control (C2) methods, the delivery of additional payloads, and the maintenance of interactive remote desktop sessions.
- Utilization of Legitimate Software: The group sometimes leverages legitimate software deployment tools like PDQ Deployer for the covert installation of applications aimed at lateral movement.
- Credential Management: Tools like Impacket are occasionally used for lateral movement and credential dumping, which is indicative of a sophisticated approach toward gaining continuous access.
- Antivirus Evasion: There have been instances where Storm-1175 modifies settings in Microsoft Defender Antivirus to prevent it from blocking ransomware payloads, showcasing a high level of cunning in its strategies.
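Two of the behaviours listed above, a freshly created account being added to the local Administrators group and Microsoft Defender Antivirus settings being changed, leave standard Windows event records that a defender can correlate. The following script is an added example written for this article, not code from Microsoft's report; it runs over a constructed set of events (using the real Windows event IDs 4720, 4732 and 5007, with simplified field contents) and flags hosts that show both patterns.

```python
"""Correlate constructed Windows event records for the new-admin-account and
Defender-tampering behaviours attributed to Storm-1175 (illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4720 = user account created, 4732 = member added
# to a security-enabled local group, 5007 = Defender configuration changed.
# Field layout is simplified; real events carry far more attributes.
SAMPLE_EVENTS = [
    {"host": "web01", "time": "2025-09-12T02:14:05", "id": 4720, "user": "svc_backup"},
    {"host": "web01", "time": "2025-09-12T02:14:09", "id": 4732, "user": "svc_backup",
     "group": "Administrators"},
    {"host": "web01", "time": "2025-09-12T02:31:40", "id": 5007,
     "setting": "Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"host": "fs02", "time": "2025-09-12T09:00:00", "id": 4720, "user": "jdoe"},
    {"host": "fs02", "time": "2025-09-13T11:45:00", "id": 4732, "user": "jdoe",
     "group": "Remote Desktop Users"},
    {"host": "db03", "time": "2025-09-12T10:05:00", "id": 5007,
     "setting": "Exclusions\\Paths\\C:\\Temp = 0x0"},
]

def _t(s):
    return datetime.fromisoformat(s)

def find_suspicious_hosts(events, window=timedelta(hours=1)):
    """Return {host: [reasons]} for hosts where a newly created account was
    added to Administrators within `window`, or Defender real-time
    monitoring was switched off. Hosts with neither pattern are omitted."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        reasons = []
        created = {e["user"]: _t(e["time"]) for e in evs if e["id"] == 4720}
        for e in evs:
            if (e["id"] == 4732 and e.get("group") == "Administrators"
                    and e["user"] in created):
                delta = _t(e["time"]) - created[e["user"]]
                if timedelta(0) <= delta <= window:
                    reasons.append(f"new account {e['user']} added to Administrators")
            if e["id"] == 5007 and "DisableRealtimeMonitoring = 0x1" in e.get("setting", ""):
                reasons.append("Defender real-time monitoring disabled")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, why in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(why))
```

In the constructed data only web01 is flagged: fs02 adds a new account to a non-admin group a day later, and db03 changes an exclusion rather than disabling real-time protection, so neither trips the rules.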
Mitigating the Threat Posed by Storm-1175
The severity of the threat presented by Storm-1175 has prompted Microsoft to outline several recommendations to bolster defenses against such attacks. For organizations vulnerable to similar intrusions, the tech giant advises the immediate implementation of perimeter scanning tools to assess the breadth of their attack surfaces.
One of the primary recommendations is the isolation of web-facing systems from the public internet, maintaining a guarded network boundary that only allows access through secure channels such as virtual private networks (VPNs). When necessary, these systems should be further protected by a web application firewall (WAF), a reverse proxy, or a perimeter network, commonly referred to as a demilitarized zone (DMZ).
To fortify defenses, Microsoft further advises organizations to focus on:
- Credential Hygiene Best Practices: Following Microsoft's published guidance on credential management limits a threat actor's ability to move laterally.
- Implementation of Security Features: Deploying tools like Credential Guard can secure credentials stored in memory, while enabling tamper protection helps prevent attackers from disabling security measures.
- Rigorous RMM Practices: It is advisable to eliminate unapproved RMM installations while ensuring that Multi-Factor Authentication (MFA) is applied to approved tools.
- Configuration of Extended Detection and Response (XDR): Properly configuring XDR tools can help prevent common attack techniques frequently utilized in ransomware incidents.
As the cybersecurity landscape continues to evolve, the emergence of sophisticated groups like Storm-1175 exemplifies the critical need for organizations to remain vigilant and proactive in defending against ever-present threats.