- Storm-1175 is moving quickly from access to ransomware deployment
- Leverages zero-days and n-days across multiple products
- Targeted healthcare, finance, education and professional services
The Chinese-speaking hacker collective Storm-1175 moves quickly, going from initial access to full system compromise and data exfiltration in weeks, and sometimes in less than 24 hours, experts have warned.
A new report from Microsoft claims that the group was seen exploiting multiple flaws, both zero-day and n-day, in their operations. In some cases, they would even chain different bugs together for better results.
According to the report, Storm-1175 is not a state-sponsored actor, but rather an independent group interested in profit. It primarily targets healthcare organisations, educational companies, professional service providers and companies in the financial sector. The victims are mostly located in the US, UK and Australia.
Dozens of vulnerabilities
Most important here is the speed with which the group operates: “After successful exploitation, Storm-1175 moves quickly from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and in some cases within 24 hours,” the researchers said. “The threat actor’s high operational tempo and skill in identifying exposed perimeter assets has proven successful.”
For initial access, the group slaloms between zero-days and n-days. In the zero-day cases, they were seen exploiting bugs up to a week before public disclosure; in the n-day cases, they moved to exploit the flaw as quickly as possible after disclosure, giving defenders very little time to deploy patches and remedies.
So far, more than 16 vulnerabilities affecting 10 products have been identified. These include Microsoft Exchange (CVE-2023-21529), PaperCut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887) and ConnectWise ScreenConnect (CVE-2024-1708).
Other notable mentions include bugs in JetBrains’ TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728), CrushFTP, SmarterMail (CVE-2025-52691) and BeyondTrust (CVE-2026-1731).
After breaking in, the bad guys deploy a range of tools to enable lateral movement, persistence and stealth. Before deploying the Medusa ransomware variant, they disable any installed antivirus or endpoint protection tools.
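Because the report singles out the disabling of endpoint protection as the step immediately before ransomware deployment, that is a natural detection point for defenders. The following is an added example, not code from Microsoft's report or from TechRadar: it scans Microsoft Defender "Operational" channel events for the real event IDs that record a protection component being switched off (5001, 5010, 5012) or the platform configuration being changed (5007), and raises the severity when several components are disabled on one host within a short window, which looks like a scripted disable rather than an administrator toggling a single setting. The log lines, hostnames and the simplified one-line layout are constructed for the example; production code would read the EVTX channel or a SIEM export instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft Defender "Operational" channel event IDs that record a protection
# component being switched off or reconfigured. The IDs are the real ones; the
# log lines below are constructed for this example and use a simplified
# "<ISO timestamp> <host> <event id> <message>" layout, not the native EVTX format.
DISABLE_EVENTS = {
    5001: "real-time protection disabled",
    5010: "anti-malware scanning disabled",
    5012: "virus scanning disabled",
}
CONFIG_CHANGE_EVENT = 5007  # antimalware platform configuration changed (e.g. exclusions)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<eid>\d+) (?P<msg>.*)$")

# Constructed sample: one host shows a detection followed hours later by a burst of
# disable events (the pattern to catch); another shows a single, quickly reverted toggle.
SAMPLE_LOG = """\
2024-05-01T02:10:05 WS-FIN-07 1116 Windows Defender has detected malware
2024-05-01T02:10:06 WS-FIN-07 1117 Windows Defender has taken action to protect this machine
2024-05-01T03:41:12 WS-FIN-07 5007 Configuration changed: Exclusions\\Paths added
2024-05-01T03:41:13 WS-FIN-07 5001 Real-time protection is disabled
2024-05-01T03:41:15 WS-FIN-07 5010 Scanning for malware is disabled
2024-05-01T03:41:16 WS-FIN-07 5012 Scanning for viruses is disabled
2024-05-01T09:00:00 WS-HR-02 5001 Real-time protection is disabled
2024-05-01T09:05:00 WS-HR-02 5000 Real-time protection is enabled
"""


def parse(log_text):
    """Yield (timestamp, host, event_id, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["host"], int(m["eid"]), m["msg"]


def detect_protection_tampering(log_text, window=timedelta(minutes=5)):
    """Return one alert dict per host that logged a protection-disable event.

    Severity is 'high' when two or more protection components are turned off on
    the same host inside `window` of the first disable, otherwise 'medium'.
    A 5007 configuration change alone never alerts (too noisy), but one seen in
    the window before the first disable is recorded as supporting evidence.
    """
    by_host = defaultdict(list)
    for ts, host, eid, msg in parse(log_text):
        if eid in DISABLE_EVENTS or eid == CONFIG_CHANGE_EVENT:
            by_host[host].append((ts, eid, msg))

    alerts = []
    for host, events in by_host.items():
        events.sort()
        disables = [(ts, eid) for ts, eid, _ in events if eid in DISABLE_EVENTS]
        if not disables:
            continue
        first_ts = disables[0][0]
        burst = {eid for ts, eid in disables if ts - first_ts <= window}
        alerts.append({
            "host": host,
            "first_disable": first_ts.isoformat(),
            "components": sorted(DISABLE_EVENTS[e] for e in burst),
            "config_changed_before": any(
                eid == CONFIG_CHANGE_EVENT and first_ts - window <= ts <= first_ts
                for ts, eid, _ in events
            ),
            "severity": "high" if len(burst) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_protection_tampering(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints a high-severity alert for WS-FIN-07 (three components disabled within seconds, preceded by an exclusion change) and a medium one for WS-HR-02 (a single toggle). The window and the "two or more components" threshold are tuning knobs; the point is to alert on the cluster of disable events rather than on any one of them, since a lone 5001 is common in normal administration.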