Back

Storm-1175 Exploits Multiple Vulnerabilities in Medusa Ransomware Campaigns

Severity: High (Score: 72.6)

Sources: Bleepingcomputer, Blogs.Microsoft

Summary

Microsoft has linked the Storm-1175 cybercriminal group to a series of high-velocity ransomware attacks utilizing both n-day and zero-day exploits. This group has targeted vulnerabilities in various software products, including Microsoft Exchange and SmarterMail, to gain initial access, exfiltrate data, and deploy Medusa ransomware. Recent attacks have significantly impacted sectors such as healthcare, education, and finance across Australia, the UK, and the US. Storm-1175 has exploited over 16 vulnerabilities, including CVE-2025-10035 and CVE-2026-23760, often within days of their disclosure. Microsoft reported that the group has been particularly effective in chaining exploits to maintain persistence on compromised systems. The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in March 2025 regarding the group's activities, which have affected over 300 critical infrastructure organizations in the US. The rapid exploitation of vulnerabilities before patches are available poses a serious threat to organizations worldwide. Key Points: • Storm-1175 exploits both n-day and zero-day vulnerabilities for ransomware attacks. • Recent campaigns have targeted over 16 vulnerabilities across multiple software products. • The group has significantly impacted critical infrastructure organizations in the US and other countries.

Key Entities

  • Data Breach (attack_type)
  • Ransomware (attack_type)
  • Zero-day Exploit (attack_type)
  • Australia (country)
  • United Kingdom (country)
  • United States (country)
  • CVE-2023-21529 (cve)
  • CVE-2023-27350 (cve)
  • CVE-2023-27351 (cve)
  • CVE-2023-46805 (cve)
  • CVE-2024-1708 (cve)
  • Education (company)
  • GoAnywhere MFT (company)
  • Healthcare (industry)
  • Medusa (ransomware_group)
  • Akira (ransomware_group)
  • Black Basta (ransomware_group)
  • Medusa Ransomware (ransomware_group)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1136 - Create Account (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • BeyondTrust (tool)
  • ConnectWise ScreenConnect (tool)
  • SimpleHelp (tool)
  • Gaze.exe (tool)
  • CrushFTP (vulnerability)
  • Ivanti Connect Secure (platform)
  • JetBrains TeamCity (platform)
  • Microsoft Exchange (platform)
  • PaperCut (platform)
  • Policy Secure (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed