Back

Storm-1175 Intensifies Ransomware Attacks Using N-day and Zero-day Exploits

Severity: High (Score: 69.9)

Sources: Bleepingcomputer, Securityaffairs.Co, Gbhackers, Technadu, Blogs.Microsoft

Summary

Microsoft has reported that the cybercrime group Storm-1175 is executing rapid ransomware operations by exploiting vulnerabilities in internet-facing systems. The group, linked to Medusa ransomware, has been observed moving from initial access to data exfiltration and ransomware deployment within 24 hours. Storm-1175 has targeted critical sectors including healthcare, education, professional services, and finance across Australia, the U.K., and the U.S. Since 2023, the group has exploited over 16 vulnerabilities, including both N-day and zero-day flaws. Notably, they have used zero-day exploits a week before public disclosure, demonstrating a high operational tempo. The group employs techniques such as credential theft and tampering with security solutions to maintain persistence and facilitate lateral movement within networks. Microsoft emphasizes that organizations need to enhance their attack surface management to mitigate these threats effectively. Key Points: • Storm-1175 exploits N-day and zero-day vulnerabilities, often within 24 hours of disclosure. • The group has targeted critical sectors, impacting healthcare, education, and finance organizations. • Microsoft observed Storm-1175 using over 16 vulnerabilities, including CVE-2025-10035 and CVE-2026-23760.

Key Entities

  • Data Breach (attack_type)
  • Ransomware (attack_type)
  • Zero-day Exploit (attack_type)
  • Australia (country)
  • China (country)
  • United Kingdom (country)
  • United States (country)
  • CVE-2023-21529 (cve)
  • CVE-2023-27350 (cve)
  • CVE-2023-27351 (cve)
  • CVE-2023-46805 (cve)
  • CVE-2024-1708 (cve)
  • Education (company)
  • GoAnywhere MFT (company)
  • Healthcare (industry)
  • Professional Services (industry)
  • Medusa (ransomware_group)
  • Akira (ransomware_group)
  • Black Basta (ransomware_group)
  • Medusa Ransomware (ransomware_group)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1136 - Create Account (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • BeyondTrust (tool)
  • ConnectWise ScreenConnect (tool)
  • SimpleHelp (tool)
  • Gaze.exe (tool)
  • CrushFTP (vulnerability)
  • Exchange (platform)
  • Ivanti Connect Secure (platform)
  • JetBrains TeamCity (platform)
  • Microsoft Exchange (platform)
  • PaperCut (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed