Storm-1175 Ransomware Gang Exploits Vulnerabilities for Rapid Attacks

Severity: High (Score: 69.9)

Sources: Blogs.Microsoft, Csoonline, Gbhackers, Bleepingcomputer, Infosecurity-Magazine

Summary

Microsoft has identified the cybercriminal group Storm-1175, known for deploying Medusa ransomware, as aggressively exploiting vulnerabilities in internet-facing systems. This financially motivated group is capable of executing attacks within 24 hours of gaining access, utilizing both N-day and zero-day vulnerabilities. Recent campaigns have targeted critical sectors, including healthcare and finance, across the United States, Australia, and the United Kingdom. Storm-1175 has exploited over 16 vulnerabilities in various software products, including Microsoft Exchange and SmarterMail. Notably, they have used CVE-2025-10035 and CVE-2026-23760 in their operations. CISA has previously issued advisories regarding the impact of these attacks on critical infrastructure organizations. The group's rapid operational tempo and ability to chain exploits pose a significant risk to affected organizations.

Key Points

  • Storm-1175 exploits vulnerabilities in internet-facing systems to deploy Medusa ransomware.
  • Attacks can occur within 24 hours of initial access, targeting critical sectors.
  • Over 16 vulnerabilities have been exploited, including CVE-2025-10035 and CVE-2026-23760.

Key Entities

  • Data Breach (attack_type)
  • Ransomware (attack_type)
  • Zero-day Exploit (attack_type)
  • Australia (country)
  • United Kingdom (country)
  • United States (country)
  • CVE-2023-21529 (cve)
  • CVE-2023-27350 (cve)
  • CVE-2023-27351 (cve)
  • CVE-2023-46805 (cve)
  • CVE-2024-1708 (cve)
  • Education (company)
  • GoAnywhere MFT (company)
  • Healthcare (industry)
  • Professional Services (industry)
  • Medusa (ransomware_group)
  • Akira (ransomware_group)
  • Black Basta (ransomware_group)
  • Medusa Ransomware (ransomware_group)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1136 - Create Account (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • BeyondTrust (tool)
  • ConnectWise ScreenConnect (tool)
  • SimpleHelp (tool)
  • Gaze.exe (tool)
  • CrushFTP (vulnerability)
  • Exchange (platform)
  • Ivanti Connect Secure (platform)
  • JetBrains TeamCity (platform)
  • Microsoft Exchange (platform)
  • PaperCut (platform)