Executive Summary
In early April 2026, the China-based cybercriminal group Storm-1175 executed a series of high-velocity attacks targeting vulnerable internet-facing systems across sectors such as healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States. By exploiting a combination of zero-day and N-day vulnerabilities, including CVE-2025-10035 in Fortra's GoAnywhere MFT and CVE-2026-23760 in SmarterMail, the group rapidly gained initial access. Post-compromise activities involved deploying web shells, creating new user accounts, and utilizing remote monitoring and management tools like SimpleHelp and MeshAgent for persistence and lateral movement. Within as little as 24 hours, Storm-1175 exfiltrated data and deployed Medusa ransomware, leading to significant operational disruptions for the affected organizations. (microsoft.com)
This incident underscores the increasing sophistication and speed of financially motivated threat actors in exploiting newly disclosed vulnerabilities. The rapid transition from initial access to ransomware deployment highlights the critical need for organizations to promptly apply security patches, monitor for unauthorized activities, and implement robust incident response strategies to mitigate such high-tempo cyber threats.
Why This Matters Now
The rapid exploitation of zero-day vulnerabilities by groups like Storm-1175 emphasizes the urgent need for organizations to enhance their vulnerability management and incident response capabilities. The ability of threat actors to move from initial access to full ransomware deployment within 24 hours poses a significant risk to operational continuity and data security.
Attack Path Analysis
Storm-1175 exploited zero-day vulnerabilities in internet-facing systems to gain initial access. They escalated privileges by creating new user accounts and deploying web shells. Utilizing tools like PowerShell and PsExec, they moved laterally across the network. Remote monitoring and management software facilitated command and control. Data was exfiltrated using tools like Rclone. Finally, Medusa ransomware was deployed to encrypt data, disrupting operations.
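As an added defender-side example (not code from the report or from Microsoft's write-up), the following Python correlation runs over constructed Windows Security events and flags the chain described above: an account created (event 4720) that, within 24 hours, runs the RMM, lateral-movement and exfiltration tooling the report names. The event IDs are standard Windows Security IDs; the hostnames, account names and file paths are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report), reduced to the fields the
# correlation needs. For 4720 "user" is the account that was created; for 4688
# it is the account that launched the process.
EVENTS = [
    {"ts": "2026-04-01T08:00:00", "host": "ws07",  "event_id": 4688, "user": "alice",
     "image": r"C:\Program Files\rclone\rclone.exe"},
    {"ts": "2026-04-02T01:10:00", "host": "mft01", "event_id": 4720, "user": "svc_backup2",
     "image": ""},
    {"ts": "2026-04-02T01:25:00", "host": "mft01", "event_id": 4688, "user": "svc_backup2",
     "image": r"C:\ProgramData\SimpleHelp\remote.exe"},
    {"ts": "2026-04-02T03:40:00", "host": "fs01",  "event_id": 4688, "user": "svc_backup2",
     "image": r"C:\Windows\Temp\psexec.exe"},
    {"ts": "2026-04-02T09:05:00", "host": "fs01",  "event_id": 4688, "user": "svc_backup2",
     "image": r"C:\Windows\Temp\rclone.exe"},
]

# Tooling named in the report, mapped to the phase it served in the intrusion.
TOOL_PHASES = {
    "simplehelp": "persistence/C2 (RMM)",
    "meshagent": "persistence/C2 (RMM)",
    "psexec": "lateral movement",
    "rclone": "exfiltration",
}

WINDOW = timedelta(hours=24)  # the access-to-ransomware tempo the report describes

def classify(image):
    """Map a process image path to a kill-chain phase, or None if it is not report tooling."""
    path = image.lower()
    for tool, phase in TOOL_PHASES.items():
        if tool in path:
            return phase
    return None

def correlate(events, window=WINDOW):
    """Return {account: [(host, phase), ...]} for accounts created (4720) that then ran
    report-named tooling within `window` of creation. A lone rclone run by a
    long-standing account does not fire on its own; the chain is the signal."""
    ordered = sorted(events, key=lambda e: e["ts"])
    created = {e["user"]: datetime.fromisoformat(e["ts"]) for e in ordered if e["event_id"] == 4720}
    hits = {}
    for e in ordered:
        if e["event_id"] != 4688 or e["user"] not in created:
            continue
        phase = classify(e["image"])
        age = datetime.fromisoformat(e["ts"]) - created[e["user"]]
        if phase and timedelta(0) <= age <= window:
            hits.setdefault(e["user"], []).append((e["host"], phase))
    return hits

if __name__ == "__main__":
    for user, chain in correlate(EVENTS).items():
        print(user, "->", chain)
```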
Kill Chain Progression
Initial Compromise
Description
Storm-1175 exploited zero-day vulnerabilities in internet-facing systems to gain initial access.
Related CVEs
CVE-2025-10035
CVSS 9.8
A deserialization vulnerability in Fortra's GoAnywhere MFT allows unauthenticated remote code execution via a crafted license response signature.
Affected Products:
Fortra GoAnywhere MFT – < 7.2.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-10035
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
https://securityaffairs.com/183075/hacking/goanywhere-mft-zero-day-used-by-storm-1175-in-medusa-ransomware-campaigns.html
CVE-2026-23760
CVSS 9.8
An unspecified vulnerability in SmarterTools SmarterMail allows remote attackers to execute arbitrary code.
Affected Products:
SmarterTools SmarterMail – < 17.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-23760
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
https://www.cryptika.com/microsoft-warns-storm-1175-exploits-web-facing-assets-0-day-flaws-in-medusa-ransomware-attacks/
CVE-2024-1709
CVSS 10
An authentication bypass vulnerability in ConnectWise ScreenConnect allows unauthenticated access to the setup wizard, enabling admin account creation and remote code execution.
Affected Products:
ConnectWise ScreenConnect – < 22.4.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Obtain Capabilities: Exploits
Software Deployment Tools
Data Encrypted for Impact
Inhibit System Recovery
Impair Defenses: Disable or Modify Tools
Valid Accounts
Remote Services: SMB/Windows Admin Shares
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value targets for Storm-1175's zero-day exploits and Medusa ransomware, requiring enhanced egress security, encrypted traffic monitoring, and zero trust segmentation for regulatory compliance.
Health Care / Life Sciences
Critical infrastructure vulnerable to high-velocity attacks exploiting internet-facing systems, necessitating HIPAA-compliant threat detection, anomaly response, and multicloud visibility for patient data protection.
Government Administration
Prime target for China-linked threat actors conducting rapid ransomware deployment against exposed perimeter assets, requiring comprehensive east-west traffic security and inline intrusion prevention systems.
Telecommunications
Strategic sector facing sophisticated zero-day exploitation similar to Salt Typhoon attacks, demanding secure hybrid connectivity, cloud-native security fabric, and enhanced encrypted traffic capabilities for infrastructure protection.
Sources
- China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware: https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
- Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations: https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
- GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns: https://securityaffairs.com/183075/hacking/goanywhere-mft-zero-day-used-by-storm-1175-in-medusa-ransomware-campaigns.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting exposure of internet-facing systems through identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: The creation of unauthorized user accounts and deployment of web shells could likely be restricted by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: Lateral movement using tools like PowerShell and PsExec would likely be constrained by enforcing strict east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The use of remote monitoring and management software for command and control may have been limited by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration using tools like Rclone would likely be constrained by enforcing strict egress policies.
The deployment of Medusa ransomware to encrypt data and disrupt operations may have been limited by reducing the attacker's ability to move laterally and escalate privileges.
Impact at a Glance
Affected Business Functions
- Email Services
- File Transfer Operations
- Remote Access Management
Estimated downtime: 14 days
Estimated loss: $500,000
Sensitive corporate data, including emails and transferred files, potentially exposed.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement and enforce least privilege access.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- Regularly update and patch systems to mitigate vulnerabilities exploited by attackers.