Storm-1175's Rapid Exploitation of Zero-Day Vulnerabilities in Medusa Ransomware Attacks
Executive Summary
In April 2026, Microsoft identified Storm-1175, a China-based cybercriminal group, exploiting zero-day vulnerabilities to deploy Medusa ransomware. The group rapidly transitioned from initial access to data exfiltration and ransomware deployment, often within 24 hours. They targeted sectors including healthcare, education, professional services, and finance across the U.S., U.K., and Australia. Storm-1175 utilized tools like PowerShell, PsExec, and remote monitoring software to establish persistence, conduct reconnaissance, and move laterally within networks. (bleepingcomputer.com)
This incident underscores the increasing sophistication and speed of ransomware attacks, highlighting the critical need for organizations to promptly patch vulnerabilities and enhance their cybersecurity defenses to mitigate such rapidly evolving threats.
Why This Matters Now
The rapid exploitation of zero-day vulnerabilities by groups like Storm-1175 emphasizes the urgent need for organizations to implement proactive security measures and timely patch management to defend against increasingly sophisticated ransomware attacks.
Attack Path Analysis
Storm-1175 exploited zero-day vulnerabilities in web-facing assets to gain initial access, escalated privileges by creating new user accounts and deploying remote monitoring tools, moved laterally by stealing credentials and disabling security software, established command and control channels using tools like Rclone for data exfiltration, exfiltrated sensitive data to attacker-controlled servers, and finally deployed Medusa ransomware to encrypt systems and demand ransom payments.
Kill Chain Progression
Initial Compromise
Description
Storm-1175 exploited zero-day vulnerabilities in web-facing assets to gain initial access to target networks.
Related CVEs
CVE-2025-10035
CVSS 9.8A deserialization vulnerability in Fortra's GoAnywhere MFT allows remote code execution via the License Servlet component.
Affected Products:
Fortra GoAnywhere MFT – <= 7.8.3
Exploit Status:
exploited in the wildReferences:
https://nvd.nist.gov/vuln/detail/CVE-2025-10035https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/CVE-2026-23760
CVSS 9.8An authentication bypass vulnerability in SmarterTools' SmarterMail allows unauthorized access to administrative functions.
Affected Products:
SmarterTools SmarterMail – < 17.0.0
Exploit Status:
exploited in the wildReferences:
https://nvd.nist.gov/vuln/detail/CVE-2026-23760https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
LSASS Memory
Process Injection
Develop Capabilities
Acquire Access
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.3
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.7
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
NYDFS 23 NYCRR 500 – Incident Response Plan
Control ID: 500.16
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Healthcare organizations heavily impacted by Storm-1175's high-velocity Medusa ransomware attacks exploiting web-facing vulnerabilities, requiring enhanced egress security and zero-trust segmentation.
Higher Education/Acadamia
Education sector targeted by rapid zero-day exploitation campaigns, necessitating stronger threat detection capabilities and multicloud visibility to prevent data exfiltration within 24-hour attack windows.
Financial Services
Financial institutions face critical risk from Storm-1175's exploitation of 16+ vulnerabilities across communication platforms, demanding comprehensive encrypted traffic monitoring and anomaly response systems.
Computer Software/Engineering
Software organizations vulnerable to attacks on development tools like JetBrains TeamCity and remote access platforms, requiring Kubernetes security and inline intrusion prevention capabilities.
Sources
- Microsoft links Medusa ransomware affiliate to zero-day attackshttps://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/Verified
- Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operationshttps://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/Verified
- Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerabilityhttps://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited by reducing the exposure of web-facing assets through enforced segmentation and controlled access policies.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by enforcing strict identity-aware access controls and segmenting user roles.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted by monitoring and controlling east-west traffic, thereby reducing unauthorized internal access.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels could have been hindered by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been limited by enforcing strict egress policies and monitoring outbound traffic.
The deployment of ransomware could have been constrained by limiting the attacker's ability to move laterally and access critical systems.
Impact at a Glance
Affected Business Functions
- Data Transfer Operations
- Email Communications
- Network Security
Estimated downtime: 14 days
Estimated loss: $500,000
Sensitive corporate data and client information
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of ransomware within the network.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Enforce Multi-Factor Authentication (MFA) across all user accounts to mitigate the risk of credential theft and unauthorized access.
- • Regularly update and patch all systems and applications to protect against exploitation of known vulnerabilities.
