- Storm-1175 quickly moves from initial access to ransomware deployment
- Exploits zero-day and n-day flaws in multiple products
- Targets healthcare, financial, educational and professional services organizations
The Chinese-speaking hacker collective Storm-1175 moves quickly, going from initial access to full system compromise and data exfiltration within weeks, and sometimes in less than 24 hours, experts have warned.
A new report from Microsoft says the group has been seen exploiting multiple flaws, both zero-day and n-day, in its operations. In some cases it even chains several vulnerabilities together for greater effect.
According to the report, Storm-1175 is not a state-sponsored actor but a financially motivated independent group. It primarily targets healthcare organizations, educational institutions, professional service providers and companies in the financial sector. Its victims are mainly located in the United States, the United Kingdom and Australia.
Dozens of vulnerabilities
The key takeaway here is the speed with which the group operates: “Following a successful exploit, Storm-1175 rapidly moves from initial access to data exfiltration and Medusa ransomware deployment, often within a few days and in some cases within 24 hours,” the researchers said. “The threat actor’s high operational tempo and ability to identify exposed perimeter assets have proven successful.”
For initial access, the group alternates between zero-day and n-day vulnerabilities. In zero-day cases it was seen abusing bugs as much as a week before public disclosure; in n-day cases it moved to exploit them as soon as possible after disclosure, giving defenders very little time to apply patches and mitigations.
To date, more than 16 exploited vulnerabilities have been identified, affecting 10 products. These include Microsoft Exchange (CVE-2023-21529), PaperCut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708).
Other notable mentions include bugs in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691) and BeyondTrust (CVE-2026-1731).
After breaking in, the attackers deploy a variety of tools to enable lateral movement, persistence and stealth. Before deploying the Medusa ransomware, they disable any installed antivirus or endpoint protection tools.
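Because disabling endpoint protection is the last step the report describes before ransomware is deployed, it is a useful triage signal for defenders. The script below is an added example, not part of the TechRadar article or Microsoft's report: it scans constructed Microsoft Defender operational-log records (the JSON-per-line shape, hostnames and timestamps are all made up for the example) for the documented Defender event IDs that indicate protection being switched off, and ranks hosts where several such events land within a short window, since that pattern fits the rapid tempo described above.

```python
"""Flag endpoint-protection tampering in Microsoft Defender operational-log
records as a triage signal for pre-ransomware activity.

Added example with constructed sample data; not the article's or Microsoft's code.
"""
import json
from collections import defaultdict
from datetime import datetime

# Microsoft Defender Antivirus operational-log event IDs that indicate
# protection being turned off (documented Defender event IDs).
AV_DISABLE_EVENTS = {
    5001: "real-time protection disabled",
    5010: "antispyware scanning disabled",
    5012: "antivirus scanning disabled",
}

# Constructed sample records (not real telemetry): one JSON object per line,
# in the shape a SIEM forwarder might emit for the Defender channel.
SAMPLE_LOG = """\
{"host": "ws-fin-01", "time": "2025-03-01T02:11:09Z", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 1116}
{"host": "srv-file-02", "time": "2025-03-01T02:40:31Z", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001}
{"host": "srv-file-02", "time": "2025-03-01T02:40:35Z", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5012}
{"host": "ws-hr-07", "time": "2025-03-01T03:05:00Z", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 1001}
{"host": "srv-app-03", "time": "2025-03-01T03:15:22Z", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001}
"""


def parse_records(text):
    """Parse JSON-per-line records, converting the ISO timestamp to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_av_tampering(records):
    """Return {host: [(time, description), ...]} for hosts with disable events."""
    hits = defaultdict(list)
    for rec in records:
        desc = AV_DISABLE_EVENTS.get(rec.get("event_id"))
        in_defender_channel = rec.get("channel", "").startswith(
            "Microsoft-Windows-Windows Defender"
        )
        if desc and in_defender_channel:
            hits[rec["host"]].append((rec["time"], desc))
    return dict(hits)


def triage_summary(records, multi_event_window_minutes=10):
    """Rank hosts: several disable events inside a short window is a stronger signal
    than a single one (which may be an administrator's change)."""
    summary = []
    for host, events in find_av_tampering(records).items():
        events.sort()
        span_minutes = (events[-1][0] - events[0][0]).total_seconds() / 60
        severity = (
            "high"
            if len(events) > 1 and span_minutes <= multi_event_window_minutes
            else "medium"
        )
        summary.append(
            {
                "host": host,
                "first_seen": events[0][0].isoformat(),
                "events": [desc for _, desc in events],
                "severity": severity,
            }
        )
    # High-severity hosts first, then by time of first tampering event.
    summary.sort(key=lambda s: (s["severity"] != "high", s["first_seen"]))
    return summary


if __name__ == "__main__":
    for item in triage_summary(parse_records(SAMPLE_LOG)):
        print(item)
```

A single disable event is often legitimate administration, so the script only raises severity when the events cluster; in a real deployment the same logic would run over the SIEM's Defender channel rather than the embedded sample, and the window would be tuned to the environment's change-management cadence.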