Storm-1175 is a financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence. This actor is characterized by a high operational tempo, specializing in the rapid weaponization of newly disclosed vulnerabilities (N-days) and occasionally zero-days to deploy Medusa ransomware.
Severity: High
Targeting
- Sectors: Healthcare, Education, Professional Services, Finance
- Regions: Australia, United Kingdom, United States
- Assets: Vulnerable internet-facing systems (Ivanti, Exchange, TeamCity, CrushFTP, SAP, SimpleHelp, BeyondTrust…)
Attack Chain
| Phase | Tactics & Tools Used |
|---|---|
| Initial Access | Exploitation of vulnerable web-facing assets. Weaponizes N-day vulnerabilities often within 24 hours of disclosure (e.g., SAP NetWeaver CVE-2025-31324). |
| Persistence | Creation of new user accounts in the Administrators group; deployment of web shells or Remote Monitoring and Management (RMM) tools. |
| Lateral Movement | Use of Cloudflare tunnels (disguised as conhost.exe) for RDP sessions; leveraging Impacket, PsExec, and PDQ Deployer. |
| Credential Access | LSASS dumping via Task Manager or Mimikatz; modifying registry keys (e.g., UseLogonCredential); stealing credentials from Veeam backup software. |
| Defense Evasion | Modifying registry settings to tamper with Microsoft Defender Antivirus; using PowerShell to add "C:" drive exclusions; deleting created accounts to scrub logs. |
| Exfiltration | Data collection using Bandizip and exfiltration via Rclone to attacker-owned cloud resources. |
| Impact | Deployment of Medusa ransomware via PDQ Deployer scripts (RunFileCopy.cmd) or Group Policy updates. |
Notable Exploited Vulnerabilities
Microsoft has observed the exploitation of over 16 vulnerabilities since 2023. High-profile examples include:
- N-Day: CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2023-21529 (Microsoft Exchange), and CVE-2025-31161 (CrushFTP).
- Zero-Day: CVE-2026-23760 (SmarterMail) and CVE-2025-10035 (GoAnywhere MFT), both exploited a week prior to public disclosure.
- Chained Exploits: Exploiting CVE-2022-41080 and CVE-2022-41082 (OWASSRF) to achieve remote code execution.
Recommendations
- Patch internet-facing systems immediately. Treat patch lag on perimeter assets as an active breach risk.
- Enable tamper protection. Use the DisableLocalAdminMerge setting to prevent local admins from overriding global antivirus exclusion lists.
- Enable Credential Guard on all domain-joined Windows endpoints.
- Block LSASS credential stealing and PSExec/WMI process creation via ASR rules.
- Maintain an approved RMM allowlist, enforce MFA on all approved tools, and treat any unrecognized RMM installation as a compromise indicator.
- Monitor and alert on new local admin account creation.
- Webshell creation is Storm-1175’s most common initial persistence mechanism after exploitation. The “Block Webshell creation for Servers” ASR rule directly addresses this. Combine with file integrity monitoring on web-accessible directories.
- Backup servers should have no direct connectivity to production endpoints and credentials should not be reused.
- Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/9924605cf31bd8cb99039fad37a1a4b795f764bdeeab7137f08d0e41ab59232f/iocs
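The "monitor and alert on new local admin account creation" recommendation, together with the advisory's note that the actor deletes the accounts it created to scrub logs, can be turned into a simple correlation rule. The following is an added example (not code from Microsoft or from this advisory): it reads Windows Security events 4720 (user account created), 4732 (member added to a local group) and 4726 (user account deleted), and raises the severity of any account that is created, added to Administrators and removed again inside a short window. The one-line-per-event export format and all event records are constructed for the example; a real 4732 event carries the member as a SID rather than a name, and the events would come from EVTX/XML or a SIEM export.

```python
"""Correlate Security-log account lifecycle events to flag short-lived
local admin accounts (create -> add to Administrators -> delete).
Log format and records below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed export: one event per line, "key=value" fields joined by "|".
SAMPLE_LOG = """\
time=2026-04-01T02:10:05|id=4720|subject=WEB01$|target=svc_update
time=2026-04-01T02:10:09|id=4732|subject=WEB01$|target=svc_update|group=Administrators
time=2026-04-01T02:14:30|id=4624|subject=-|target=svc_update
time=2026-04-01T02:55:41|id=4726|subject=WEB01$|target=svc_update
time=2026-04-01T09:00:00|id=4720|subject=helpdesk.jane|target=new.hire
time=2026-04-01T09:00:12|id=4732|subject=helpdesk.jane|target=new.hire|group=Remote Desktop Users
time=2026-04-02T11:30:00|id=4732|subject=WEB01$|target=backup_svc|group=Administrators
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    subject: str        # account that performed the action
    target: str         # account being created / added / deleted
    group: str = ""     # local group name, present on 4732 only


@dataclass
class Finding:
    account: str
    created: Optional[datetime] = None
    created_by: str = ""
    admin_added: Optional[datetime] = None
    deleted: Optional[datetime] = None
    severity: str = "low"


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' event line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(
        time=datetime.fromisoformat(fields["time"]),
        event_id=int(fields["id"]),
        subject=fields["subject"],
        target=fields["target"],
        group=fields.get("group", ""),
    )


def correlate(events: Iterable[Event],
              scrub_window: timedelta = timedelta(hours=24)) -> list[Finding]:
    """Build one Finding per account touched by 4720/4732/4726 events.

    high   - created, made local admin, and deleted within scrub_window
    medium - made local admin, or created and deleted within scrub_window
    low    - created only (still worth a ticket, per the recommendation)
    """
    findings: dict[str, Finding] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4720:
            findings[ev.target] = Finding(account=ev.target, created=ev.time,
                                          created_by=ev.subject)
        elif ev.event_id == 4732 and ev.group == "Administrators":
            # An existing account being elevated also deserves a finding.
            f = findings.setdefault(ev.target, Finding(account=ev.target))
            f.admin_added = ev.time
        elif ev.event_id == 4726 and ev.target in findings:
            findings[ev.target].deleted = ev.time

    for f in findings.values():
        scrubbed = (f.created is not None and f.deleted is not None
                    and f.deleted - f.created <= scrub_window)
        if f.admin_added and scrubbed:
            f.severity = "high"
        elif f.admin_added or scrubbed:
            f.severity = "medium"
    return list(findings.values())


def analyze(text: str, scrub_hours: float = 24.0) -> dict[str, str]:
    """Parse an export and return {account: severity}."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return {f.account: f.severity
            for f in correlate(events, timedelta(hours=scrub_hours))}


if __name__ == "__main__":
    for account, severity in analyze(SAMPLE_LOG).items():
        print(f"{severity:6s} {account}")
```

In the constructed sample, `svc_update` is created by the web server's machine account, elevated four seconds later and deleted after 45 minutes, which is the pattern the advisory describes and scores "high"; `backup_svc` is an existing account elevated to Administrators ("medium"); `new.hire` is an ordinary creation by a helpdesk user ("low"). The scrub window is the one tunable: a shorter window trades fewer false positives for missing slower cleanups.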
IOCs
| Type | Indicator |
|---|---|
| SHA-256 | 0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96 |
| SHA-256 | 9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c |
| SHA-256 | e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086 |
| SHA-256 | 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 |
| IP | 185.135.86[.]149 |
| IP | 134.195.91[.]224 |
| IP | 85.155.186[.]121 |
Source:
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/