Ransomware Group Storm-1175 Accelerates Attack Timelines
TL;DR
The Storm-1175 threat actor, noted by Microsoft Threat Intelligence, is rapidly deploying Medusa ransomware, often within 24 hours of initial compromise. Their tactics involve leveraging newly disclosed vulnerabilities and performing aggressive exploitation of public-facing applications.
Main Analysis
Microsoft Threat Intelligence has observed the Storm-1175 group using expedited methods in ransomware operations, significantly reducing the time between initial system breach and ransomware deployment. This group targets various sectors by exploiting vulnerabilities in public-facing applications, executing multiple attack phases quickly, and utilizing tools like PowerShell and PsExec to facilitate lateral movement through networks. Once access is gained, Storm-1175 modifies security settings to weaken defenses before deploying Medusa ransomware.
The activity and speed of Storm-1175’s attacks highlight a worrying trend in ransomware tactics: long dwell times are becoming less common, and the focus has shifted to exploiting new vulnerabilities almost immediately after they are disclosed. The group is particularly effective at disrupting organizations whose systems remain unpatched and exposed. For example, it exploits weaknesses in widely used platforms, including BeyondTrust and Microsoft Exchange, indicating a broad reach and potential for significant disruption.
The referenced attack chain image illustrates how Storm-1175 transitions from initial access to deploying ransomware, showcasing their operational efficiency. It visually breaks down the steps taken from exploiting vulnerabilities to executing commands on compromised systems, informing defenders of the critical points to monitor.
Defensive Context
Organizations with exposed and unpatched systems should be particularly vigilant, as Storm-1175 targets weaknesses in perimeter defense layers. Attacks are initiated through vulnerabilities, which, if unaddressed, can lead to rapid ransomware deployment. Entities operating systems susceptible to the mentioned CVEs should prioritize their remediation efforts to mitigate the impact of such attacks.
Why This Matters
The tactics employed by Storm-1175 pose a significant risk to organizations with vulnerable public-facing applications. Realistically, any business with outdated or improperly secured systems is at risk, particularly in sectors heavily reliant on those applications for operation.
Defender Considerations
Immediate action is advisable to address the known CVEs exploited by Storm-1175. Furthermore, organizations should enhance monitoring for unusual administrative activity and restrict unnecessary remote management tools. Paying close attention to credential management and auditing newly created privileged accounts can also help reduce the risk of exploitation.
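One way to operationalize the monitoring advice above, as an added example that is not part of the original article: a small Python correlation over Windows event log lines that flags a host where a new account is created, added to the local Administrators group, and followed by a PsExec-style service install within a short window, matching the fast tempo described for Storm-1175. Event IDs 4720, 4732 and 7045 and the PSEXESVC service name are standard Windows and PsExec artifacts; the pipe-delimited log format, host names, user names and timestamps are constructed sample data.

```python
# Added example (not from the original article): correlate account creation,
# local Administrators group membership and a PsExec-style service install on
# the same host inside a short time window. Event IDs are standard Windows
# Security/System events; the sample lines are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp|host|event_id|key=value;key=value
SAMPLE_EVENTS = [
    "2025-03-10T02:14:05|FS01|4720|TargetUserName=svc_backup2",
    "2025-03-10T02:14:20|FS01|4732|TargetUserName=Administrators;MemberName=svc_backup2",
    "2025-03-10T02:31:44|FS01|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2025-03-10T09:00:00|HR02|4720|TargetUserName=jsmith",
    "2025-03-12T11:05:12|HR02|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
]

# 4720 = user account created, 4732 = member added to security-enabled local
# group, 7045 = new service installed (PsExec registers PSEXESVC this way).
EVENTS_OF_INTEREST = {"4720", "4732", "7045"}

def parse_event(line):
    """Parse one constructed log line into a dict of fields."""
    ts, host, eid, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";"))
    return {"ts": datetime.fromisoformat(ts), "host": host, "eid": eid, **fields}

def find_rapid_privileged_access(lines, window=timedelta(hours=1)):
    """Return (host, user, created_at) for every new account that was added to
    Administrators and followed by a PSEXESVC install within `window`."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["eid"] in EVENTS_OF_INTEREST:
            by_host[ev["host"]].append(ev)
    hits = []
    for host, events in by_host.items():
        for created in (e for e in events if e["eid"] == "4720"):
            user = created["TargetUserName"]
            deadline = created["ts"] + window
            later = [e for e in events if created["ts"] <= e["ts"] <= deadline]
            admin_added = any(e["eid"] == "4732" and e.get("MemberName") == user
                              and e.get("TargetUserName") == "Administrators" for e in later)
            psexec_seen = any(e["eid"] == "7045" and e.get("ServiceName", "").upper() == "PSEXESVC"
                              for e in later)
            if admin_added and psexec_seen:
                hits.append((host, user, created["ts"]))
    return hits

if __name__ == "__main__":
    for host, user, when in find_rapid_privileged_access(SAMPLE_EVENTS):
        print(f"ALERT {host}: account {user} created {when.isoformat()} and used for remote execution")
```

The window and the set of correlated events are tunable; the point is to alert on the sequence, not on any single event, since each of these occurs routinely in isolation.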
Indicators of Compromise (IOCs)
The exploited vulnerabilities referenced in the report are:
- CVE-2026-1731 (BeyondTrust)
- CVE-2023-21529 (Microsoft Exchange)
- CVE-2023-27350 (PaperCut)
- CVE-2024-1709 (ConnectWise ScreenConnect)
These specific vulnerabilities should inform prioritization for patching and security assessments.