Microsoft warns China-based hackers of using new malicious tools


  • Storm-1175 quickly moves from access to ransomware deployment
  • Exploits zero days and n days on several products
  • Targets healthcare, finance, education and professional services

Chinese hacker collective Storm-1175 moves quickly, going from initial access to complete system compromise and data exfiltration within weeks, and sometimes in less than 24 hours, experts have warned.

A new report from Microsoft claims that the group exploited several vulnerabilities, both zero-day and n-day, in its activities. In some cases, they would even chain together various flaws for better results.

According to the report, Storm-1175 is not a state-sponsored actor, but rather an autonomous group interested in profit. They mainly target healthcare establishments, educational establishments, professional service providers and companies in the financial sector. Victims are mainly located in the United States, United Kingdom and Australia.


Dozens of vulnerabilities

The key takeaway here is how quickly the group operates: “After successful exploitation, Storm-1175 quickly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within days and, in some cases, within 24 hours,” the researchers said. “The threat actor’s high operational tempo and ability to identify exposed perimeter assets proved effective.”

For initial access, the group alternates between zero-days and n-days. With zero-days, they were seen abusing bugs up to a week before their public disclosure; with n-days, they try to exploit them as soon as possible after disclosure, leaving defenders very little time to deploy patches and mitigations.

So far, more than 16 vulnerabilities across 10 products have been identified as exploited by the group. These include Microsoft Exchange (CVE-2023-21529), PaperCut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708).

Other notable mentions include bugs in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691) and BeyondTrust (CVE-2026-1731).


After intrusion, the crooks deployed a myriad of different tools to enable lateral movement, persistence, and stealth. Before deploying the Medusa ransomware variant, they would disable any installed antivirus or endpoint protection tools.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). During his career, which spans more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also hosted several modules on content writing for Represent Communications.
