Overview
- Microsoft attributed a wave of fast-moving intrusions to a financially motivated group it tracks as Storm-1175, which exploits both freshly disclosed n-day flaws and true zero-days in internet-facing systems to gain access and deploy Medusa ransomware.
- Investigators said the crew exploited CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere MFT as zero-days, in some cases before a patch or any public details were available.
- After initial access the operators chain additional exploits, create new administrator accounts, drop web shells, and rely on remote management tools to blend in with legitimate admin activity; they then exfiltrate data and trigger encryption within days, in some cases in under 24 hours.
- Tooling observed includes PDQ Deployer for lateral movement and payload delivery; PowerShell and PsExec as living-off-the-land utilities; Impacket and Mimikatz for credential theft; Windows Defender exclusions and firewall rule changes to weaken defenses; and Bandizip to stage archives, with Rclone to exfiltrate them.
- Microsoft reported recent intrusions against healthcare, education, professional services, and finance organizations in the US, UK, and Australia, and linked the group to more than 16 exploited CVEs since 2023 in products including Exchange, PaperCut, Ivanti, ConnectWise ScreenConnect, TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust, underscoring the exposure during the gap between disclosure and broad patching.
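The post-access chain above (new admin account, Defender exclusion, firewall change, PsExec, Rclone, archiver) is a sequence most environments already log; the useful detection is not any single event but several of them firing on one host inside the short window the group operates in. The following is an added example of that correlation, written for this page and not Microsoft's or any vendor's published detection content. It goes beyond the summary by adding a time-window correlation across hosts. The event IDs are standard Windows Security/System/Defender Operational IDs; the normalized record shape (`host`, `source`, `event_id`, `ts`, `data`) and field names such as `NewValue` are assumptions about whatever SIEM layer feeds it, and the event records themselves are constructed sample data.

```python
"""Correlate Storm-1175-style post-exploitation events per host.

Added example, not Microsoft's or anyone else's detection logic.
Record shape and data-field names are assumptions about a normalization
layer; the sample events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _proc_named(ev, *filenames):
    """True for a Security 4688 (process creation) whose image ends in one of filenames."""
    if ev["source"] != "Security" or ev["event_id"] != 4688:
        return False
    image = ev["data"].get("NewProcessName", "").lower()
    return any(image.endswith("\\" + f) for f in filenames)


# One predicate per technique from the write-up. Event IDs: 4720 account created,
# 4732 member added to local group, 5007 Defender configuration changed,
# 4946/4947/4950 firewall rule/setting changed, 7045 service installed.
RULES = {
    "account_created":
        lambda ev: ev["source"] == "Security" and ev["event_id"] == 4720,
    "added_to_local_admins":
        lambda ev: ev["source"] == "Security" and ev["event_id"] == 4732
        and ev["data"].get("TargetUserName", "").lower() == "administrators",
    "defender_exclusion_changed":
        lambda ev: ev["source"] == "Microsoft-Windows-Windows Defender/Operational"
        and ev["event_id"] == 5007
        and "\\exclusions\\" in ev["data"].get("NewValue", "").lower(),
    "firewall_rule_changed":
        lambda ev: ev["source"] == "Security" and ev["event_id"] in (4946, 4947, 4950),
    "psexec_service_installed":
        lambda ev: ev["source"] == "System" and ev["event_id"] == 7045
        and ev["data"].get("ServiceName", "").upper() == "PSEXESVC",
    "rclone_executed":
        lambda ev: _proc_named(ev, "rclone.exe"),
    # Image name for the GUI archiver is an assumption; adjust to your telemetry.
    "archiver_executed":
        lambda ev: _proc_named(ev, "bandizip.exe"),
}


def match_rules(events):
    """Return one (host, timestamp, rule_name) hit per rule each event satisfies."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for name, pred in RULES.items():
            if pred(ev):
                hits.append((ev["host"], ts, name))
    return hits


def correlate(hits, window=timedelta(hours=24), min_distinct=3):
    """Flag hosts on which >= min_distinct distinct rules fire inside one window.

    A single hit (an admin running Bandizip) is noise; three techniques from the
    chain on one host within a day matches the tempo described for this actor.
    """
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    flagged = {}
    for host, seq in by_host.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            names = {n for t, n in seq[i:] if t - start <= window}
            if len(names) >= min_distinct:
                flagged[host] = sorted(names)
                break
    return flagged


# Constructed sample events: WEB01 shows the full chain, FS02 only two techniques
# more than 24 h apart, HR-PC3 a lone benign archiver launch.
SAMPLE_EVENTS = [
    {"host": "WEB01", "source": "Security", "event_id": 4720, "ts": "2026-02-10T01:12:00",
     "data": {"TargetUserName": "svc_backup"}},
    {"host": "WEB01", "source": "Security", "event_id": 4732, "ts": "2026-02-10T01:13:00",
     "data": {"TargetUserName": "Administrators", "MemberName": "svc_backup"}},
    {"host": "WEB01", "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "ts": "2026-02-10T01:17:00",
     "data": {"NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp = 0x0"}},
    {"host": "WEB01", "source": "Security", "event_id": 4688, "ts": "2026-02-10T07:20:00",
     "data": {"NewProcessName": r"C:\Users\Public\rclone.exe"}},
    {"host": "FS02", "source": "System", "event_id": 7045, "ts": "2026-02-10T03:00:00",
     "data": {"ServiceName": "PSEXESVC"}},
    {"host": "FS02", "source": "Security", "event_id": 4946, "ts": "2026-02-11T09:00:00",
     "data": {"RuleName": "Allow 4444"}},
    {"host": "HR-PC3", "source": "Security", "event_id": 4688, "ts": "2026-02-07T10:00:00",
     "data": {"NewProcessName": r"C:\Program Files\Bandizip\Bandizip.exe"}},
]


def run(events=SAMPLE_EVENTS):
    """Match rules over the events and return the correlated per-host findings."""
    return correlate(match_rules(events))


if __name__ == "__main__":
    for host, techniques in run().items():
        print(host, "->", ", ".join(techniques))
```

Only WEB01 is flagged: four distinct techniques inside six hours. FS02 has two hits 30 hours apart and HR-PC3 one, so neither reaches the threshold. Tune `window` and `min_distinct` to your environment; the account-creation and Defender-exclusion rules are the ones most worth keeping strict, since the write-up describes both as routine steps for this actor.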