Storm-1175: Rapid Ransomware Deployment via Zero-Day and N-Day Exploits
A Chinese-speaking cybercriminal group, Storm-1175, is accelerating its attacks, moving from initial access to full system compromise including Medusa ransomware deployment in as little as 24 hours, according to a new Microsoft report. Unlike state-sponsored actors, the group operates for financial gain, targeting healthcare, finance, education, and professional services sectors, primarily in the U.S., U.K., and Australia.
Storm-1175 exploits a mix of zero-day and n-day vulnerabilities, often chaining flaws for maximum impact. The group has been observed abusing zero-days before public disclosure and rapidly weaponizing n-days, leaving defenders minimal time to patch. Over 16 vulnerabilities across 10 products have been leveraged, including critical flaws in:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure/Policy Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust
After gaining access, the group disables antivirus and endpoint protection, deploys tools for lateral movement and persistence, and exfiltrates data before encrypting systems with Medusa ransomware. Their high operational tempo and ability to identify exposed assets have made their attacks particularly effective.
Ivanti TPRM report: https://www.rankiteo.com/company/ivanti
PaperCut TPRM report: https://www.rankiteo.com/company/papercut-software
ConnectWise TPRM report: https://www.rankiteo.com/company/connectwise
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-threat-intelligence
{
  "id": "conmicpapiva1775607925",
  "linkid": "connectwise, microsoft-threat-intelligence, papercut-software, ivanti",
  "type": "Vulnerability",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Healthcare', 'Finance', 'Education', 'Professional Services'],
                        'location': ['U.S.', 'U.K.', 'Australia'],
                        'type': ['Healthcare', 'Finance', 'Education', 'Professional Services']}],
 'attack_vector': ['Zero-day exploits', 'N-day exploits'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'description': 'A Chinese-speaking cybercriminal group, Storm-1175, is accelerating its attacks, moving from initial access to full system compromise including Medusa ransomware deployment in as little as 24 hours. The group operates for financial gain, targeting healthcare, finance, education, and professional services sectors, primarily in the U.S., U.K., and Australia. Storm-1175 exploits a mix of zero-day and n-day vulnerabilities, often chaining flaws for maximum impact, and has leveraged over 16 vulnerabilities across 10 products.',
 'impact': {'data_compromised': True,
            'operational_impact': 'Full system compromise, data exfiltration, and encryption with Medusa ransomware',
            'systems_affected': True},
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Medusa'},
 'references': [{'source': 'Microsoft report'}],
 'threat_actor': 'Storm-1175',
 'title': 'Storm-1175: Rapid Ransomware Deployment via Zero-Day and N-Day Exploits',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2023-21529 (Microsoft Exchange)',
                             'CVE-2023-27351 (PaperCut)',
                             'CVE-2023-27350 (PaperCut)',
                             'CVE-2023-46805 (Ivanti Connect Secure/Policy Secure)',
                             'CVE-2024-21887 (Ivanti Connect Secure/Policy Secure)',
                             'CVE-2024-1709 (ConnectWise ScreenConnect)',
                             'CVE-2024-1708 (ConnectWise ScreenConnect)',
                             'JetBrains TeamCity',
                             'SimpleHelp',
                             'CrushFTP',
                             'SmarterMail',
                             'BeyondTrust']}