Microsoft Warns Storm-1175 Targets Web Systems With Medusa Ransomware
Microsoft recently issued a serious warning about a financially motivated cybercriminal group known as Storm-1175. This dangerous hacking group targets vulnerable web servers across the globe. It uses high-speed tactics to deploy the destructive Medusa ransomware.
Microsoft explained that the group usually attacks systems right after a new software flaw is discovered. This rapid action traps organizations before any critical software patches get applied.
Hackers are exploiting vulnerabilities for quick initial access
The hacking group moves incredibly fast to weaponize recently disclosed security flaws. It specifically targets exposed web applications. Security teams observed the group exploiting over 16 different vulnerabilities since last year. It attacks servers during the short window between public disclosure and widespread patch adoption.
In some extreme cases, the threat actors struck within a single day of a flaw becoming public. The attackers even use zero-day exploits to break into systems. This shows an advanced capability to find fresh targets. After finding a weak spot, the group quickly establishes a foothold. It often drops a remote access payload or creates a hidden web shell.
This gives the attackers persistent access to the targeted network. Recent intrusions heavily impacted the healthcare sector. The group also targets education and finance organizations in the United States and the United Kingdom.
They are stealing data and deploying the final payload
Once inside the network, Storm-1175 moves rapidly toward its ultimate goal. It frequently creates a new user account with full administrator privileges. The group then uses legitimate remote monitoring software to move laterally across different computers. It often disables local security tools like antivirus programs to avoid detection. The attackers then steal sensitive documents and private information using a synchronization tool called Rclone. This stolen data is likely to be used for extortion later.
Finally, the group deploys the Medusa ransomware across the compromised environment. This final step locks users out of their critical files. Protecting administrative accounts helps stop the group from spreading. Monitoring remote access tools is also a crucial security step. Microsoft noted that the entire attack chain can unfold in just a few days.
Sometimes, the attackers complete their mission in under 24 hours. The software maker urges all network defenders to patch web systems quickly.
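One way a defender might watch for the post-intrusion stages described above (a new account added to the administrators group, security tooling switched off, Rclone launched) is to correlate several of them on the same host. The following is an added example written for this article, not Microsoft's detection logic; the pipe-delimited log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). Format is an assumption:
# "<host>|<event id or type>|<details>"
SAMPLE_LOGS = """\
web01|4720|target_user=svc_backup
web01|4732|member=svc_backup group=Administrators
web01|process|image=powershell.exe cmdline=Set-MpPreference -DisableRealtimeMonitoring $true
web01|process|image=rclone.exe cmdline=rclone copy D:\\shares remote:exfil
db02|process|image=notepad.exe cmdline=notepad.exe
"""

# One rule per stage of the chain the article describes. Rule names and
# patterns are this example's own choices, not vendor signatures.
RULES = {
    "new_admin_account": re.compile(r"\|4732\|member=\S+ group=Administrators"),
    "av_tampering": re.compile(r"DisableRealtimeMonitoring", re.IGNORECASE),
    "rclone_exfil": re.compile(r"image=rclone(\.exe)?\b", re.IGNORECASE),
}


def score_hosts(log_text):
    """Return {host: sorted rule names} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host = line.split("|", 1)[0]
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits[host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def chain_alerts(log_text, min_stages=2):
    """Hosts where several distinct stages fired. A single rule on its own
    (e.g. one Rclone run) may be routine admin work; two or more stages on
    one host within a short window is the pattern worth escalating."""
    return sorted(
        host for host, names in score_hosts(log_text).items()
        if len(names) >= min_stages
    )


if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOGS))
    print("escalate:", chain_alerts(SAMPLE_LOGS))
```

In practice the same correlation would be expressed in the SIEM's query language over real Windows Security and process-creation events rather than over a flat text file.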