Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
Storm-1175 is a financially motivated threat actor that rapidly exploits N-day and zero-day vulnerabilities in web-facing assets to deploy Medusa ransomware. The group utilizes a high-tempo attack chain, leveraging LOLBins, RMM tools, and credential theft to move laterally and exfiltrate data before executing ransomware, often completing the entire attack lifecycle within days.
Authors: Microsoft Threat Intelligence
Source:
Microsoft
- filenameC:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txtOutput file used during firewall modification to enable Remote Desktop.
- registry_keyUseLogonCredentialRegistry entry modified by the attacker to turn on WDigest credential caching for credential theft.
Key Takeaways
- Storm-1175 operates high-velocity ransomware campaigns, moving from initial access to Medusa ransomware deployment in as little as 24 hours.
- The actor heavily relies on exploiting recently disclosed N-day and occasionally 0-day vulnerabilities in web-facing assets.
- Post-compromise activity involves creating local admin accounts, using LOLBins, and deploying various RMM tools and Cloudflare tunnels for lateral movement.
- Defense evasion techniques include modifying registry settings to disable Microsoft Defender and adding the C:\ drive to exclusion paths.
- Data exfiltration is conducted using Bandizip and Rclone, followed by ransomware deployment via PDQ Deployer or Group Policy.
Affected Systems
- Microsoft Exchange
- Papercut
- Ivanti Connect Secure and Policy Secure
- ConnectWise ScreenConnect
- JetBrains TeamCity
- SimpleHelp
- CrushFTP
- GoAnywhere MFT
- SmarterMail
- BeyondTrust
- Oracle WebLogic
- ManageEngine
- Qlik
- Mirth Connect
- Apache
- Fortinet FortiClient
- WhatsUp Gold
- SAP NetWeaver
- Windows endpoints
- Linux systems
Vulnerabilities (CVEs)
- CVE-2023-21529
- CVE-2023-27351
- CVE-2023-27350
- CVE-2023-46805
- CVE-2024-21887
- CVE-2024-1709
- CVE-2024-1708
- CVE-2024-27198
- CVE-2024-27199
- CVE-2024-57726
- CVE-2024-57727
- CVE-2024-57728
- CVE-2025-31161
- CVE-2025-10035
- CVE-2025-52691
- CVE-2026-23760
- CVE-2026-1731
- CVE-2025-31324
- CVE-2022-41080
- CVE-2022-41082
- CVE-2023-34197
- CVE-2023-41266
- CVE-2023-43208
- CVE-2023-46604
- CVE-2023-48788
- CVE-2024-6670
- CVE-2024-12356
Attack Chain
Storm-1175 gains initial access by exploiting N-day or zero-day vulnerabilities in web-facing applications, dropping a web shell or remote access payload. They establish persistence by creating local administrator accounts and use LOLBins, Cloudflare tunnels, and RMM tools for lateral movement. The actor steals credentials via LSASS dumping or NTDS.dit extraction, disables Microsoft Defender via registry and PowerShell modifications, and exfiltrates data using Bandizip and Rclone. Finally, Medusa ransomware is deployed across the network using PDQ Deployer or Group Policy.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender for Endpoint, Microsoft Defender Antivirus
Microsoft provides a list of behavioral and signature-based detections available in Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
Detection Engineering Assessment
EDR Visibility: High — The attack relies heavily on process execution (LOLBins, RMM tools), registry modifications (Defender tampering, WDigest), and local account creation, all of which are highly visible to modern EDRs. Network Visibility: Medium — While initial exploitation and Rclone exfiltration generate network traffic, the use of Cloudflare tunnels and encrypted RDP sessions may obscure lateral movement payloads. Detection Difficulty: Moderate — The rapid pace of the attack and heavy use of legitimate tools (RMM, PDQ Deployer, LOLBins) can blend in with normal administrative activity, requiring behavioral correlation.
Required Log Sources
- Event ID 4624 (Logon)
- Event ID 4688 (Process Creation)
- Event ID 4720 (User Account Created)
- Event ID 4732 (Member Added to Local Group)
- Event ID 4657 (Registry Value Modified)
- Event ID 4104 (PowerShell Script Block Logging)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for the creation of local user accounts (e.g., 'netadmin') followed immediately by their addition to the local Administrators group. | Windows Security Event Logs (4720, 4732) | Persistence | Low |
| Identify instances of Cloudflare tunnel binaries being renamed to mimic legitimate Windows binaries like conhost.exe. | EDR Process Execution Logs | Lateral Movement | Low |
| Detect modifications to the UseLogonCredential registry key to enable WDigest credential caching. | EDR Registry Modification Logs | Credential Access | Low |
| Hunt for the execution of Rclone or Bandizip originating from unusual directories or spawned by RMM tools. | EDR Process Creation Logs | Exfiltration | Medium |
| Monitor for netsh commands attempting to modify the Windows Firewall to enable Remote Desktop. | EDR Process Execution Logs | Defense Evasion | Medium |
Control Gaps
- Lack of network segmentation for web-facing assets
- Unrestricted local administrator privileges
- Missing tamper protection for AV/EDR
Key Behavioral Indicators
- Renamed Cloudflare tunnel binaries (conhost.exe)
- Unexpected RMM tool installations (Atera, AnyDesk, etc.)
- Registry modifications to UseLogonCredential
- Execution of RunFileCopy.cmd via PDQ Deployer
False Positive Assessment
- Medium (The heavy reliance on legitimate administrative tools like PDQ Deployer, PsExec, and various RMMs may generate false positives if these tools are actively used by the organization's IT staff).
Recommendations
Immediate Mitigation
- Isolate vulnerable web-facing systems from the public internet or place them behind a WAF/VPN.
- Reset passwords for accounts used to install unapproved RMM services.
- Enable Microsoft Defender Tamper Protection tenant-wide.
Infrastructure Hardening
- Implement Credential Guard to protect credentials in LSASS.
- Configure DisableLocalAdminMerge to prevent local admins from modifying AV exclusions.
- Deploy Attack Surface Reduction (ASR) rules to block credential stealing and PsExec/WMI lateral movement.
User Protection
- Enforce the principle of least privilege and limit local administrator rights.
- Ensure local administrator passwords are not shared across the environment.
Security Awareness
- Educate IT teams on the risks of unapproved RMM tools and the importance of monitoring software deployment tools like PDQ Deployer.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1505.003 - Server Software Component: Web Shell
- T1136.001 - Create Account: Local Account
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1572 - Protocol Tunneling
- T1219 - Remote Access Software
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1003.003 - OS Credential Dumping: NTDS
- T1112 - Modify Registry
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1560.001 - Archive Collected Data: Archive via Utility
- T1048 - Exfiltration Over Alternative Protocol
- T1486 - Data Encrypted for Impact
Additional IOCs
- Registry Keys:
UseLogonCredential- Modified to turn on WDigest credential caching.
- File Paths:
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\wwwroot\result.txt- Output file from netsh command execution.
- Command Lines:
- Purpose: Create a new local administrator account for persistence | Tools:
net.exe| Stage: Persistence |net user netadmin - Purpose: Add newly created user to the local administrators group | Tools:
net.exe| Stage: Persistence |net localgroup administrators netadmin /add - Purpose: Enable Remote Desktop through Windows Firewall | Tools:
netsh.exe,cmd.exe| Stage: Defense Evasion |netsh advfirewall firewall set rule group="remote desktop" new enable=Yes - Purpose: Add C:\ drive to Microsoft Defender exclusion path | Tools:
powershell.exe| Stage: Defense Evasion
- Purpose: Create a new local administrator account for persistence | Tools:
- Other:
Atera RMM- RMM tool used for persistence and lateral movement.Level RMM- RMM tool used for persistence and lateral movement.N-able- RMM tool used for persistence and lateral movement.DWAgent- RMM tool used for persistence and lateral movement.MeshAgent- RMM tool used for persistence and lateral movement.ConnectWise ScreenConnect- RMM tool used for persistence and lateral movement.AnyDesk- RMM tool used for persistence and lateral movement.SimpleHelp- RMM tool used for persistence and lateral movement.PDQ Deployer- Legitimate software deployment tool used for lateral movement and ransomware deployment.Bandizip- Archive utility used for data collection prior to exfiltration.Rclone- Data synchronization tool used for exfiltration to cloud resources.