Quick Takeaways
- Microsoft Threat Intelligence reports that the cybercriminal group Storm-1175 exploited the CVE-2025-10035 vulnerability in GoAnywhere MFT to conduct multi-stage attacks, including ransomware deployment, since September 11.
- The vulnerability was exploited as a zero-day before Fortra’s public disclosure and patch on September 18, and evidence suggests active exploitation began at least a day before the September 11 activity Microsoft observed (around September 10).
- Attackers used the flaw to install remote monitoring tools, drop web shells, move laterally across networks, and steal data via Rclone, ultimately deploying Medusa ransomware.
- Authorities and researchers highlight a lack of detailed communication from Fortra regarding the breach, with ongoing concerns about the extent of exploitation and the attribution to the Medusa ransomware affiliate.
Underlying Problem
Recently, a cybercriminal group called Storm-1175 exploited a critical security flaw, known as CVE-2025-10035, in Fortra’s GoAnywhere MFT, a popular file-transfer service. This vulnerability had been exploited before it was officially disclosed and patched on September 18, allowing the hackers to perform malicious activities such as deploying ransomware, installing remote monitoring tools, dropping web shells, and moving laterally across compromised networks. Microsoft Threat Intelligence reported these attacks happening as early as September 11, with evidence indicating that the attackers, motivated by financial gain, successfully used the flaw to gain remote access, steal data, and deploy Medusa ransomware—affecting organizations across various sectors including transportation, education, retail, insurance, and manufacturing. Despite mounting evidence from cybersecurity firms and federal authorities confirming active exploitation, Fortra has not yet confirmed if the vulnerability remains under attack or provided answers regarding how the hackers accessed sensitive keys, raising concerns about transparency and the potential scale of the impact.
Security Implications
Microsoft Threat Intelligence reports that the cybercriminal group Storm-1175 has exploited a critical zero-day vulnerability (CVE-2025-10035) in GoAnywhere MFT, a widely used file-transfer service, to launch multi-stage attacks, including ransomware deployment, since at least September 11. Using this flaw, the attackers achieved remote code execution, installed remote monitoring tools, dropped web shells, and moved laterally across networks, leading to data theft and ransomware deployment. These activities highlight the severity of the vulnerability, which was exploited before Fortra’s official patch on September 18, with evidence suggesting active exploitation began even earlier, around September 10. Despite confirmation from federal agencies and multiple security firms, Fortra has yet to clarify the extent of active exploitation or how attackers accessed private keys, leaving organizations in the dark about their specific risk. The ongoing exploitation underscores the threat posed by opportunistic cybercriminal groups that blend legitimate tools (remote monitoring software, Rclone) with stealthy tradecraft to compromise systems across industries, risking substantial damage through data theft, extortion, and operational disruption.
Possible Remediation Steps
Staying ahead of threats like the GoAnywhere zero-day attacks that Microsoft has linked to the Storm-1175 ransomware affiliate is crucial for safeguarding organizational assets, maintaining trust, and avoiding costly downtime. Prompt and effective remediation can significantly reduce the risk of data breaches, financial loss, and reputational damage.
Mitigation Strategies
- Patch Management: Apply the latest security updates and patches for GoAnywhere and affected Microsoft systems immediately.
- Vulnerability Assessment: Conduct comprehensive scans to identify and remediate other exploitable weaknesses.
- Network Segmentation: Isolate critical systems to contain potential breaches and limit lateral movement of attackers.
Remediation Procedures
- Incident Response: Activate the incident response team to investigate and contain the attack swiftly.
- Credential Reset: Change all compromised or suspicious credentials associated with affected accounts.
- System Restoration: Restore impacted systems from secure backups to ensure clean and secure environments.
- User Education: Train employees on recognizing and avoiding phishing or social engineering tactics that may lead to exploitation.