SOC Incident Toolkit
High-Velocity Intrusions: Storm-1175 Chains Zero-Day and N-Day Exploits in Global Medusa Ransomware Campaign

Tags: Medusa ransomware, zero-day vulnerabilities, Storm-1175

A China-based threat actor known for deploying Medusa Ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.

Indicators of Compromise

Hashes (4)

5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19
0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96
9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c
e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086

IPv4 (3)

134.195.91.224
85.155.186.121
185.135.86.149

APT Groups

Storm-1175

CN

Notes

CONCLUSION

Storm-1175 demonstrates strategic adaptability by rapidly exploiting both zero-day and N-day vulnerabilities, allowing the group to maintain a high operational tempo. This adaptability has enabled it to successfully target sectors such as healthcare, education, professional services, and finance in countries including Australia, the UK, and the US. The impact on these sectors is significant, as the attacks disrupt operations and compromise sensitive data. Organizations in these sectors should leverage SOCRadar IOC Radar to investigate indicators of compromise, and SOCRadar Dark Web Monitoring to detect potential credential leaks. Additionally, SOCRadar Cyber Threat Intelligence can help track the threat actor's tactics, techniques, and procedures, while SOCRadar Brand Protection can identify phishing domains. Finally, SOCRadar Attack Surface Management can provide visibility into exposed assets to prevent exploitation.

Mitigation

Mitigation ID: M1047
Mitigation Name: Audit
Reference: https://attack.mitre.org/mitigations/M1047/
Description: Perform audits or scans of systems, permissions, insecure software, and configurations to identify potential weaknesses. Covers system, permission, software, configuration, and network audits to detect anomalies and support compliance.

Mitigation ID: M1035
Mitigation Name: Limit Access to Resource Over Network
Reference: https://attack.mitre.org/mitigations/M1035/
Description: Prevent access to file shares, remote systems, and unnecessary services. Restrict network resources to only those with a legitimate business need. Controls may include network concentrators, RDP gateways, and zero-trust network access (ZTNA) models.

Mitigation ID: M1053
Mitigation Name: Data Backup
Reference: https://attack.mitre.org/mitigations/M1053/
Description: Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network. Implement IT disaster recovery plans that include regular backup procedures.