Microsoft links Medusa ransomware affiliate to zero-day attacks
Microsoft says that Storm-1175, a China-based, financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks.

This cybercrime gang quickly shifts to targeting new security vulnerabilities to gain access to its victims' networks, weaponizing some of them within a day and, in some cases, exploiting them a week before patches are released.

"Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and in some cases within 24 hours," Microsoft said.

"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."

Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.

In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for over one week before it was patched.

Another vulnerability Storm-1175 exploited as a zero-day was CVE-2026-23760, an authentication bypass in SmarterTools' SmarterMail email server and collaboration tool.

"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," Microsoft added.

"These factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities."

In recent campaigns, Storm-1175 has exploited more than 16 vulnerabilities across 10 software products, including Microsoft Exchange (CVE-2023-21529), Papercut (CVE-2023-27351 and CVE-2023-27350), Ivanti Connect Secure and Policy Secure (CVE-2023-46805 and CVE-2024-21887), and ConnectWise ScreenConnect (CVE-2024-1709 and CVE-2024-1708).

Microsoft has also seen them exploit vulnerabilities in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199), SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), CrushFTP (CVE-2025-31161), SmarterMail (CVE-2025-52691), and BeyondTrust (CVE-2026-1731).

CISA issued a joint advisory with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in March 2025, warning that the Medusa ransomware gang's attacks had impacted over 300 critical infrastructure organizations across the United States.

In July 2024, Microsoft also linked the Storm-1175 threat group, along with three other cybercrime gangs, to Black Basta and Akira ransomware attacks that exploited a VMware ESXi authentication-bypass flaw.