In the last few months, a rule that every security officer should have in place has become evident: when a malicious actor combines speed, technical knowledge and access to zero-day exploits, the margin for response shrinks drastically. A group linked to China, tracked by threat intelligence teams as Storm-1175, has been exploiting this combination to infiltrate networks exposed on the Internet and deploy the ransomware known as Medusa. Its modus operandi is based on rapid movement, vulnerability mapping and the strategic use of legitimate tools, which makes it hard to detect and accelerates the damage.
Microsoft researchers have documented how this group does not merely take advantage of already reported flaws: it has repeatedly used zero-day vulnerabilities before they were public and has mixed recent exploits with already known ones to gain entry and advance through the compromised environment. The result has been intrusions that have particularly affected healthcare organizations, but also educational centres, professional firms and financial institutions in countries such as Australia, the United Kingdom and the United States. For more context on Microsoft's work in these investigations, see its security section: Microsoft Security Blog.

One of the features that makes actors like Storm-1175 dangerous is the speed with which they turn access into impact. In several incidents, they have turned initial access into data theft and ransomware deployment within days; in isolated cases, even within 24 hours of the initial entry. This cadence demands not only patches, but early detection and rapidly applied countermeasures. The vulnerabilities exploited by the group since 2023 include flaws in mail servers, remote management platforms and collaboration tools, many of which are publicly catalogued in databases such as NIST's NVD. For specific examples, see the NVD entries for CVE-2023-21529 or CVE-2024-1708, the latter affecting remote control solutions: CVE-2023-21529 and CVE-2024-1708. In addition, if you want to track vulnerabilities being exploited at scale and prioritize patching, the CISA catalog of known exploited vulnerabilities is a useful resource: CISA - Known Exploited Vulnerabilities Catalog.
Beyond the range of technical flaws, the Storm-1175 tactics reveal another worrying trend: the reuse of legitimate tools to hide malicious activity. The attackers often rely on RMM (Remote Monitoring and Management) software, remote administration applications or system utilities (the so-called LOLBins) to move laterally and minimize noise. Tools like PowerShell, PsExec, commercial remote management utilities and deployment packages have been used both to run legitimate commands and to spread malicious payloads. This mixture complicates identification of the attack because the traffic and actions fit valid administrative patterns.
In the post-intrusion phase, the typical chain that analysts have observed includes creating new accounts for persistence, installing web shells, abusing commercial RMM software to move across the network, dumping credentials with tools such as Mimikatz or similar frameworks, and setting exclusions in antivirus solutions so that malicious binaries are not blocked. For information exfiltration, the use of archiving and synchronization utilities has been reported, which make it easier to pack and move large volumes of data out of the network. All this ends with the deployment of Medusa, usually accompanied by ransom demands.
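As an added example (not part of the article or of Microsoft's research), the kind of detection logic a defender can run over endpoint telemetry to catch the chain just described: it maps each event to a stage (persistence, defence evasion, credential access, exfiltration staging) and alerts only when several distinct stages land on the same host inside a 24-hour window, the timescale the group works in. The pipe-separated log format, the sample lines and the tool-name lists are constructed assumptions for the demo, not a vendor schema.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): timestamp|host|event_type|detail
SAMPLE_LOG = """\
2024-05-01T08:02:10|srv-mail01|account_created|user=svc_backup2
2024-05-01T08:05:44|srv-mail01|av_exclusion_added|path=C:\\ProgramData\\tmp
2024-05-01T08:07:01|srv-mail01|process|image=rclone.exe
2024-05-01T09:15:00|ws-hr07|process|image=powershell.exe
2024-05-03T14:00:00|srv-file02|av_exclusion_added|path=D:\\Backups
2024-05-06T10:00:00|srv-file02|process|image=7z.exe
"""
# Illustrative tool names (assumption, not from the article); tune to the local inventory.
ARCHIVE_OR_SYNC_TOOLS = {"7z.exe", "rclone.exe", "winrar.exe"}
CREDENTIAL_TOOLS = {"mimikatz.exe"}

def parse_line(line):
    ts, host, event_type, detail = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "type": event_type, "detail": detail}

def stage_of(event):
    """Map one event to a stage of the chain, or None for ordinary activity."""
    if event["type"] == "account_created":
        return "persistence"
    if event["type"] == "av_exclusion_added":
        return "defense_evasion"
    if event["type"] == "process":
        image = event["detail"].partition("=")[2].lower()
        if image in CREDENTIAL_TOOLS:
            return "credential_access"
        if image in ARCHIVE_OR_SYNC_TOOLS:
            return "exfil_staging"
    return None

def correlate(log_text, window=timedelta(hours=24), min_stages=2):
    """Return {host: sorted stages} where >= min_stages distinct stages fall in one window."""
    per_host = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        stage = stage_of(ev)
        if stage:
            per_host.setdefault(ev["host"], []).append((ev["time"], stage))
    alerts = {}
    for host, events in per_host.items():
        events.sort()  # sliding window over chronologically ordered stage events
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= window}
            # keep the richest window seen for this host; a lone stage never alerts
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, [])):
                alerts[host] = sorted(stages)
    return alerts
```

On the sample, only srv-mail01 alerts; srv-file02 shows two stages but three days apart, so widening the window (or feeding real telemetry with longer dwell) is what surfaces it.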
In the face of this scenario there are concrete and pragmatic measures that, without being infallible, significantly raise the operating cost for the attackers. The first is to close the window of time between the disclosure of a patch and its application: knowing about the patches is not enough, they must be deployed with priority on the exposed surfaces. Network segmentation and limited access to critical Internet-facing services help reduce the reach of a successful exploit. It is equally important to control and audit the use of remote management tools; if they are used, they must be configured with strong authentication, limited access and dedicated monitoring. For those who manage business environments, the recommendations to strengthen multifactor authentication, limit privileges, enable telemetry and prepare incident response procedures remain valid and urgent.

There is also an organizational lesson: financially motivated attackers like Storm-1175 exploit not only technical vulnerabilities, but slow or fragmented processes. An entity with dispersed patching policies, without a full inventory of exposed services, or with intensive use of third-party solutions (RMM, support tools) offers much more fertile ground than one that has strict control of its perimeter and continuous visibility into its telemetry. The work is both technical and human: training teams, reviewing contracts and external dependencies, and maintaining response playbooks can make the difference.
For those who want to dig into the technical details and the indicators of compromise that this type of campaign leaves behind, it is recommended to combine security vendors' sources with national vulnerability databases and advisories. In addition to the Microsoft blog cited above and the NVD database, advisories from agencies such as CISA or reports from detection and response providers offer indicators and mitigation proposals with practical examples. For example, the list of vulnerabilities exploited by active actors can be consulted and cross-referenced with your own inventory to prioritize actions: NVD - National Vulnerability Database and CISA are good starting points.
The fact that a group like Storm-1175 places a priority on speed, exploit chains and the use of legitimate infrastructure is a reminder that modern security requires rhythm and discipline. It is not just about applying patches, but about building controls that detect anomalies in the use of administrative tools, that restrict lateral movement and that allow action in hours, not weeks. In a world where attackers can access vulnerabilities before public disclosure, resilience and an organized response are the best defense.