BREACH BRIEF · 🟠 High · Ransomware

Medusa Ransomware Affiliate Storm‑1175 Deploys Zero‑Day Exploits Across Healthcare, Education, Finance Sectors

Microsoft links the China‑based Storm‑1175 group to a wave of high‑velocity ransomware attacks that weaponise zero‑day and n‑day vulnerabilities. Victims span healthcare, education, professional services, and finance in Australia, the UK, and the US, highlighting urgent third‑party risk concerns.

LiveThreat™ Intelligence · 📅 April 06, 2026 · 📰 bleepingcomputer.com

Severity: 🟠 High · Type: Ransomware · Confidence: 🎯 High · Affected: 🏢 4 sector(s) · Actions: 3 recommended · Source: 📰 bleepingcomputer.com


What Happened — Microsoft attributes a surge of high‑velocity attacks to Storm‑1175, a China‑based group that operates as an affiliate of the Medusa ransomware‑as‑a‑service. The group has been weaponising both n‑day and zero‑day vulnerabilities, sometimes within 24 hours of a flaw being discovered or disclosed, and chaining several exploits to establish persistence before encrypting data. Recent campaigns have hit healthcare providers, universities, professional‑services firms, and financial institutions in Australia, the United Kingdom, and the United States.

Why It Matters for TPRM

  • The rapid weaponisation of zero‑days shows a threat actor that can obtain or develop working exploits before patches are widely deployed, which raises the likelihood that a third‑party vendor running an affected product is compromised before it can patch.
  • Multi‑product targeting (GoAnywhere MFT, SmarterMail, Microsoft Exchange, and others) widens the attack surface across the SaaS and on‑premises products that organisations and their vendors rely on; an internet‑exposed instance of any of them is a candidate entry point.
  • Data exfiltration and credential theft precede encryption, so a compromised vendor can expose partner data and partner credentials even if the ransomware itself is contained.

Who Is Affected — Healthcare, Education, Professional Services, Financial Services; vendors of Managed File Transfer, Email/Collaboration, Identity & Access Management, and remote‑monitoring tools.

Recommended Actions

  • Review contracts and security controls for any third‑party service that runs one of the listed vulnerable products, and confirm whether the affected instance is exposed to the internet.
  • Verify that vendors have rapid patch‑management processes and can show evidence of compensating controls for flaws that are not yet patched (for example, virtual patching, restricting administrative interfaces to trusted networks, and application allow‑listing).
  • Implement multi‑factor authentication and least‑privilege account provisioning to limit the impact of credential theft, and alert on new account creation and on security tooling being disabled, since both preceded encryption in these intrusions.

Technical Notes — Storm‑1175 leveraged CVE‑2025‑10035 (GoAnywhere MFT), CVE‑2026‑23760 (SmarterMail authentication bypass), and a further 16 CVEs across Microsoft Exchange, PaperCut, Ivanti, ConnectWise, JetBrains TeamCity, SimpleHelp, CrushFTP, and BeyondTrust. Observed tradecraft included vulnerability exploitation for initial access, credential theft, creation of rogue user accounts, and disabling of security tools before ransomware deployment. Source: BleepingComputer
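As an added illustration of the detection side of the tradecraft just described (rogue account creation and security tooling disabled before encryption), the following Python correlates Windows Security and Microsoft Defender events per host inside a one‑hour window and raises an alert only when a new account is followed by privilege escalation, Defender tampering, or shadow‑copy deletion. It is example code written for this brief, not tooling from Microsoft or from the BleepingComputer report. The event IDs (Security 4720, 4732, 4688; Defender 5001 and 5010) are the real Windows event IDs, but the sample events, host names, account names, and the one‑hour window are constructed assumptions.

```python
"""Correlate Windows events that match the pre-ransomware pattern described in
the brief: a new local account, that account added to Administrators, Defender
real-time protection disabled, and shadow copies deleted, all on one host inside
a short window. Added example; the event records below are constructed."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Event IDs are the real Windows Security / Defender
# IDs; hosts, accounts and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T02:10:05", "host": "MFT-GW01", "provider": "Security",
     "id": 4720, "fields": {"TargetUserName": "svc_backup2",
                            "SubjectUserName": "goanywhere"}},
    {"ts": "2026-04-01T02:10:41", "host": "MFT-GW01", "provider": "Security",
     "id": 4732, "fields": {"MemberName": "svc_backup2",
                            "TargetUserName": "Administrators"}},
    {"ts": "2026-04-01T02:12:17", "host": "MFT-GW01",
     "provider": "Microsoft-Windows-Windows Defender", "id": 5001, "fields": {}},
    {"ts": "2026-04-01T02:13:02", "host": "MFT-GW01", "provider": "Security",
     "id": 4688, "fields": {"NewProcessName": r"C:\Windows\System32\vssadmin.exe",
                            "CommandLine": "vssadmin delete shadows /all /quiet"}},
    # Benign noise on another host: a helpdesk account creation with no follow-on.
    {"ts": "2026-04-01T09:30:00", "host": "HR-WS07", "provider": "Security",
     "id": 4720, "fields": {"TargetUserName": "j.smith",
                            "SubjectUserName": "helpdesk"}},
]

WINDOW = timedelta(hours=1)           # assumed correlation window
DEFENDER_TAMPER_IDS = {5001, 5010}    # real-time protection / scanning disabled


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _short(name: str) -> str:
    """Normalise a 4732 MemberName ("DOMAIN\\user", "CN=user,...") to a bare login."""
    return name.split("\\")[-1].split(",")[0].replace("CN=", "").lower()


def detect_precursor_chain(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per new account that is followed, on the same host and
    within `window`, by at least one escalation or defence-evasion stage."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for created in [e for e in evs if e["provider"] == "Security" and e["id"] == 4720]:
            account = created["fields"]["TargetUserName"].lower()
            t0 = _parse(created["ts"])
            later = [e for e in evs if e is not created and t0 <= _parse(e["ts"]) <= t0 + window]
            stages = ["account_created"]

            # Stage 2: the new account lands in the local Administrators group.
            if any(e["provider"] == "Security" and e["id"] == 4732
                   and _short(e["fields"].get("MemberName", "")) == account
                   and e["fields"].get("TargetUserName", "").lower() == "administrators"
                   for e in later):
                stages.append("added_to_administrators")

            # Stage 3: Defender reports real-time protection or scanning disabled.
            if any(e["provider"].startswith("Microsoft-Windows-Windows Defender")
                   and e["id"] in DEFENDER_TAMPER_IDS for e in later):
                stages.append("defender_disabled")

            # Stage 4: shadow copies deleted, the classic step just before encryption.
            if any(e["provider"] == "Security" and e["id"] == 4688
                   and "vssadmin" in e["fields"].get("NewProcessName", "").lower()
                   and "delete shadows" in e["fields"].get("CommandLine", "").lower()
                   for e in later):
                stages.append("shadow_copies_deleted")

            # A lone account creation is normal admin activity; alert only on a chain.
            if len(stages) >= 2:
                alerts.append({
                    "host": host,
                    "account": account,
                    "created_by": created["fields"].get("SubjectUserName"),
                    "first_seen": created["ts"],
                    "stages": stages,
                    "severity": "critical" if len(stages) >= 3 else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_precursor_chain(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the MFT gateway host produces a single critical alert carrying all four stages, while the helpdesk account creation on HR-WS07 is ignored because nothing follows it. In production the same logic would consume events from a SIEM or from `Get-WinEvent` exports; the window and the stage list are the knobs to tune against your own baseline of legitimate account provisioning.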

📰 Original Source
https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
