
All news with #medusa tag

16 articles

Storm-1175 (Medusa) Accelerates Ransomware Attacks

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.

Storm-1175 Weaponizes n-day and Zero-day Flaws Worldwide

⚠️ Microsoft says financially motivated actor Storm-1175 has run a high-tempo campaign that weaponizes both n-day and zero-day vulnerabilities to deliver Medusa ransomware against internet-facing systems. The group has exploited at least 16 flaws since 2023, including the zero-day CVE-2025-10035 affecting GoAnywhere MFT, and has impacted healthcare, education, professional services and finance in Australia, the UK and the US. Recommended protections include perimeter scanning, isolating web-facing systems behind VPNs, WAFs or a DMZ, enforcing MFA for RMM tools, enabling tamper protection and configuring XDR to detect and block common ransomware tactics.

China-linked Storm-1175 Uses Zero-Days to Deploy Medusa

🔒 China-linked threat actor Storm-1175 has been observed exploiting a mix of zero-day and N-day flaws to quickly compromise internet-facing systems and deploy Medusa ransomware. Microsoft reports the group moves with high operational tempo, chaining exploits and abusing legitimate RMM tools to evade detection. Targets include healthcare, education, professional services and finance across Australia, the UK and the US. Intrusions often lead to rapid data exfiltration and encryption within days, sometimes under 24 hours.

Microsoft: Medusa Affiliate Storm-1175 Uses Zero-Day

🛡️ Microsoft says the China-based, financially motivated threat group Storm-1175, an affiliate that deploys Medusa ransomware, has been rapidly weaponizing n-day and zero-day vulnerabilities to gain access and move to data exfiltration and encryption within days, sometimes within 24 hours. Microsoft observed the operators chaining exploits to create accounts, deploy remote management tools, steal credentials, and disable security controls before dropping ransomware, with recent victims across healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States.

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

🔒 Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, steal credentials, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often reaching the impact stage within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.

Lazarus Group Expands Ransomware Operations Using Medusa

🔐 Symantec and Carbon Black researchers linked a new wave of Medusa ransomware activity to North Korean state-backed actors within the broader Lazarus umbrella, noting deployments against a Middle East target and attempted intrusions into US healthcare. Medusa, a 2023 ransomware-as-a-service operated by Spearwing, has been tied to more than 366 incidents and recent listings of US healthcare and non-profit victims with average demands near $260,000. Analysts observed a toolkit—including Comebacker, Blindingcan, ChromeStealer and Mimikatz—that resembles previous Stonefly operations but cautioned the components are not exclusive to a single sub-group.

Lazarus Group Uses Medusa Ransomware in Middle East Attack

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team reports the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed Middle East entity and mounted an unsuccessful attempt against a U.S. healthcare organization. Medusa is a RaaS launched by Spearwing in 2023 and has been tied to hundreds of incidents. Analysts say this reflects a tactical shift toward off-the-shelf ransomware and affiliate operations, with the campaign leveraging tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.

Lazarus-linked Medusa Ransomware Hits U.S. Healthcare

🔒 Symantec says a North Korean Lazarus subgroup is using Medusa ransomware to extort U.S. healthcare organizations, marking the first public linkage between Lazarus and Medusa. The attacks combine commodity utilities with custom tools — Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz and RP_Proxy — and have hit multiple healthcare and non-profit victims. Symantec published IoCs and warns demands can reach $15 million.

Ransomware Gangs Use Shanya Packer to Evade EDR Protections

🛡️ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

SimonMed: 1.2M Patients Affected in January Breach

🔒 SimonMed Imaging is notifying more than 1.2 million individuals that attackers accessed its network between January 21 and February 5, 2025. The company says hackers stole data and the Medusa ransomware group claimed a 212 GB exfiltration and published proof files including ID scans, medical reports, payment details and raw scans. SimonMed reset passwords, implemented multifactor authentication, deployed EDR, removed vendor access, restricted traffic, notified law enforcement and is offering affected people free Experian identity monitoring.

Fortra Confirms Active Exploitation of GoAnywhere Flaw

🔒 Fortra disclosed its investigation into CVE-2025-10035, a deserialization vulnerability in the GoAnywhere License Servlet that has been exploited since September 11, 2025. The vendor issued a hotfix within 24 hours and published patched builds (7.6.3 and 7.8.4) on September 15, saying the risk is limited to admin consoles exposed to the public internet. Microsoft attributes observed exploitation to threat actor Storm-1175, which deployed Medusa ransomware; Fortra recommends restricting internet access to admin consoles, enabling monitoring, and keeping software up to date.

Microsoft Links Storm-1175 to GoAnywhere Flaw, Medusa

🔒 Microsoft attributed active exploitation of a critical Fortra GoAnywhere vulnerability (CVE-2025-10035, CVSS 10.0) to the cybercriminal group Storm-1175, which has been observed deploying Medusa ransomware. The flaw is a deserialization bug that can permit unauthenticated command injection when a forged license response signature is accepted. Fortra released fixes in GoAnywhere 7.8.4 and Sustain Release 7.6.3; organizations should apply updates immediately and hunt for indicators such as dropped RMM tools, .jsp web shells, Cloudflare tunnels and Rclone usage.

Critical GoAnywhere MFT Flaw Exploited in Medusa Attacks

⚠️ Microsoft warns that a critical deserialization vulnerability in GoAnywhere MFT (CVE-2025-10035) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 since early September. The License Servlet flaw enables remote compromise without user interaction, allowing attackers to gain initial access and persist via abused RMM tools. Administrators should apply Fortra's patches and inspect logs for SignedObject.getObject stack traces.

Active Exploitation of GoAnywhere CVE-2025-10035 Observed

🔒 Microsoft Threat Intelligence warns of active exploitation of a critical deserialization vulnerability in GoAnywhere MFT License Servlet (CVE-2025-10035, CVSS 10.0) that can allow forged license responses to trigger arbitrary object deserialization and potential remote code execution. Activity attributed to Storm-1175 included initial access via this flaw, deployment of RMM tools (SimpleHelp, MeshAgent), and at least one Medusa ransomware incident. Customers should upgrade per Fortra guidance, run EDR in block mode, restrict outbound connections, and use the provided Defender detections and IoCs for hunting and response.

Medusa Ransomware Tried to Recruit BBC Journalist Insider

🧑‍💻 Threat actors claiming to represent Medusa contacted BBC cybersecurity correspondent Joe Tidy via Signal in July, offering him a cut of any ransom in exchange for providing access to BBC systems. They initially offered 15% of the paid ransom, later adding an extra 10% and even proposing 0.5 BTC placed in escrow. When Tidy hesitated, the actors launched MFA bombing attempts; he alerted the BBC security team and was disconnected from corporate systems as a precaution.

MedusaLocker RaaS Recruits Penetration Testers Globally

🔒 MedusaLocker, a ransomware-as-a-service (RaaS) group active since 2019, has posted a dark web job advert openly recruiting penetration testers and insiders who already have direct access to corporate networks. The advert explicitly instructs applicants not to apply unless they possess network access, signalling a preference for initial access brokers and company insiders. CISA previously linked MedusaLocker to exploitation of RDP vulnerabilities, and the group’s tactic highlights the blurred line between legitimate pentesting and criminal activity. Organisations should prioritise layered defenses, authorised penetration testing, and strict controls over remote access and privileged accounts.