Cybersecurity Threat Advisory: Storm-1175 exploits zero-days to deploy Medusa ransomware

Storm-1175 is a threat actor using a rapid sequence of zero-day and N-day exploits to deploy Medusa ransomware against internet-facing assets. This high-velocity attack pattern has been highlighted by security researchers, who emphasize the heightened risk posed by exposed perimeter services and stolen credentials. Read this Cybersecurity Threat Advisory to reduce exposure and learn how to mitigate risk now.

What is the threat?

Storm-1175 is a financially motivated threat actor that weaponizes a mix of zero-day and N-day vulnerabilities to gain initial access to internet-facing services. In some cases, the group has exploited zero-day vulnerabilities before they were publicly disclosed.

The group relies heavily on living-off-the-land binaries such as PowerShell and PsExec, uses Impacket for lateral movement, and frequently deploys legitimate remote monitoring and management (RMM) software to spread within networks. RMM tools typically run with high levels of access, and organizations often whitelist them, which lets attackers bypass standard endpoint detection and response (EDR) controls. These tools enable remote access, scripting, software deployment, and task orchestration—capabilities that attackers can easily abuse.

Once a foothold is established, Storm-1175 rapidly exfiltrates data and deploys Medusa ransomware. In some reported incidents, multiple exploits were used in quick succession to accelerate post-compromise activity.

Why is it noteworthy?

This activity is noteworthy because Storm-1175 has been linked to 16 additional vulnerabilities over the past few years and is able to breach environments within 24 hours. The group operates at a rapid pace and often uses zero-day exploits that are disclosed only after active exploitation.

Storm-1175 primarily targets vulnerable, web-facing assets and repurposes widely used remote management tools—such as ConnectWise ScreenConnect, AnyDesk, SimpleHelp, Atera, and MeshAgent—for stealthy lateral movement and data exfiltration. This combination of speed, flexible tooling, and legitimate software means that even organizations with mature security programs can experience a compromise if they don’t consistently enforce patching and monitoring.

What is the exposure or risk?

The primary exposure stems from internet-facing services and the RMM tools associated with them. Storm-1175 targets exposed perimeter devices and uses legitimate remote access tools to blend in with normal network traffic. This makes detection more difficult and lateral movement easier.

Organizations that rely on RMM tools such as AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, or SimpleHelp face increased risk. The group has also demonstrated a focus on Linux systems and has exploited Oracle WebLogic vulnerabilities. Critical sectors—including healthcare, education, and finance—are particularly at risk, especially when there is a delay in patching.

What are the recommendations?

Barracuda strongly recommends taking the following actions to reduce exposure and secure environments:

  • Prioritize patching of internet-facing services and perimeter devices
  • Enforce strong authentication for remote access and tighten access controls on exposed services
  • Improve monitoring for unusual remote-access activity, new administrative accounts, and unexpected deployment of RMM tools or web shells
  • Implement network segmentation and strict east-west traffic controls to limit lateral movement
  • Deploy EDR/XDR to detect credential dumping, PsExec-like behavior, and suspicious PowerShell activity
  • Establish proactive threat-hunting programs focused on exposed perimeter assets and RMM usage patterns
  • Enable Firewall Advanced Threat Protection (ATP) in the Barracuda Dashboard to automatically block unauthorized traffic
  • Apply focused exclusions rather than broad whitelisting for known RMM files
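As an added example (not Barracuda's code and not part of the original advisory), the following Python illustrates the monitoring and focused-exclusion recommendations above: it parses constructed process-creation records, recognises launches of the RMM tools named in this advisory, and alerts only when a tool appears on a host outside its approved allow-list, flagging script-spawned launches separately. The executable-name fragments, host allow-list and sample records are all assumptions.

```python
import re

# Assumed lowercase fragments of RMM executable names (illustrative; real file
# names vary by product version and installer).
RMM_PATTERNS = [("anydesk", "AnyDesk"), ("screenconnect", "ConnectWise ScreenConnect"),
                ("meshagent", "MeshAgent"), ("ateraagent", "Atera"), ("simplehelp", "SimpleHelp")]

# Focused exclusion (constructed policy): each tool is expected only on these hosts.
# A blanket "trust the file name" rule would miss the unapproved launches below.
APPROVED_HOSTS = {"AnyDesk": {"helpdesk-01"}, "ConnectWise ScreenConnect": {"it-jump-01"}}

SCRIPT_PARENTS = {"powershell.exe", "cmd.exe"}  # parents that suggest scripted deployment

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    "2024-05-01T10:02:11Z host=helpdesk-01 user=CORP\\svc_rmm image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe parent=services.exe",
    "2024-05-01T10:05:43Z host=fileserver-02 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe parent=powershell.exe",
    "2024-05-01T10:06:02Z host=web-dmz-03 image=C:\\Windows\\Temp\\MeshAgent.exe parent=cmd.exe user=NT AUTHORITY\\SYSTEM",
    "2024-05-01T10:07:30Z host=it-jump-01 user=CORP\\admin image=C:\\Program Files\\ScreenConnect Client (PLACEHOLDER)\\ScreenConnect.ClientService.exe parent=services.exe",
    "2024-05-01T10:08:00Z host=ws-117 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

def parse_event(line):
    """Split 'key=value' fields; values may contain spaces, so stop before the next ' key='."""
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def identify_rmm(image_path):
    """Return the RMM product name when the executable's base name matches a known fragment."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    return next((tool for frag, tool in RMM_PATTERNS if frag in name), None)

def evaluate(events):
    """Return (timestamp, host, tool, reason) for every RMM launch outside the allow-list."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        tool = identify_rmm(ev.get("image", ""))
        host = ev.get("host", "?")
        if tool is None or host in APPROVED_HOSTS.get(tool, set()):
            continue  # not an RMM tool, or an approved host for this specific tool
        reason = f"{tool} launched on unapproved host {host}"
        if ev.get("parent", "").lower() in SCRIPT_PARENTS:
            reason += f", spawned by {ev['parent']} (consistent with scripted deployment)"
        alerts.append((ev["ts"], host, tool, reason))
    return alerts
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts (the temp-folder AnyDesk on fileserver-02 and MeshAgent on web-dmz-03) while the two approved launches stay silent, which is the difference between a per-host exclusion and a global whitelist of the file name.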

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.