Fast‑Moving Storm‑1175 Weaponizes New Vulnerabilities to Deploy Medusa Ransomware Across Healthcare, Finance, and Education
What Happened – China‑based ransomware group Storm‑1175 is rapidly exploiting freshly disclosed CVEs, along with older ones that remain unpatched (e.g., CVE‑2026‑1731, CVE‑2023‑21529, CVE‑2024‑1709), to gain initial access to web‑facing systems and, within 24 hours of that first foothold, install the Medusa ransomware payload. The campaign targets unpatched Windows and Linux environments in healthcare, education, finance and professional services across the US, UK and Australia.
Why It Matters for TPRM –
- The group’s “zero‑day‑to‑ransomware” speed outpaces typical monthly or quarterly patch‑management cycles, leaving third‑party vendors that run legacy builds or defer updates exposed for the whole interval.
- Multiple widely deployed platforms (Microsoft Exchange, Ivanti, ConnectWise, JetBrains, etc.) are repeatedly targeted, so a single unpatched vendor instance can become the entry point for that vendor’s entire customer base.
- Rapid credential theft and lateral movement amplify data‑exfiltration risk, potentially impacting downstream partners.
Who Is Affected – Healthcare providers, universities, financial institutions, and managed service providers that host or integrate the listed vulnerable products.
Recommended Actions –
- Verify that all third‑party vendors have applied patches for the CVEs listed above within 24 hours of release; where a vendor cannot patch that quickly, confirm the affected service has been removed from direct internet exposure (VPN, allow‑listing or a WAF rule) until it is.
- Conduct accelerated vulnerability scanning of web‑facing assets and enforce strict patch timelines for critical exposures.
- Review remote‑access and credential‑management controls, and audit web tiers and domain controllers for newly created accounts or web‑shell activity in the period since the CVEs were published.
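One way to operationalize the last action above (checking for web‑shell activity and newly created accounts together rather than separately), as an added example that is not part of this advisory or of the Security Affairs reporting: the script below treats any script URI that first appears on a web tier after a known‑good baseline and then receives POST requests as a web‑shell candidate, and pairs it with Windows Security event 4720 (“A user account was created”) raised within 24 hours of the candidate’s first request. The IIS W3C log lines, the event records, the paths, IP addresses, account names and the baseline date are all constructed for illustration; the `#Fields:` header drives the parser, so real logs with more columns parse the same way.

```python
"""Correlate suspicious script URIs on a web tier with new local/domain accounts.

Added example (not from the advisory). Inputs assumed:
  - IIS W3C extended log text with a '#Fields:' header (constructed sample below)
  - Windows Security events as dicts with EventID, TimeCreated, TargetUserName,
    SubjectUserName (constructed sample below; 4720 = account created)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Script extensions whose sudden appearance on a web tier deserves a look.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# End of the known-good period: URIs first seen before this are treated as baseline (assumption).
BASELINE_END = datetime(2024, 2, 28)

# Constructed IIS log excerpt (not real traffic). IIS writes user agents with '+' for spaces.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-02-15 12:00:00 GET /owa/auth/logon.aspx - 443 203.0.113.10 Mozilla/5.0 200
2024-03-01 07:55:02 GET /owa/auth/logon.aspx - 443 203.0.113.10 Mozilla/5.0 200
2024-03-01 07:58:40 POST /owa/auth/logon.aspx - 443 203.0.113.10 Mozilla/5.0 302
2024-03-01 08:03:11 POST /uploads/cmd.aspx - 443 198.51.100.7 python-requests/2.31 200
2024-03-01 08:03:15 POST /uploads/cmd.aspx cmd=whoami 443 198.51.100.7 python-requests/2.31 200
2024-03-01 08:10:00 GET /static/logo.png - 443 203.0.113.10 Mozilla/5.0 200
2024-03-01 08:41:09 POST /uploads/cmd.aspx cmd=net+user 443 198.51.100.7 python-requests/2.31 200
"""

# Constructed Security events exported from the Security log (not real data).
SECURITY_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T07:50:00", "TargetUserName": "jdoe", "SubjectUserName": "-"},
    {"EventID": 4720, "TimeCreated": "2024-03-01T08:42:30", "TargetUserName": "svc_backup", "SubjectUserName": "WEB01$"},
    {"EventID": 4720, "TimeCreated": "2024-02-20T09:00:00", "TargetUserName": "intern02", "SubjectUserName": "helpdesk"},
]


def parse_iis(text):
    """Parse W3C lines using the #Fields header; each row gets a datetime under 'ts'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or malformed row: skip rather than guess columns
        row = dict(zip(fields, parts))
        row["ts"] = datetime.fromisoformat(row["date"] + "T" + row["time"])
        rows.append(row)
    return rows


def find_webshell_candidates(rows, baseline_end):
    """Script URIs first seen after the baseline and receiving POSTs are web-shell candidates."""
    stats = defaultdict(lambda: {"first_seen": None, "posts": 0, "clients": set()})
    for r in rows:
        uri = r["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXT):
            continue
        s = stats[uri]
        s["first_seen"] = r["ts"] if s["first_seen"] is None else min(s["first_seen"], r["ts"])
        if r["cs-method"] == "POST":
            s["posts"] += 1
            s["clients"].add(r["c-ip"])
    # Known URIs (seen before the baseline) and GET-only URIs drop out here.
    return {u: s for u, s in stats.items() if s["first_seen"] > baseline_end and s["posts"] > 0}


def correlate_new_accounts(candidates, events, hours=24):
    """Pair each candidate with accounts created within `hours` after its first request."""
    findings = []
    for uri, s in candidates.items():
        window_end = s["first_seen"] + timedelta(hours=hours)
        for e in events:
            if e["EventID"] != 4720:
                continue
            created = datetime.fromisoformat(e["TimeCreated"])
            if s["first_seen"] <= created <= window_end:
                findings.append({"uri": uri, "client_ips": sorted(s["clients"]),
                                 "new_account": e["TargetUserName"],
                                 "created_by": e["SubjectUserName"], "created_at": created})
    return findings


def run(baseline_end=BASELINE_END, hours=24):
    """End-to-end triage over the constructed samples; returns the correlated findings."""
    candidates = find_webshell_candidates(parse_iis(IIS_LOG), baseline_end)
    return correlate_new_accounts(candidates, SECURITY_EVENTS, hours)


if __name__ == "__main__":
    for f in run():
        print(f"{f['uri']} POSTed from {f['client_ips']}; account {f['new_account']} "
              f"created by {f['created_by']} at {f['created_at']:%Y-%m-%d %H:%M}")
```

On the sample, `/owa/auth/logon.aspx` is excluded because it was already in the logs before the baseline even though it receives a POST, `/static/logo.png` is not a script, and `/uploads/cmd.aspx` is flagged and then escalated because `svc_backup` is created by the web server's own machine account 39 minutes after the first request to it. In practice, feed the parser logs that span a known‑good period so the baseline is real, and treat a hit as a lead for forensic review, not proof of compromise.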
Technical Notes – Attack vector: exploitation of newly disclosed vulnerabilities (CVE‑2023‑21529, CVE‑2024‑1709, etc.) leading to remote code execution, followed by credential theft, web‑shell deployment and Medusa ransomware payload delivery. Affected data includes patient records, student information, financial transaction logs, and proprietary business data. Source: Security Affairs