The people behind Storm-1175 are stepping up their attacks with quick campaigns meant to spread the Medusa ransomware. This makes it hard for businesses to fix important security holes in time.
Microsoft says that this group is responsible for taking advantage of a number of zero-day vulnerabilities. The tech giant said that the speed of these attacks shows how threat actors are getting better at taking advantage of weaknesses before patches are available. The most recent case involves a serious flaw in SmarterMail that lets people bypass authentication. This flaw has been used by several threat actors, including members of the China-based Storm-2603 group.
Ransomware attacks have already targeted GoAnywhere's Managed File Transfer (MFT) License Servlet.
Microsoft said that the use of N-days and zero-days shows how the threat landscape is changing and how traditional patching methods may not be enough. The attackers changed configuration entries in the Windows Registry so that Medusa payloads could run. Microsoft pointed out that this kind of tampering requires obtaining high-level credentials first, which makes the early part of Storm-1175's attack chain very important.
Microsoft told businesses to keep their web-facing systems separate from the public internet and protect any servers that need outside access with Web Application Firewalls, proxies, or Demilitarized Zones (DMZs). The company also told customers to turn on Windows' Credential Guard feature, which protects credentials that are stored in process memory.
The company told customers to turn on Windows Defender Antivirus' tamper protection for all tenants and use the "DisableLocalAdminMerge" setting. This setting stops attackers from using local administrator rights to remove antivirus exclusions. It is very important to give priority to alerts about credential theft activity, which usually means that an attacker is already in the environment.
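A quick way for a defender to check whether a host already follows these recommendations, as an added example that is not from the article or from Microsoft: the script below reads the state of Credential Guard, Defender tamper protection and DisableLocalAdminMerge and reports only; it assumes a Windows 10/11 or Windows Server host with Defender Antivirus, an elevated PowerShell session, and that the policy value lives under the assumed registry path shown in the comments.

```powershell
# Added example, not the article's or Microsoft's code. Audits a host for the three
# hardening settings the article recommends. Read-only; run in an elevated PowerShell.

function Test-StormMitigations {
    $results = [ordered]@{}

    # 1. Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it runs.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $results['CredentialGuardRunning'] = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # 2. Defender tamper protection, reported by Get-MpComputerStatus.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $results['TamperProtection'] = [bool]$status.IsTamperProtected

    # 3. DisableLocalAdminMerge: effective preference as Defender sees it.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $results['DisableLocalAdminMerge'] = [bool]$pref.DisableLocalAdminMerge

    # Policy-side copy of the same setting (assumed registry path for the Defender policy).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = Get-ItemProperty -Path $policyPath -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue
    $results['DisableLocalAdminMergePolicy'] = ($null -ne $policy) -and ($policy.DisableLocalAdminMerge -eq 1)

    # Current path exclusions are worth reviewing: an unexpected one can hide a payload.
    $results['ExclusionPaths'] = @($pref.ExclusionPath)

    [pscustomobject]$results
}

$audit = Test-StormMitigations
$audit | Format-List

foreach ($check in 'CredentialGuardRunning', 'TamperProtection', 'DisableLocalAdminMerge') {
    if (-not $audit.$check) {
        Write-Warning "$check is not enabled on this host; review the recommendations above."
    }
}
```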