Microsoft Links GoAnywhere Zero-Day Exploits to Storm-1175 Ransomware Group

Source: CyberScoop

In September 2024, Microsoft reported that Storm-1175 used CVE-2025-10035, a maximum-severity zero-day vulnerability in GoAnywhere MFT, to launch multi-stage attacks that culminated in ransomware. The intrusions involved installing remote monitoring and management tools, deploying web shells, moving laterally with built-in Windows utilities, and stealing data with Rclone before deploying Medusa ransomware. This activity was observed before Fortra’s public disclosure and patch release, giving the attackers a significant head start.

Multiple cybersecurity firms and federal agencies confirmed active exploitation and added CVE-2025-10035 to their known exploited vulnerability catalogs. The attacks targeted industries including transportation, education, retail, insurance, and manufacturing. Although the number of affected organizations is unclear, the situation echoes a similar large-scale compromise two years earlier caused by another GoAnywhere vulnerability. Fortra’s lack of transparency about the root cause and detailed indicators of compromise remains a concern for customers and the wider security community.

Storm-1175’s tactics exemplify the growing trend of blending legitimate administrative tools with stealthy techniques for ransomware operations and data exfiltration. This underscores the need for organizations running GoAnywhere MFT to remain vigilant and apply patches promptly. Fortra’s continued silence highlights the critical need for vendor accountability and transparency during active exploitation incidents in order to protect users and critical infrastructure.

👉 Read the original: CyberScoop