A threat actor known as Storm-1175 is actively exploiting a critical vulnerability in Fortra's GoAnywhere MFT secure file transfer tool. The flaw, CVE-2025-10035, is a deserialization issue that allows remote code execution without user interaction. Microsoft confirmed the group has been using this vulnerability since at least September 11 to deploy Medusa ransomware.
After gaining initial access, the attackers use remote monitoring and management tools such as SimpleHelp for persistence. They then conduct network reconnaissance, move laterally over Remote Desktop, and exfiltrate data with tools such as Rclone before launching the ransomware. The campaign continues Medusa's history of targeting critical infrastructure; the group has impacted over 300 U.S. organizations.
Fortra patched the vulnerability on September 18, but researchers had evidence of it being exploited as a zero-day since September 10. With hundreds of instances still exposed online, administrators are urged to upgrade immediately and inspect logs for "SignedObject.getObject" errors to check for compromise.
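The log check recommended above can be scripted. The following is an added example written for this summary, not code from the article or from Fortra: it scans GoAnywhere log text for lines containing the "SignedObject.getObject" string and reports each hit with its timestamp and level. The `<timestamp> <LEVEL> <message>` line layout, the `scan_lines`/`scan_file`/`first_timestamp` helpers and the sample log excerpt are all assumptions constructed for the example; adapt the regex to the real format of your log files.

```python
"""Scan GoAnywhere MFT log text for "SignedObject.getObject" errors.

Added example, not from the original article or from Fortra. The log line
layout and the sample excerpt below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator named in the summary: an error mentioning SignedObject.getObject.
INDICATOR = "SignedObject.getObject"

# Assumed (hypothetical) line layout: "<date> <time> <LEVEL> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")


@dataclass
class Finding:
    line_no: int
    timestamp: str   # "?" when the line did not match the assumed layout
    level: str       # "?" when the line did not match the assumed layout
    message: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line that contains the indicator.

    Lines that do not match the assumed layout (e.g. stack-trace
    continuation lines starting with a tab) are still checked, so a hit
    buried in a trace is reported rather than silently skipped.
    """
    findings: List[Finding] = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if INDICATOR not in line:
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(n, m["ts"], m["level"], m["msg"]))
        else:
            findings.append(Finding(n, "?", "?", line.strip()))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a log file on disk (read with replacement so odd bytes cannot abort the scan)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


def first_timestamp(findings: List[Finding]) -> Optional[str]:
    """Earliest parsed timestamp among the hits, useful for comparing the
    first sign of exploitation against the date the patch was applied.
    ISO-style 'YYYY-MM-DD HH:MM:SS' strings sort correctly as plain text."""
    stamps = [f.timestamp for f in findings if f.timestamp != "?"]
    return min(stamps) if stamps else None


# Constructed sample log excerpt (not real GoAnywhere output).
SAMPLE_LOG = """\
2025-09-12 03:14:07 INFO  User admin logged in from 10.0.0.5
2025-09-12 03:14:09 ERROR java.lang.ClassCastException at SignedObject.getObject
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:183)
2025-09-12 03:15:00 INFO  Scheduled job completed
2025-09-13 11:02:44 ERROR Unhandled exception in SignedObject.getObject
"""


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG.splitlines(keepends=True))
    for f in hits:
        print(f"line {f.line_no}: [{f.level}] {f.timestamp} {f.message}")
    print("earliest hit:", first_timestamp(hits))
```

Run it against the real log directory with `scan_file` and treat any hit as a reason to investigate the host, since the error is described as a sign of exploitation rather than of benign operation.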
