
Features 17.10.2025
AI Autopsy: A New GoAnywhere Campaign Delivers Medusa Ransomware
It’s 2023 all over again as Fortra’s file transfer software is targeted.
On September 18, Fortra released a patch for a maximum severity vulnerability in its GoAnywhere managed file transfer (MFT) tool. Tracked as CVE-2025-10035 and handed a maximum CVSS score of 10, the vulnerability can be exploited remotely in attacks without any user interaction.
Fortra’s initial advisory did not mention any active attacks. But it soon became clear that a group dubbed Storm-1175 had been exploiting the bug as a zero-day for nearly a month, in Medusa ransomware attacks. Seasoned CISOs may be forgiven for feeling a sense of déjà vu from a 2023 campaign targeting the same software. But there are a few differences worth noting and learning from.
In February 2023, Fortra fixed a remote code execution (RCE) vulnerability tracked as CVE-2023-0669 that was already being exploited in attacks. These were linked to another prolific adversary, the Cl0p cybercrime outfit, with victims appearing on the group’s Tor-based leak site, including cybersecurity firm Rubrik, Procter & Gamble and the UK’s Pension Protection Fund.
Although both campaigns used zero-day exploits, Cl0p’s overall approach was different, Bruce Jenkins, CISO at Black Duck, tells Assured Intelligence.
“Cl0p focused on mass data theft and extortion, breaching over 130 organisations and threatening to publish stolen data unless ransoms were paid,” he says. “Unlike Storm-1175, Cl0p did not deploy ransomware in these attacks – the goal was to monetise stolen information, rather than disrupt operations.”
In fact, Cl0p used the same MO in campaigns targeting Progress Software’s and Accellion File Transfer Appliance installations in 2020/2021. While Cl0p’s operations were a “smash-and-grab” focused on data, Storm-1175 “pursued full network compromise, deploying ransomware and leveraging legitimate admin tools to evade detection”, Jenkins explains.
CVE-2025-10035 is a critical deserialisation flaw in the License Servlet of GoAnywhere MFT’s admin console, affecting versions up to v7.8.3. It enables an attacker to bypass signature verification by crafting a forged license response signature. This “allows the deserialisation of arbitrary, attacker-controlled objects” and could lead to command injection and RCE, according to Microsoft Threat Intelligence.
“Public reports indicate that exploitation does not require authentication if the attacker can craft or intercept valid license responses, making this vulnerability particularly dangerous for internet-exposed instances,” Microsoft says. This is amplified by the fact that, after successful exploitation, attackers could “perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware.”
Assured Intelligence approached Fortra for further comment, but was directed to the firm’s analysis of the campaign. The vendor outlines key indicators of compromise (IoCs) that firms can look for in admin audit logs, such as unknown or new admin users. “Search log files in the ‘userdata/logs/’ directory for errors containing SignedObject.getObject: If this string is present in an exception stack trace, then the instance may have been affected by this vulnerability,” Fortra says.
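The log check Fortra describes is easy to automate. The script below is an added example written for this article, not Fortra’s or Microsoft’s code: it walks the log files under a directory such as ‘userdata/logs/’ and reports only those stack traces that contain the SignedObject.getObject string, ignoring mentions of the string outside an exception trace. The sample log text, the com.example package name and the assumption that GoAnywhere logs use Java-style “at …” stack frames are constructed for this example.

```python
"""Scan GoAnywhere MFT log text for the SignedObject.getObject indicator.

Fortra's advisory says an exception stack trace containing the string
'SignedObject.getObject' in files under 'userdata/logs/' means the instance
may have been affected by CVE-2025-10035. Log layout and sample lines below
are CONSTRUCTED for this example and are not taken from a real installation.
"""
import re
from pathlib import Path

IOC_STRING = "SignedObject.getObject"
# Java stack frame, e.g. "\tat java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:123)"
FRAME_RE = re.compile(r"^\s+at\s+[\w.$<>/]+\(")


def _is_trace_continuation(line):
    """True for lines that belong to an ongoing Java stack trace."""
    return bool(FRAME_RE.match(line)) or line.startswith("Caused by:") or line.strip().startswith("...")


def find_ioc_hits(log_text):
    """Return [(line_number, exception_head), ...] for every exception stack
    trace in `log_text` that contains the IoC string. Only occurrences inside
    a stack trace count; the string appearing in an ordinary message does not."""
    hits = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        # A stack trace starts with a non-frame line followed by at least one frame.
        if i + 1 < len(lines) and FRAME_RE.match(lines[i + 1]) and not FRAME_RE.match(lines[i]):
            head = lines[i]
            block = [head]
            j = i + 1
            while j < len(lines) and _is_trace_continuation(lines[j]):
                block.append(lines[j])
                j += 1
            if any(IOC_STRING in line for line in block):
                hits.append((i + 1, head.strip()))   # 1-based line number of the exception head
            i = j
        else:
            i += 1
    return hits


def scan_log_dir(log_dir):
    """Scan every *.log file below `log_dir` (e.g. <install>/userdata/logs/).
    Returns {file_path: hits} for files with at least one hit."""
    results = {}
    for log_file in Path(log_dir).rglob("*.log"):
        hits = find_ioc_hits(log_file.read_text(errors="replace"))
        if hits:
            results[str(log_file)] = hits
    return results


# Constructed sample: an exception trace passing through SignedObject.getObject.
SAMPLE_LOG = """\
2025-09-10 02:14:07 INFO  LicenseServlet - processing license response
2025-09-10 02:14:08 ERROR LicenseServlet - unexpected error
java.lang.ClassCastException: cannot assign instance (constructed sample)
\tat java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:123)
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:180)
\tat com.example.LicenseResponse.verify(LicenseResponse.java:77)
2025-09-10 02:15:00 INFO  Scheduler - job complete
"""

# Constructed sample: the string mentioned in a plain message, not a trace.
BENIGN_LOG = """\
2025-09-10 08:00:00 INFO  Admin - searched logs for SignedObject.getObject, nothing found
"""

if __name__ == "__main__":
    for line_no, head in find_ioc_hits(SAMPLE_LOG):
        print(f"line {line_no}: {head}")
```

Running `scan_log_dir("userdata/logs")` from the GoAnywhere install directory gives a per-file list of suspicious traces; a non-empty result is a reason to treat the host as potentially compromised and move to the broader IoC review (new or unknown admin users) rather than proof of exploitation on its own.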
Storm-1175 has been using the GoAnywhere flaw in “a multi-stage attack”, according to Microsoft. To gain initial access, the attacker exploited the vulnerability and then maintained persistence by abusing the remote monitoring and management (RMM) tools SimpleHelp and MeshAgent.
“They dropped the RMM binaries directly under the GoAnywhere MFT process. In addition to these RMM payloads, the creation of .jsp files within the GoAnywhere MFT directories was observed, often at the same time as the dropped RMM tools,” Microsoft explains.
Storm-1175 executed user and system discovery commands and deployed tools such as Netscan for network discovery. Using mstsc.exe, the threat actor was able to move across systems within the compromised network. For command and control (C2), attackers utilised RMM tools to establish infrastructure and set up a Cloudflare tunnel for secure communication.
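One concrete detection opportunity in the chain above is the file-drop pattern Microsoft describes: .jsp files appearing inside GoAnywhere MFT directories at about the same time as SimpleHelp or MeshAgent binaries. The Python below is an added example for this article, not Microsoft’s or Fortra’s code. It triages a list of file-creation events (as an EDR or file-integrity tool might export them) and reports each suspicious drop under the install root, plus any .jsp and RMM drop that land within a short window of each other. The install root ‘/opt/goanywhere’, the 15-minute window, the sub-directory names and the sample events are all constructed assumptions.

```python
"""Triage file-creation events for the drop pattern reported in the
Storm-1175 campaign: .jsp files written into GoAnywhere MFT directories
around the same time as SimpleHelp / MeshAgent binaries.

ASSUMPTIONS (constructed for this example): install root '/opt/goanywhere',
the correlation window, the sub-directory names and the sample events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

GOANYWHERE_ROOT = "/opt/goanywhere"          # assumed install root
RMM_KEYWORDS = ("meshagent", "simplehelp")   # RMM tools named in the campaign
WINDOW = timedelta(minutes=15)               # assumed correlation window


@dataclass
class FileEvent:
    when: datetime
    path: str
    writer: str      # image name of the process that created the file


def classify(event):
    """Label one event as 'jsp', 'rmm' or None (not interesting).
    Only files under the GoAnywhere install root are considered."""
    p = event.path.lower()
    if not p.startswith(GOANYWHERE_ROOT.lower()):
        return None
    if p.endswith(".jsp"):
        return "jsp"
    if any(k in p for k in RMM_KEYWORDS):
        return "rmm"
    return None


def triage(events, window=WINDOW):
    """Return {'drops': [(label, path, writer)], 'pairs': [(jsp_path, rmm_path)]}.
    Every .jsp or RMM drop under the install root is listed in 'drops';
    a .jsp and an RMM binary created within `window` of each other form a pair."""
    labelled = [(ev, classify(ev)) for ev in events]
    labelled = [(ev, lbl) for ev, lbl in labelled if lbl is not None]

    drops = [(lbl, ev.path, ev.writer) for ev, lbl in labelled]
    jsps = [ev for ev, lbl in labelled if lbl == "jsp"]
    rmms = [ev for ev, lbl in labelled if lbl == "rmm"]
    pairs = [(j.path, r.path) for j in jsps for r in rmms if abs(j.when - r.when) <= window]
    return {"drops": drops, "pairs": pairs}


# Constructed sample events: one correlated drop, one log rotation, one unrelated file.
SAMPLE_EVENTS = [
    FileEvent(datetime(2025, 9, 11, 3, 2), "/opt/goanywhere/webapps/ROOT/x.jsp", "java"),
    FileEvent(datetime(2025, 9, 11, 3, 4), "/opt/goanywhere/tmp/MeshAgent", "java"),
    FileEvent(datetime(2025, 9, 11, 9, 30), "/opt/goanywhere/userdata/logs/goanywhere.log", "java"),
    FileEvent(datetime(2025, 9, 11, 10, 0), "/home/admin/notes.jsp", "vim"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for label, path, writer in result["drops"]:
        print(f"{label}: {path} (written by {writer})")
    for jsp_path, rmm_path in result["pairs"]:
        print(f"correlated within {WINDOW}: {jsp_path} + {rmm_path}")
```

The writer field is kept in the output because a .jsp or RMM binary written by the MFT server’s own Java process, rather than by a deployment tool or an interactive session, is the detail that turns a noisy file alert into an incident-response trigger.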
The attacks provide some valuable insight to inform CISOs’ defensive efforts in the future.
The time between a vulnerability being publicly disclosed and leveraged by malicious adversaries is rapidly reducing, says Sean Wright, head of application security at Featurespace. This means organisations need to ensure they apply security fixes promptly, especially for internet-facing infrastructure. “We are now talking about applying some of these updates in a matter of hours, as opposed to days,” he tells Assured Intelligence.
Speed makes all the difference, agrees Rob O’Connor, EMEA CISO at Insight. He advises treating the detection and remediation of vulnerabilities “as a race”, rather than a routine.
At the same time, firms can no longer solely rely on more traditional means of detecting vulnerabilities, such as vulnerability scanners, according to Featurespace’s Wright. “There is often a delay in these tools receiving information about new vulnerabilities, not to mention the time lag between scans.”
With this in mind, Wright recommends that companies subscribe to vendor security advisories. “This will allow them to get notifications about new updates as soon as possible,” he says.
Another valuable avenue is social media. “Any new attacks or high-profile vulnerabilities are communicated very quickly on social media, often with more speed than traditional media,” Wright claims.
Many firms still struggle to deploy patches in a timely fashion and may not have effective risk-based patch management processes in place.
A robust patching process is “a necessity”, says Wright. “This will allow required updates to be rolled out as quickly as possible, and at times out of ordinary business hours.”
Firms must ensure they can call on the appropriate team at any time of the day or night, and during weekends and holidays, Wright advises. “This is an important factor that organisations need to take into consideration – especially smaller firms who may not have an on-call rota.”
As zero-day flaws become more commonplace, firms need to know the tell-tale signs that they have already been hit by a breach. Curtis Simpson, CISO at Armis, highlights the importance of being aware of what’s going on in the technology stack.
“The Medusa affiliates behind this campaign didn’t rush to encryption,” he tells Assured Intelligence. “They spent time exploring, escalating privileges and exfiltrating data. These activities are noisy – but only if you’re monitoring effectively.”
The Storm-1175 exploitation of the GoAnywhere flaw shows how quickly attackers can exploit overlooked weak points, Insight’s O’Connor adds. “Orchestrate fine-tuned incident responses, review network segmentation, and establish immutable backups,” he says. “Test these regularly to boost operational resilience and limit impact.”
Being able to “absorb and act on threat intelligence” also helps, says Armis’ Simpson. Collaboration “remains a catalyst for meaningful change”, Insight’s O’Connor agrees. “By sharing best practices and threat intelligence across industries, CISOs can help to raise the collective security baseline through reducing response times, improving detection and reinforcing awareness,” he argues.
For CISOs, this means getting out and actively engaging with industry bodies, peers and customers – “discussing pain points, new findings, lessons learned and solutions”, O’Connor says.
The supply chain is another area to focus on, with CISOs urged to demand “ongoing, transparent dialogue” from vendors. “By discussing vulnerabilities and mitigation measures, both parties can take action before disaster strikes,” O’Connor concludes. “To achieve this, CISOs must hold vendors and internal teams accountable, requesting regular updates and transparency over potential risks.”