
Under Medusa’s Gaze: GoAnywhere Zero-Day Powers Ransomware Attacks


Executive Summary

A critical deserialization vulnerability in Fortra GoAnywhere MFT (CVE-2025-10035, with a CVSS score of 10.0) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 to gain unauthenticated remote code execution against internet-exposed Admin Consoles. Operators exploited the License Servlet (forged license response signatures that cause unsafe deserialization), dropped RMM tooling (SimpleHelp, MeshAgent), wrote .jsp web shells under GoAnywhere directories, performed discovery with netscan and native Windows commands, staged exfiltration with Rclone, and ultimately deployed Medusa ransomware. Fortra published fixes (GoAnywhere MFT 7.8.4, Sustain 7.6.3); defenders are urged to patch, hunt for the SignedObject.getObject stack trace, and apply the CISA/FBI/MS-ISAC guidance on Medusa TTPs.


Background on Medusa

Medusa is a Ransomware-as-a-Service (RaaS) operation active since 2021 and responsible for impacting hundreds of organizations across critical infrastructure and enterprise sectors. The March 12, 2025 joint CISA/FBI/MS-ISAC advisory (AA25-071A) documented Medusa’s core TTPs – living-off-the-land (LotL) tradecraft, account hijacking, credential harvesting, scheduled tasks, service creation, and use of legitimate remote management tooling – all techniques leveraged to avoid detection and maximize extortion impact. The recent GoAnywhere zero-day (CVE-2025-10035) provided an unauthenticated initial access vector that Storm-1175 turned into full-kill-chain Medusa incidents.


Vulnerability Details

CVE-ID: CVE-2025-10035
CVSS Score: 10.0 (Critical)
EPSS Score: 82.41%
Vulnerability Type: Deserialization of untrusted data in the License Servlet (forged license response signature allows deserialization of attacker-controlled objects).
CWE: CWE-502 (Deserialization of Untrusted Data); indications of command-injection conditions.
Affected Software: Fortra GoAnywhere Managed File Transfer before 7.6.3, and 7.7.0 up to (but not including) 7.8.4
Patched in: Upgrade to GoAnywhere MFT 7.8.4/Sustain 7.6.3; if immediate patching is impossible, isolate Admin Consoles from the internet, apply network access controls, and follow Fortra and Microsoft mitigation guidance.
Root Cause: The License Servlet accepts a signed license response object and deserializes it; if an attacker can craft a forged signature or otherwise cause a signed object to be processed, arbitrary object deserialization (and therefore code execution/command injection) can occur. This can be exploited remotely with low complexity and (in some configurations) without authentication.


Infection Method

Observed Storm-1175 / Medusa chains leveraging CVE-2025-10035:

  1. Initial Access – License Servlet Deserialization: Craft or replay a forged license response that passes signature checks, causing the License Servlet to call SignedObject.getObject (or similar) on attacker-controlled serialized data; deserialization leads to command injection / RCE in the GoAnywhere process. Hunts should search Admin logs for stack traces containing SignedObject.getObject.
  2. Drop & Execute Tools: Immediately drop binaries and artifacts under the GoAnywhere process tree – Microsoft observed RMM binaries (SimpleHelp, MeshAgent) being dropped and executed directly under the GoAnywhere process. .jsp files were also written to GoAnywhere web directories as web shells.
  3. Persistence & Remote Control: Use installed RMM (SimpleHelp, MeshAgent) to maintain remote control and create a stable C2 channel; operators also established a Cloudflare tunnel in some cases to forward persistent C2 traffic.
  4. Discovery & Lateral Movement: Run netscan for network discovery; execute native Windows discovery commands (whoami, hostname, tasklist, ipconfig /all, netstat -ano, systeminfo, sc query, net user, net localgroup, nltest /dclist, net share, net use, net group, driverquery, query user, etc.) and move laterally via mstsc.exe (Microsoft Remote Desktop). The CISA/AA25-071A advisory catalogs many of these exact commands and test cases.
  5. Credential Access & Privilege Escalation: Dump credentials via OS credential dumping techniques (LSASS memory via Mimikatz minidump), harvest cached credentials, and enable or modify accounts (e.g., create or enable local admin accounts via net user <name> /add and net localgroup Administrators <name> /add). CISA examples include net user, schtasks /create, registry modifications (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Terminal Services\fDenyTSConnections and DisableRestrictedAdmin), and firewall changes via netsh advfirewall.
  6. Data Staging & Exfiltration: Stage targeted files and use Rclone to exfiltrate data to attacker-controlled cloud storage; attackers also archive data before exfiltration. Microsoft observed Rclone usage in at least one victim.
  7. Ransomware Deployment: Deploy Medusa samples to encrypt endpoints and servers, then post extortion demands. This is the final impact stage observed in multiple incidents.

Malware Behavior and Capabilities

Medusa incidents tied to CVE-2025-10035/Storm-1175 exhibit:

  • Unauthenticated RCE: via License Servlet deserialization (SignedObject.getObject), giving arbitrary command execution.
  • RMM Abuse / C2: SimpleHelp and MeshAgent binaries installed; Cloudflare tunnels used for resilient C2.
  • Web Shells / JSPs: Creation of .jsp files in GoAnywhere directories for additional access and persistence.
  • Discovery & Lateral Movement: Use of netscan, mstsc.exe, and numerous native Windows commands (ipconfig /all, netstat -ano, systeminfo, sc query, nltest, net use, net share, etc.).
  • Credential Harvesting: LSASS dumping with Mimikatz (minidump technique) and other T1003 variants.
  • Exfiltration: Rclone used to copy staged datasets to cloud endpoints.
  • Encryption: Medusa binary execution that encrypts files and triggers extortion follow-up.

Techniques Include (MITRE ATT&CK Mapping)

(Explicit techniques/sub-techniques and concrete artifacts observed in reports and AA25-071A)

  • T1190 – Exploit Public-Facing Application: GoAnywhere License Servlet (CVE-2025-10035) deserialization exploit leading to RCE.
  • T1203 – Exploitation for Client Execution (Insecure Deserialization): SignedObject.getObject deserialization of attacker-controlled objects.
  • T1059.001 – PowerShell: Encoded PowerShell execution -enc -noni -nop -w hidden -ep bypass (CISA/AttackIQ test scenarios include Get-Host base64 example).
  • T1136.001 – Create Account: Local Account: net user <username> /add and net localgroup Administrators <username> /add to add local administrative users.
  • T1053.005 – Scheduled Task/Job: schtasks usage to create persistence tasks.
  • T1112 – Modify Registry / T1562.001 – Impair Defenses: Registry keys such as HKLM\SYSTEM\CurrentControlSet\Control\Terminal Services\fDenyTSConnections and DisableRestrictedAdmin modifications; netsh advfirewall to open ports.
  • T1003.001 – LSASS Memory: Dump LSASS via Mimikatz minidump technique to harvest credentials.
  • T1046 – Network Service Scanning: netscan use for host discovery.
  • T1021.001 – Remote Services: RDP: Use of mstsc.exe for lateral movement.
  • T1048 / T1570 – Exfiltration Over Alternative Protocols: Rclone uploading to cloud storage.
  • T1486 – Data Encrypted for Impact: Medusa ransomware encryption and extortion.

Visual: Medusa Attack Flow

[Attacker crafts forged license response – GoAnywhere License Servlet deserializes (SignedObject.getObject)]
– [RCE in GoAnywhere process]
– [Drop SimpleHelp / MeshAgent binaries + write .jsp web shells]
– [Install RMM; establish Cloudflare tunnel for persistent C2]
– [Run netscan; execute discovery commands (ipconfig /all, netstat -ano, systeminfo, sc query, whoami, nltest /dclist)]
– [Dump LSASS with Mimikatz; create local accounts (net user ...); create scheduled tasks (schtasks)]
– [Stage sensitive files; exfiltrate with Rclone]
– [Deploy Medusa ransomware – Encryption & Extortion]

(Each bracketed step above corresponds to concrete artifacts and commands observed in Microsoft, BleepingComputer, and the CISA AA25-071A advisory.)


IOCs (Indicators of Compromise)

Log / Application Indicators

  • SignedObject.getObject stack traces or errors in GoAnywhere Admin Console logs.
  • Creation timestamps or file paths for newly written .jsp files under GoAnywhere deployment directories.
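The two log/file indicators above can be checked with a short hunting script. The following Python is an added example, not code from Fortra, Microsoft or the CISA advisory: it flags SignedObject.getObject stack frames in GoAnywhere log text (noting whether a license-related line sits nearby, since the caller frames follow the callee in a Java stack trace) and lists .jsp files modified after a given time under the deployment root. The log excerpt, the com.example.license.LicenseServlet frame, the keyword "license" as a code-path hint, and the C:/GoAnywhere paths are constructed placeholders; the real log format, package names and install directory must be taken from your own deployment.

```python
"""Hunt for CVE-2025-10035 exploitation artifacts in GoAnywhere logs and web
directories. Added example; not Fortra's, Microsoft's or CISA's code. It assumes
GoAnywhere logs are plain text with Java stack-trace frames on their own lines,
and that web shells would land as .jsp files under the deployment root. The log
excerpt and file listing below are constructed for illustration."""
import os
import re
from typing import Iterable, Iterator

# The frame defenders are told to hunt for: the License Servlet calling
# SignedObject.getObject on attacker-controlled serialized data.
STACK_FRAME_RE = re.compile(r"java\.security\.SignedObject\.getObject")
# Assumption: frames/log lines on the license-handling code path mention "license".
LICENSE_HINT_RE = re.compile(r"license", re.IGNORECASE)
CONTEXT_LINES = 5


def hunt_log_lines(lines: Iterable[str]) -> list[dict]:
    """Return one hit per SignedObject.getObject frame.

    Each hit carries the 1-based line number, the frame text, and whether a
    license-related line appears within CONTEXT_LINES before or after it,
    which ties the deserialization to the License Servlet rather than to
    some other code path that also happens to verify signed objects.
    """
    text = [ln.rstrip("\n") for ln in lines]
    hits = []
    for i, line in enumerate(text):
        if not STACK_FRAME_RE.search(line):
            continue
        lo, hi = max(0, i - CONTEXT_LINES), min(len(text), i + CONTEXT_LINES + 1)
        context = [text[j] for j in range(lo, hi) if j != i]
        hits.append({
            "line": i + 1,
            "frame": line.strip(),
            "license_context": any(LICENSE_HINT_RE.search(c) for c in context),
        })
    return hits


def recent_jsp_files(entries: Iterable[tuple[str, float]], since_epoch: float) -> list[str]:
    """Filter (path, mtime) pairs down to .jsp files written at or after since_epoch.

    Works on pre-collected entries so it can run over a file listing exported
    from a host, or be fed by walk_tree() on a live system.
    """
    return sorted(p for p, mtime in entries
                  if p.lower().endswith(".jsp") and mtime >= since_epoch)


def walk_tree(root: str) -> Iterator[tuple[str, float]]:
    """Yield (path, mtime) for every file under root (live-host collector)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.path.getmtime(path)
            except OSError:
                continue


# Constructed log excerpt: the exception line, the SignedObject frame, and a
# placeholder caller frame (com.example.license.LicenseServlet is not a real class).
SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  License response received
2025-09-11 03:14:07 ERROR Unhandled exception in servlet
java.lang.ClassCastException: constructed example
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:180)
\tat com.example.license.LicenseServlet.doPost(LicenseServlet.java:42)
2025-09-11 03:20:00 INFO  Scheduled job completed
"""

# Constructed file listing (placeholder install path) with epoch mtimes.
SAMPLE_FILES = [
    ("C:/GoAnywhere/webapps/ROOT/shell.jsp", 1757560000.0),
    ("C:/GoAnywhere/webapps/ROOT/index.html", 1757560000.0),
    ("C:/GoAnywhere/webapps/ROOT/legacy.jsp", 1000.0),
]

if __name__ == "__main__":
    for hit in hunt_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['frame']} (license context: {hit['license_context']})")
    for path in recent_jsp_files(SAMPLE_FILES, since_epoch=1757000000.0):
        print("recent .jsp:", path)
```

On a live host, replace SAMPLE_LOG with the contents of the Admin Console and Tomcat/servlet logs and feed walk_tree() with the GoAnywhere deployment root; any hit with license context should be treated as a compromise indicator rather than a false positive to tune away.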

Files / Tools / Binaries Observed

  • RMM: SimpleHelp binary artifacts; MeshAgent agent binary – dropped under GoAnywhere process context.
  • Exfiltration tool: rclone usage/commandline artifacts (rclone copy/sync commands to cloud destination).
  • Recon: netscan execution logs.
  • Ransomware: Medusa encryption binaries and ransom notes.

Commands / Registry / Network

  • Evidence of commands: net user, net localgroup, schtasks /create, ipconfig /all, netstat -ano, systeminfo, sc query, mstsc.exe.
  • Registry keys modified: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Services\fDenyTSConnections and DisableRestrictedAdmin (as used in CISA test scenarios).

Threat Actor Attribution

Storm-1175 (Microsoft-tracked affiliate linked to Medusa ransomware) has been observed exploiting CVE-2025-10035 starting September 11, 2025, using the deserialization flaw for initial access, RMM tooling for persistence (SimpleHelp, MeshAgent), netscan for discovery, Cloudflare tunnels for C2, Rclone for exfiltration, and then Medusa for impact. The activity profile and tooling show opportunistic ransomware affiliates that weaponize high-severity internet-facing flaws quickly after disclosure/patch availability.


Mitigation Steps

Immediate (within hours):

  1. Patch: Upgrade GoAnywhere MFT to 7.8.4/Sustain 7.6.3 per Fortra advisory. If you cannot patch immediately, isolate the Admin Console from public internet (remove port 80/443 access, place behind VPN or management jump hosts).
  2. Hunt for SignedObject.getObject: Search GoAnywhere Admin logs and webserver logs for stack traces or SignedObject.getObject strings. If found, assume compromise and begin containment.

Containment & Forensics:

  3. Isolate impacted hosts: Segregate compromised MFT instances, collect memory (for LSASS dumps) and disk images, collect GoAnywhere logs (Admin, Tomcat/servlet logs), and preserve evidence.
  4. Identify RMM / Exfil tools: Detect and remove SimpleHelp and MeshAgent binaries; look for rclone process execution and cloud destination indicators; delete suspicious .jsp files.

Hunting & Detection (SIEM / EDR rules):

  5. EDR / AV in block mode: Enable EDR block mode and cloud-based ML protections; enable Microsoft Defender attack surface reduction rules (or equivalent) that block web shell creation and suspicious process behaviors.
  6. Detect commands/registry changes: Create detections for schtasks /create, net user with account creation, netsh advfirewall changes, LSASS minidump activity, mstsc.exe spawning from unexpected parents, netscan process executions, and outbound connections consistent with Cloudflare tunnels or rclone transfers. Use captured process parent/child trees to triage.

Network & Access Controls:

  7. Restrict Admin Console access: IP allowlist the Admin Console; enforce MFA for management access; require jump boxes/VPN for administrative operations.
  8. Egress filtering: Block unapproved outbound protocols and destinations from MFT servers; restrict access to cloud storage providers where possible; monitor large/abnormal outbound uploads.

Longer term / Policy:

  9. Harden identity & secrets: Rotate service account credentials used by MFT instances; enforce least privilege for service accounts; review scheduled tasks and services for persistence artifacts.
  10. Threat intel & reporting: Report confirmed compromises to law enforcement and coordinate with CISA/FBI/MS-ISAC; subscribe to vendor and government advisories for KEV timelines.
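The detections called for in step 6, together with the command artifacts listed under Infection Method and the ATT&CK mapping, can be written as rules over process-creation telemetry. The Python below is an added example and not Microsoft's or CISA's detection content. It assumes events from Sysmon Event ID 1 or an EDR equivalent have been normalised into dicts with image, command_line and parent_image keys, identifies the GoAnywhere process by the string "goanywhere" in the parent image path (an assumption to adjust to your install), treats explorer.exe as the only expected parent of mstsc.exe (also an assumption), and runs over constructed sample events. The RMM rule carries T1219 (Remote Access Software), which is not in the mapping section above.

```python
"""Process-creation detections for the Storm-1175 / Medusa post-exploitation
chain. Added example, not Microsoft's or CISA's rules. Assumes events from
Sysmon Event ID 1 or EDR telemetry normalised into dicts with 'image',
'command_line', 'parent_image' (and optionally 'parent_command_line').
The sample events at the bottom are constructed, not from a real incident."""
import re
from dataclasses import dataclass
from typing import Callable

# Assumption: the GoAnywhere service is identifiable by "goanywhere" in its
# parent image path or command line; adjust to the local installation.
GOANYWHERE_HINT = re.compile(r"goanywhere", re.IGNORECASE)
# Parents from which an interactive RDP client launch is expected (assumption).
EXPECTED_MSTSC_PARENTS = {"explorer.exe"}
RMM_IMAGES = ("simplehelp", "meshagent")


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                   # ATT&CK ID (from the mapping section unless noted)
    matches: Callable[[dict], bool]


def _base(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cl(ev: dict) -> str:
    return ev.get("command_line", "").lower()


def _img(ev: dict) -> str:
    return _base(ev.get("image", ""))


RULES = [
    Rule("child of GoAnywhere process", "T1190",
         lambda ev: bool(GOANYWHERE_HINT.search(
             ev.get("parent_image", "") + " " + ev.get("parent_command_line", "")))),
    Rule("encoded/hidden PowerShell", "T1059.001",
         lambda ev: _img(ev) in ("powershell.exe", "pwsh.exe")
         and any(f in _cl(ev) for f in (" -enc", " -ep bypass", " -w hidden", " -nop"))),
    Rule("local account creation or admin group change", "T1136.001",
         lambda ev: _img(ev) in ("net.exe", "net1.exe")
         and re.search(r"\b(user|localgroup)\b.*\s/add\b", _cl(ev)) is not None),
    Rule("scheduled task creation", "T1053.005",
         lambda ev: _img(ev) == "schtasks.exe" and "/create" in _cl(ev)),
    Rule("firewall change via netsh", "T1562.001",
         lambda ev: _img(ev) == "netsh.exe" and "advfirewall" in _cl(ev)),
    Rule("RDP/RestrictedAdmin registry change", "T1112",
         lambda ev: _img(ev) == "reg.exe"
         and any(k in _cl(ev) for k in ("fdenytsconnections", "disablerestrictedadmin"))),
    Rule("LSASS minidump activity", "T1003.001",
         lambda ev: "lsass" in _cl(ev) and any(k in _cl(ev) for k in ("minidump", "mimikatz"))),
    Rule("network scanner execution", "T1046",
         lambda ev: _img(ev).startswith("netscan")),
    Rule("RDP client from unexpected parent", "T1021.001",
         lambda ev: _img(ev) == "mstsc.exe"
         and _base(ev.get("parent_image", "")) not in EXPECTED_MSTSC_PARENTS),
    Rule("rclone transfer", "T1048",
         lambda ev: _img(ev) == "rclone.exe"
         and any(v in _cl(ev).split() for v in ("copy", "sync", "move"))),
    # T1219 (Remote Access Software) is not in the page's mapping section.
    Rule("RMM agent execution", "T1219",
         lambda ev: any(r in _img(ev) for r in RMM_IMAGES)),
]


def evaluate(events: list[dict]) -> list[tuple[str, str, int]]:
    """Apply every rule to every event; return (rule name, technique, event index)."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule.matches(ev):
                hits.append((rule.name, rule.technique, idx))
    return hits


# Constructed telemetry (placeholder paths and names), not from a real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe"},
    {"image": r"C:\Windows\System32\net.exe", "command_line": "net user svc_backup <password> /add",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /tn Updater /tr C:\t\a.exe /sc minute",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\mstsc.exe", "command_line": "mstsc.exe /v:10.0.0.5",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Tools\rclone.exe", "command_line": r"rclone copy D:\share remote:bucket",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},   # benign control event
]

if __name__ == "__main__":
    for name, technique, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{technique}] {name}: {SAMPLE_EVENTS[idx]['command_line']}")
```

The first rule is the highest-signal one for this campaign: on a correctly functioning MFT server the GoAnywhere service should not be spawning shells or RMM installers at all, so any child process under it deserves triage before the more generic command rules are even consulted.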


Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.