Ransomware Actor Deletes Data and Backups Post-Exfiltration on Azure

By Team-CWD, September 11, 2025
A threat actor has destroyed data and backups following exfiltration in a victim’s Microsoft Azure environment in a novel cloud-based ransomware attack.

Microsoft Threat Intelligence recently detailed the tactics deployed by the actor tracked as Storm-0501 in a blog published on August 27. Ultimately, by destroying both the data and its backups, the threat actor prevented the victim from remediating the attack by restoring from backup.

The group leveraged native cloud features and capabilities to rapidly exfiltrate large amounts of data from the victim environment to its own infrastructure. This enabled it to carry out an effective ransomware attack without relying on the traditional deployment of malware on-premises.

Storm-0501 is a financially motivated threat actor that has adapted its tactics on multiple occasions since it first emerged in 2021. This includes switching ransomware payloads several times, including the use of Embargo ransomware in 2024 attacks.

The group’s targeting is opportunistic and its victims include schools and healthcare organizations.

Microsoft previously reported in September 2024 that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.

Sherrod DeGrippo, director of Microsoft threat intelligence strategy, told Infosecurity that the campaign marks a significant evolution in ransomware techniques.

“We have previously seen threat actors targeting hybrid on-prem and cloud environments. In the case of Storm-0501, the threat actor is exfiltrating data, deleting backups, and encrypting data before demanding ransom. This, combined with the threat actor’s focus on obtaining persistent access shows a significant evolution for the ransomware landscape as a whole,” she commented.

“This technique is likely to be adopted by other threat actors on a broader basis,” DeGrippo added.

Storm-0501 Pivots to the Cloud

In the recent campaign, Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain.

Post-compromise activity impacted two tenants, with the second ultimately providing access to the organization's valuable data stores that resided in Azure.

The attackers looked to pivot from on-premises to the cloud in both tenants.

The attacker achieved domain administrator privileges in the first tenant and deployed the post-exploitation tool Evil-WinRM to facilitate lateral movement.

The threat actor also compromised an Entra Connect Sync server, which served as a pivot point for lateral movement.

Additionally, Storm-0501 performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts.

The Entra Connect Sync Directory Synchronization Account (DSA) was used to enumerate users, roles and Azure resources within the tenant.

Shortly after, Storm-0501 unsuccessfully attempted to sign in as several privileged users, likely blocked by conditional access policies and multifactor authentication (MFA).

The actor then turned its attention to the second tenant. This process began by traversing between Active Directory domains, eventually compromising a second Entra Connect server associated with a different Entra ID tenant.

The threat actor extracted the Directory Synchronization Account to repeat the reconnaissance process, this time targeting identities and resources in the second tenant.

The attacker identified a non-human synced identity that had been assigned the Global Administrator role in Microsoft Entra ID. This account had no registered MFA method, so the attacker reset the user's on-premises password, which shortly afterwards was legitimately synced to the user's cloud identity by the Entra Connect Sync service.

This allowed the threat actor to authenticate against Entra ID as that user with the new password and to register a new MFA method under its own control.

At this stage, the attacker worked to access the organization's Azure portal via the compromised Global Administrator account.

This process involved lateral movement between different devices in the network until a successful sign-in to the portal was achieved.

“From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud,” the researchers noted.

Following successful authentication, the threat actor created a backdoor using a maliciously added federated domain, enabling them to sign in as almost any user.

Data Exfiltration and Deletion in Azure

Microsoft found that Storm-0501 assigned itself the Azure Owner role over all available Azure subscriptions by invoking the Microsoft.Authorization/roleAssignments/write operation.

From this point, the actor undertook a series of operations that led to data exfiltration and deletion. This included a comprehensive discovery phase to locate the organization’s critical assets, including data stores that contained sensitive information.

The group also abused the Azure Owner role to steal the access keys for Azure Storage accounts that had key access enabled.

With the access keys to the Azure Storage accounts in hand, the actor exfiltrated the data held in those accounts to its own infrastructure by abusing the AzCopy command-line tool (CLI).

Once the exfiltration phase was completed, Storm-0501 initiated the mass-deletion of the Azure resources containing the victim organization data, using multiple Azure resource providers. This action prevented the victim from being able to restore the data.

For resources that remained protected from deletion by immutability policies, the group resorted instead to cloud-based encryption.

Finally, Storm-0501 contacted the victim via Microsoft Teams using a compromised user to initiate its extortion demands.

How to Defend Against Cloud-Based Ransomware Tactics

Microsoft provided specific recommendations for security teams to protect against the tactics employed by Storm-0501 in this incident. These include:

  • Enable Azure blob backup to protect from accidental or malicious deletions of blobs or storage accounts
  • Apply the principle of least privilege when authorizing access to blob data in Azure Storage
  • Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes
  • Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines
  • Investigate on-premises and hybrid Microsoft Security Exposure Management attack paths
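As an added defender's example (it is not from the Microsoft report or this article), the script below runs a simple triage over constructed, simplified Azure Activity Log records and flags the three control-plane actions the article describes: an Owner role assignment at subscription scope, storage account key listing, and a burst of resource deletions by one caller. The field names (`ts`, `caller`, `op`, `resource`, `role`), callers and resource paths are assumed and constructed; the operation names and the Owner role GUID are the real Azure ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # GUID of the built-in Azure Owner role

# Constructed sample records (simplified Activity Log fields, not real telemetry).
EVENTS = [
    {"ts": "2025-08-01T10:00:00", "caller": "sync-admin@corp.example",
     "op": "Microsoft.Authorization/roleAssignments/write",
     "resource": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/ra-1",
     "role": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/" + OWNER_ROLE_ID},
    {"ts": "2025-08-01T10:05:00", "caller": "sync-admin@corp.example",
     "op": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resource": "/subscriptions/sub-1/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/fin01"},
] + [  # six storage account deletions one minute apart from the same caller
    {"ts": f"2025-08-01T11:{m:02d}:00", "caller": "sync-admin@corp.example",
     "op": "Microsoft.Storage/storageAccounts/delete",
     "resource": f"/subscriptions/sub-1/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/acct{m}"}
    for m in range(6)
]


def is_subscription_scope(resource_id: str) -> bool:
    """True when a role assignment's scope is the whole subscription (no resource group segment)."""
    return "/resourceGroups/" not in resource_id


def analyze(events, window=timedelta(minutes=10), delete_threshold=5):
    """Return (rule, caller, detail) findings for the three patterns described in the article."""
    findings, deletes = [], defaultdict(list)  # deletes: caller -> timestamps of /delete ops
    for e in sorted(events, key=lambda e: e["ts"]):
        op, ts = e["op"], datetime.fromisoformat(e["ts"])
        if (op == "Microsoft.Authorization/roleAssignments/write"
                and is_subscription_scope(e["resource"])
                and e.get("role", "").lower().endswith(OWNER_ROLE_ID)):
            findings.append(("OWNER_AT_SUBSCRIPTION_SCOPE", e["caller"], e["resource"]))
        elif op == "Microsoft.Storage/storageAccounts/listKeys/action":
            findings.append(("STORAGE_KEY_LISTED", e["caller"], e["resource"]))
        elif op.endswith("/delete"):
            deletes[e["caller"]].append(ts)
    for caller, stamps in deletes.items():  # sliding window over this caller's sorted deletions
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= delete_threshold:
                findings.append(("MASS_DELETE", caller, f"{end - start + 1} deletes within {window}"))
                break
    return findings
```

In practice the same three rules map directly onto the AzureActivity table in Log Analytics (OperationNameValue, Caller, ResourceId), where a sliding-window count per caller is the natural alert for the deletion stage.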

Image credit: DANIEL CONSTANTE / Shutterstock.com
