The financially motivated threat actor known as Storm-0501 has been observed refining its tactics to conduct data exfiltration and extortion attacks targeting cloud environments.
“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.
“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment.”
Storm-0501 was first documented by Microsoft almost a year ago, detailing its hybrid cloud ransomware attacks targeting government, manufacturing, transportation, and law enforcement sectors in the U.S., with the threat actors pivoting from on-premises to cloud for subsequent data exfiltration, credential theft, and ransomware deployment.
The Windows maker told The Hacker News the latest wave of attacks targeting is opportunistic and not sector-specific, and that multiple organizations including schools, healthcare, and other entities have been attacked by the e-crime crew.
Assessed to be active since 2021, the hacking group has evolved into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, such as Sabbath, Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo.
“Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows,” the company said. “They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals.”
Typical attack chains involve the threat actor abusing their initial access to achieve privilege escalation to a domain administrator, followed by on-premises lateral movement and reconnaissance steps that allow the attackers to breach the target’s cloud environment, thereby initiating a multi-stage sequence involving persistence, privilege escalation, data exfiltration, encryption, and extortion.
Initial access, per Microsoft, is achieved through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, taking advantage of stolen, compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers.
“Access brokers typically sell or provide footholds into organizations, which ransomware operators then use to launch their attacks,” Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, said.
“In the past, Storm-0501 and its affiliates have exploited known remote code execution vulnerabilities in unpatched, internet-facing servers, including products like Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016. By targeting these vulnerabilities, threat actors can bypass perimeter defenses and establish a presence inside the network, setting the stage for further compromise and ransomware deployment.”
In a recent campaign targeting an unnamed large enterprise with multiple subsidiaries, Storm-0501 is said to have conducted reconnaissance before laterally moving across the network using Evil-WinRM. The attackers also carried out what’s called a DCSync Attack to extract credentials from Active Directory by simulating the behavior of a domain controller.
“Leveraging their foothold in the Active Directory environment, they traversed between Active Directory domains and eventually moved laterally to compromise a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain,” Microsoft said.
“The threat actor extracted the Directory Synchronization Account to repeat the reconnaissance process, this time targeting identities and resources in the second tenant.”
These efforts ultimately enabled Storm-0501 to identify a non-human synced identity with a Global Admin role in Microsoft Entra ID on that tenant, and lacking in multi-factor authentication (MFA) protections. This subsequently opened the door to a scenario where the attackers reset the user’s on-premises password, causing it to be synced to the cloud identity of that user using the Entra Connect Sync service.
Armed with the compromised Global Admin account, the digital intruders have been found to access the Azure Portal, registering a threat actor-owned Entra ID tenant as a trusted federated domain to create a backdoor, and then elevate their access to critical Azure resources, before setting the stage for data exfiltration and extortion.
“After completing the exfiltration phase, Storm-0501 initiated the mass-deletion of the Azure resources containing the victim organization data, preventing the victim from taking remediation and mitigation action by restoring the data,” Microsoft said.
“After successfully exfiltrating and destroying the data within the Azure environment, the threat actor initiated the extortion phase, where they contacted the victims using Microsoft Teams using one of the previously compromised users, demanding ransom.”
The company said it has enacted a change in Microsoft Entra ID that prevents threat actors from abusing Directory Synchronization Accounts to escalate privileges. It has also released updates to Microsoft Entra Connect (version 2.5.3.0) to support Modern Authentication to allow customers to configure application-based authentication for enhanced security.
“It is also important to enable Trusted Platform Module (TPM) on the Entra Connect Sync server to securely store sensitive credentials and cryptographic keys, mitigating Storm-0501’s credential extraction techniques,” the tech giant added.
(The story was updated after publication to include responses from Microsoft.)
