The financially motivated risk actor often called Storm-0501 has been noticed refining its techniques to conduct knowledge exfiltration and extortion assaults concentrating on cloud environments.
“Not like conventional on-premises ransomware, the place the risk actor usually deploys malware to encrypt essential recordsdata throughout endpoints inside the compromised community after which negotiates for a decryption key, cloud-based ransomware introduces a basic shift,” the Microsoft Menace Intelligence staff mentioned in a report shared with The Hacker Information.
“Leveraging cloud-native capabilities, Storm-0501 quickly exfiltrates massive volumes of knowledge, destroys knowledge and backups inside the sufferer surroundings, and calls for ransom — all with out counting on conventional malware deployment.”
Storm-0501 was first documented by Microsoft virtually a yr in the past, detailing its hybrid cloud ransomware assaults concentrating on authorities, manufacturing, transportation, and regulation enforcement sectors within the U.S., with the risk actors pivoting from on-premises to cloud for subsequent knowledge exfiltration, credential theft, and ransomware deployment.
Assessed to be energetic since 2021, the hacking group has developed right into a ransomware-as-a-service (RaaS) affiliate delivering numerous ransomware payloads over time, similar to Sabbath, Hive, BlackCat (ALPHV), Hunters Worldwide, LockBit, and Embargo.
“Storm-0501 has continued to exhibit proficiency in shifting between on-premises and cloud environments, exemplifying how risk actors adapt as hybrid cloud adoption grows,” the corporate mentioned. “They hunt for unmanaged units and safety gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some instances, traverse tenants in multi-tenant setups to attain their targets.”
Typical assault chains contain the risk actor abusing their preliminary entry to attain privilege escalation to a website administrator, adopted by on-premises lateral motion and reconnaissance steps that permit the attackers to breach the goal’s cloud surroundings, thereby initiating a multi-stage sequence involving persistence, privilege escalation, knowledge exfiltration, encryption, and extortion.
Preliminary entry, per Microsoft, is achieved by intrusions facilitated by entry brokers like Storm-0249 and Storm-0900, benefiting from stolen, compromised credentials to check in to the goal system, or exploiting numerous identified distant code execution vulnerabilities in unpatched public-facing servers.
In a latest marketing campaign concentrating on an unnamed massive enterprise with a number of subsidiaries, Storm-0501 is claimed to have carried out reconnaissance earlier than laterally shifting throughout the community utilizing Evil-WinRM. The attackers additionally carried out what’s referred to as a DCSync Assault to extract credentials from Lively Listing by simulating the conduct of a website controller.
“Leveraging their foothold within the Lively Listing surroundings, they traversed between Lively Listing domains and ultimately moved laterally to compromise a second Entra Join server related to a unique Entra ID tenant and Lively Listing area,” Microsoft mentioned.
“The risk actor extracted the Listing Synchronization Account to repeat the reconnaissance course of, this time concentrating on identities and sources within the second tenant.”
These efforts finally enabled Storm-0501 to establish a non-human synced id with a International Admin function in Microsoft Entra ID on that tenant, and missing in multi-factor authentication (MFA) protections. This subsequently opened the door to a state of affairs the place the attackers reset the consumer’s on-premises password, inflicting it to be synced to the cloud id of that consumer utilizing the Entra Join Sync service.
Armed with the compromised International Admin account, the digital intruders have been discovered to entry the Azure Portal, registering a risk actor-owned Entra ID tenant as a trusted federated area to create a backdoor, after which elevate their entry to essential Azure sources, earlier than setting the stage for knowledge exfiltration and extortion.
“After finishing the exfiltration part, Storm-0501 initiated the mass-deletion of the Azure sources containing the sufferer group knowledge, stopping the sufferer from taking remediation and mitigation motion by restoring the info,” Microsoft mentioned.
“After efficiently exfiltrating and destroying the info inside the Azure surroundings, the risk actor initiated the extortion part, the place they contacted the victims utilizing Microsoft Groups utilizing one of many beforehand compromised customers, demanding ransom.”
The corporate mentioned it has enacted a change in Microsoft Entra ID that stops risk actors from abusing Listing Synchronization Accounts to escalate privileges. It has additionally launched updates to Microsoft Entra Join (model 2.5.3.0) to assist Trendy Authentication to permit prospects to configure application-based authentication for enhanced safety.
“It’s also necessary to allow Trusted Platform Module (TPM) on the Entra Join Sync server to securely retailer delicate credentials and cryptographic keys, mitigating Storm-0501’s credential extraction methods,” the tech large added.
