A notorious hacker group is ramping up cloud-based ransomware attacks
In one attack, said Microsoft, the Storm-0501 group took advantage of protection and visibility gaps to pivot from on-premises to cloud


The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
According to the tech giant's analysis, Storm-0501 leverages cloud-native capabilities to exfiltrate large volumes of data, destroy data and backups within the victim environment, and demand ransom, all at speed and without relying on traditional malware deployment.
This time last year, Microsoft warned that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.
The group has been shown to compromise Active Directory environments before pivoting to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain Global Administrator privileges.
"Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows," said the Microsoft Threat Intelligence team.
"They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals."
How Storm-0501 operates
Microsoft gives the example of one recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries. Each operated its own Active Directory domain, all interconnected through domain trust relationships and enabling cross-domain authentication and resource access.
However, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license, creating visibility gaps across the environment.
Storm-0501 checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems, Microsoft said.
Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that utilizes PowerShell over Windows Remote Management (WinRM) for remote code execution.
Commands were executed over sessions initiated with Evil-WinRM, and discovery was carried out with common native Windows tools and commands such as quser.exe and net.exe.
Earlier in the attack, Storm-0501 had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint - and which Microsoft reckons was used as a pivot point, with the group establishing a tunnel to move laterally within the network.
It also carried out a DCSync attack, abusing the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller - allowing it to request password hashes for any user in the domain, including privileged accounts.
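The DCSync step above is one of the few parts of this chain that leaves a clean on-premises audit trail. The script below is an added example written for this article, not Microsoft's detection logic: it scans constructed Windows Security event 4662 records (which are only logged when directory service access auditing is enabled) for the well-known replication control access right GUIDs, and reports any requester that is neither a known domain controller nor an allow-listed synchronization account. The Entra Connect AD DS connector account legitimately holds these replication rights for password hash sync, which is why it must be allow-listed here and also why a compromised Entra Connect server is such a useful pivot for an attacker. All event data, account names and the `detect_dcsync` helper are assumptions of this example.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662 records.

Added example for this article, not Microsoft's detection logic; the events
below are constructed. Event 4662 lists, in its Properties field, the control
access right GUIDs that were requested. Replication by domain controller machine
accounts is normal, as is replication by an allow-listed sync account such as
the Entra Connect AD DS connector account; anything else is reported.
"""
from dataclasses import dataclass

# Well-known Active Directory control access right GUIDs for replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS_MASK = "0x100"  # ADS_RIGHT_DS_CONTROL_ACCESS


@dataclass
class Finding:
    subject: str   # DOMAIN\account that requested replication
    rights: list   # replication rights named in the event
    reason: str    # why the request is suspicious


def replication_rights_in(properties: str) -> list:
    """Return the replication right names whose GUIDs appear in the Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, dc_names, allowlisted_accounts):
    """Return a Finding for each 4662 event requesting replication rights from an
    account that is neither a known domain controller nor an allow-listed sync account."""
    dcs = {n.upper() for n in dc_names}
    allow = {a.upper() for a in allowlisted_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if ev.get("AccessMask", "").lower() != CONTROL_ACCESS_MASK:
            continue  # not a control-access check, so not a replication request
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev["SubjectUserName"]
        if account.upper() in allow:
            continue
        if account.endswith("$"):
            if account[:-1].upper() in dcs:
                continue  # domain controllers replicate with each other constantly
            reason = "machine account that is not a known domain controller"
        else:
            reason = "user account requested directory replication"
        findings.append(Finding(f"{ev['SubjectDomainName']}\\{account}", rights, reason))
    return findings


# Constructed sample events carrying only the 4662 fields that matter here.
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
FULL_REPLICATION = f"%%7688 {GET_CHANGES} {GET_CHANGES_ALL} {DOMAIN_DNS_CLASS}"

SAMPLE_EVENTS = [
    # Normal DC-to-DC replication.
    {"EventID": 4662, "SubjectDomainName": "CONTOSO", "SubjectUserName": "DC01$",
     "AccessMask": "0x100", "Properties": FULL_REPLICATION},
    # Entra Connect AD DS connector account doing password hash sync (allow-listed).
    {"EventID": 4662, "SubjectDomainName": "CONTOSO", "SubjectUserName": "MSOL_example123",
     "AccessMask": "0x100", "Properties": FULL_REPLICATION},
    # A standard user requesting full replication: classic DCSync.
    {"EventID": 4662, "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "AccessMask": "0x100", "Properties": FULL_REPLICATION},
    # A member server's machine account doing the same: not a DC, still suspicious.
    {"EventID": 4662, "SubjectDomainName": "CONTOSO", "SubjectUserName": "SRV-FILE01$",
     "AccessMask": "0x100", "Properties": f"%%7688 {GET_CHANGES} {DOMAIN_DNS_CLASS}"},
    # An unrelated 4662 (read property) that must not match.
    {"EventID": 4662, "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "AccessMask": "0x10", "Properties": f"%%7688 {DOMAIN_DNS_CLASS}"},
]
KNOWN_DCS = ["DC01", "DC02"]
ALLOWLISTED_SYNC_ACCOUNTS = ["MSOL_example123"]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS, ALLOWLISTED_SYNC_ACCOUNTS):
        print(f"{f.subject}: {', '.join(f.rights)} ({f.reason})")
```

Running it against the constructed events reports `CONTOSO\jdoe` and `CONTOSO\SRV-FILE01$` and stays silent for the domain controller and the sync account. In production the allow-list should be short and reviewed, since the article's point is that the sync account's own replication rights were part of the attacker's path.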
It then pivoted to the cloud, leveraging the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant using AzureHound.
"Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multi-factor authentication (MFA) requirements," said the team.
"This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions."
In response, Storm-0501 shifted tactics, traversing between Active Directory domains and eventually moving laterally to compromise a second Entra Connect server and identify an admin identity that didn't have MFA enabled - allowing it to assign a new password.
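The two gaps that finally let the group into the tenant, a privileged account without MFA and cloud admin roles held by identities mastered in on-premises Active Directory, are both things a tenant owner can enumerate before an attacker does. The audit below is an added example for this article, not Microsoft's tooling; its inputs are constructed records shaped like the Microsoft Graph user object (`userPrincipalName`, `accountEnabled`, `onPremisesSyncEnabled`) and the authentication methods registration report (`isMfaRegistered`), and it makes no network calls. The role list, sample identities and the `audit_privileged_identities` helper are assumptions of this example.

```python
"""Audit privileged Entra ID role holders for the gaps described in the article.

Added example, not Microsoft's tooling; all records below are constructed. Two
conditions are reported: a privileged role holder with no registered MFA, and a
privileged role held by an account synced from on-premises AD, which is what
turns an Active Directory compromise into a cloud compromise.
"""
from dataclasses import dataclass

# Built-in Entra ID roles treated as highly privileged for this audit (assumed set).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Hybrid Identity Administrator",
    "User Administrator",
}


@dataclass(frozen=True)
class Gap:
    user: str
    role: str
    issue: str


def audit_privileged_identities(role_assignments, users, registration):
    """Return sorted Gap records for privileged role holders lacking MFA or synced from AD.

    A role holder missing from the registration report is treated as having no MFA:
    an unknown second factor is a gap, not a pass.
    """
    users_by_upn = {u["userPrincipalName"].lower(): u for u in users}
    mfa_by_upn = {r["userPrincipalName"].lower(): bool(r.get("isMfaRegistered"))
                  for r in registration}
    gaps = set()  # a set so duplicate role assignments do not produce duplicate findings
    for assignment in role_assignments:
        role = assignment["role"]
        if role not in PRIVILEGED_ROLES:
            continue
        upn = assignment["userPrincipalName"].lower()
        user = users_by_upn.get(upn)
        if user is None:
            gaps.add(Gap(upn, role, "role holder not present in user inventory"))
            continue
        if not user.get("accountEnabled", True):
            continue  # disabled accounts cannot sign in; track them separately if needed
        if not mfa_by_upn.get(upn, False):
            gaps.add(Gap(upn, role, "no MFA registered"))
        if user.get("onPremisesSyncEnabled"):
            gaps.add(Gap(upn, role, "hybrid-synced account holds a cloud admin role"))
    return sorted(gaps, key=lambda g: (g.user, g.role, g.issue))


# Constructed sample data for a fictional tenant.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "accountEnabled": True, "onPremisesSyncEnabled": False},
    {"userPrincipalName": "bob@contoso.com", "accountEnabled": True, "onPremisesSyncEnabled": True},
    {"userPrincipalName": "carol@contoso.com", "accountEnabled": True, "onPremisesSyncEnabled": True},
    {"userPrincipalName": "dave@contoso.com", "accountEnabled": True, "onPremisesSyncEnabled": True},
    {"userPrincipalName": "svc-legacy-admin@contoso.com", "accountEnabled": True, "onPremisesSyncEnabled": False},
    {"userPrincipalName": "old-admin@contoso.com", "accountEnabled": False, "onPremisesSyncEnabled": False},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"userPrincipalName": "alice@contoso.com", "role": "Global Administrator"},
    {"userPrincipalName": "bob@contoso.com", "role": "Global Administrator"},
    {"userPrincipalName": "carol@contoso.com", "role": "Helpdesk Administrator"},
    {"userPrincipalName": "dave@contoso.com", "role": "Hybrid Identity Administrator"},
    {"userPrincipalName": "svc-legacy-admin@contoso.com", "role": "User Administrator"},
    {"userPrincipalName": "old-admin@contoso.com", "role": "Global Administrator"},
]
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "alice@contoso.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@contoso.com", "isMfaRegistered": True},
    {"userPrincipalName": "carol@contoso.com", "isMfaRegistered": False},
    {"userPrincipalName": "svc-legacy-admin@contoso.com", "isMfaRegistered": False},
    # dave is deliberately absent from the report to exercise the "unknown means gap" rule
]

if __name__ == "__main__":
    for gap in audit_privileged_identities(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_USERS, SAMPLE_REGISTRATION):
        print(f"{gap.user} [{gap.role}]: {gap.issue}")
```

On the sample tenant this produces four findings: bob's synced Global Administrator account, dave's synced Hybrid Identity Administrator account both for sync and for the missing registration record, and the cloud-only service account with no MFA. The `old-admin` account is skipped because it is disabled, and carol's Helpdesk role is outside the privileged set, so neither appears.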
"From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain," researchers said.
"The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.