A notorious hacker group is ramping up cloud-based ransomware attacks
In one attack, said Microsoft, the Storm-0501 group took advantage of protection and visibility gaps to pivot from on-premises to cloud


The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
By leveraging cloud-native capabilities, analysis from the tech giant shows Storm-0501 exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all at speed and without relying on traditional malware deployment.
This time last year, Microsoft warned that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.
The group has been shown to compromise Active Directory environments before pivoting to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges.
"Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows," said the Microsoft Threat Intelligence team.
"They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals."
How Storm-0501 operates
Microsoft gives the example of one recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries. Each operated its own Active Directory domain, all interconnected through domain trust relationships and enabling cross-domain authentication and resource access.
However, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license, creating visibility gaps across the environment.
Storm-0501 checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems, Microsoft said.
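The visibility gap described above, where devices from several Active Directory domains were only partly onboarded to a single Defender for Endpoint tenant, is something a defender can measure. The script below is an added example written for this article, not a Microsoft tool: it reconciles a constructed per-domain AD computer inventory against a constructed Defender device export (assumed to carry computerDnsName and onboardingStatus columns) and lists every host with no EDR coverage, putting identity-pivot hosts such as Entra Connect Sync servers and domain controllers first.

```python
"""Reconcile Active Directory computer inventories from several domains against
a Defender for Endpoint device export to find hosts with no EDR coverage.

Added illustration, not a Microsoft tool. Both inputs are constructed; the CSV
mimics a device export with computerDnsName and onboardingStatus columns (an
assumption about the export format).
"""
import csv
import io
from collections import defaultdict

# Roles whose compromise hands over an identity pivot; an uncovered host in one
# of these roles is the most urgent gap to close.
HIGH_VALUE_ROLES = {"DomainController", "EntraConnectSync"}

# Constructed AD inventory: one record per computer object, tagged with its role.
AD_INVENTORY = [
    {"domain": "corp.example", "name": "DC01", "role": "DomainController"},
    {"domain": "corp.example", "name": "SYNC01", "role": "EntraConnectSync"},
    {"domain": "corp.example", "name": "WS-0042", "role": "Workstation"},
    {"domain": "sub1.example", "name": "SYNC02", "role": "EntraConnectSync"},
    {"domain": "sub1.example", "name": "FS01", "role": "FileServer"},
    {"domain": "sub2.example", "name": "APP01", "role": "AppServer"},
]

# Constructed Defender device export. SYNC01 is absent entirely; SYNC02 is known
# to the tenant but never completed onboarding.
DEFENDER_EXPORT_CSV = """computerDnsName,onboardingStatus
dc01.corp.example,Onboarded
ws-0042.corp.example,Onboarded
fs01.sub1.example,Onboarded
sync02.sub1.example,InsufficientInfo
"""


def load_onboarded(csv_text):
    """Return the set of lowercase FQDNs whose onboardingStatus is 'Onboarded'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        row["computerDnsName"].strip().lower()
        for row in reader
        if row["onboardingStatus"].strip() == "Onboarded"
    }


def coverage_report(ad_inventory, onboarded_fqdns):
    """Per-domain coverage counts plus a priority-ordered list of uncovered hosts.

    Names are normalised to lowercase FQDN so that the AD short name and the
    Defender DNS name compare equal regardless of case.
    """
    per_domain = defaultdict(lambda: {"total": 0, "onboarded": 0})
    uncovered = []
    for host in ad_inventory:
        fqdn = f"{host['name']}.{host['domain']}".lower()
        per_domain[host["domain"]]["total"] += 1
        if fqdn in onboarded_fqdns:
            per_domain[host["domain"]]["onboarded"] += 1
        else:
            priority = "high" if host["role"] in HIGH_VALUE_ROLES else "medium"
            uncovered.append({"fqdn": fqdn, "role": host["role"], "priority": priority})
    # High-priority gaps first, then alphabetical for stable output.
    uncovered.sort(key=lambda h: (h["priority"] != "high", h["fqdn"]))
    return dict(per_domain), uncovered


if __name__ == "__main__":
    report, gaps = coverage_report(AD_INVENTORY, load_onboarded(DEFENDER_EXPORT_CSV))
    for domain, counts in sorted(report.items()):
        print(f"{domain}: {counts['onboarded']}/{counts['total']} onboarded")
    for gap in gaps:
        print(f"[{gap['priority']}] {gap['fqdn']} ({gap['role']}) has no Defender coverage")
```

Against the constructed inputs, both Entra Connect Sync servers surface at the top of the gap list, one because it is missing from the tenant and one because its onboarding never completed; treating "present in the portal" as equivalent to "onboarded" is exactly the mistake this check guards against.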
Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that utilizes PowerShell over Windows Remote Management (WinRM) for remote code execution.
Commands were executed over sessions initiated with Evil-WinRM, as well as discovery using other common native Windows tools and commands such as quser.exe and net.exe.
Earlier in the attack, Storm-0501 had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint - and which Microsoft reckons was used as a pivot point, with the group establishing a tunnel to move laterally within the network.
It also carried out a DCSync attack, abusing the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller - allowing it to request password hashes for any user in the domain, including privileged accounts.
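A DCSync request leaves a record: Windows Security event 4662 on the domain controller that served it, with the replication control-access rights listed in the Properties field. The following detection is an added example written for this article, not Microsoft's own logic. It runs over constructed 4662 records and reports any principal other than a domain controller computer account that requested those rights, while letting an analyst pass the accounts that are expected to replicate (such as the Entra Connect Sync account, shown here under a constructed MSOL_ name) so their activity is surfaced for baselining instead of being silently dropped.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added illustration of the DCSync step described above; not Microsoft's detection
logic. The event records below are constructed.
"""
import re

# Control-access-right GUIDs a domain controller exercises when replicating
# directory data. A non-DC principal requesting them is the classic DCSync signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.IGNORECASE
)

# Constructed event records, shaped like parsed Security log entries.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-08-01T10:02:11Z", "EventID": 4662, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-08-01T10:05:47Z", "EventID": 4662, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_a1b2c3d4e5f6",  # constructed sync account
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-08-01T10:09:03Z", "EventID": 4662, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2025-08-01T10:09:05Z", "EventID": 4662, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated right, constructed
    {"TimeCreated": "2025-08-01T10:09:06Z", "EventID": 4624, "Computer": "DC01.corp.example",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "Properties": ""},
]


def find_dcsync(events, domain_controllers, known_replicators=None):
    """Return findings for 4662 events in which a principal other than a DC
    computer account requested replication rights.

    domain_controllers: DC host names, with or without the trailing '$'.
    known_replicators:  service accounts expected to replicate (for example the
                        Entra Connect Sync account); their requests are reported
                        at 'review' severity for baselining rather than 'high'.
    """
    dc_accounts = {dc.upper().rstrip("$") + "$" for dc in domain_controllers}
    baseline = {acct.upper() for acct in (known_replicators or ())}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        requested = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = requested & REPLICATION_RIGHTS.keys()
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if account.upper() in dc_accounts:
            continue  # ordinary DC-to-DC replication
        findings.append({
            "time": ev["TimeCreated"],
            "account": f"{ev.get('SubjectDomainName', '')}\\{account}",
            "logged_on": ev.get("Computer"),
            "rights": sorted(REPLICATION_RIGHTS[g] for g in rights),
            "severity": "review" if account.upper() in baseline else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in find_dcsync(SAMPLE_EVENTS, ["DC01", "DC02"],
                               known_replicators={"MSOL_a1b2c3d4e5f6"}):
        print(finding)
```

The sync account is the awkward case: it legitimately holds replication rights, so its 4662 records look the same as an attacker's, and the article's scenario is precisely one where that server was compromised. Rather than allow-listing it away, the example keeps it visible at a lower severity so volume and timing can be baselined and deviations noticed.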
It then pivoted to the cloud, leveraging the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant using AzureHound.
"Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multi-factor authentication (MFA) requirements," said the team.
"This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions."
In response, Storm-0501 shifted tactics, traversing between Active Directory domains and eventually moving laterally to compromise a second Entra Connect server and identify an admin identity that didn't have MFA enabled - allowing it to assign a new password.
"From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain," researchers said.
"The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud."
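The turning point in the account above was a privileged identity that Conditional Access and MFA did not actually cover. The check below is an added example written for this article, not Microsoft code: it walks a constructed, simplified model of Conditional Access assignments (loosely modelled on the policy fields in the Graph API, but not that schema) and reports each privileged role holder for whom no enabled MFA-requiring policy applies, whether through an exclusion, a role the policy never targeted, or a policy left in report-only mode, plus those who are covered but have never registered a method.

```python
"""Find privileged Entra ID identities that no enabled Conditional Access policy
forces through MFA, or that have no MFA method registered at all.

Added illustration of the gap described above. The user and policy records are
a simplified, constructed model of Conditional Access assignments.
"""

PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
}

# Constructed tenant snapshot.
USERS = [
    {"id": "u1", "upn": "ga-alice@contoso.example", "roles": ["Global Administrator"], "mfa_registered": True},
    {"id": "u2", "upn": "breakglass@contoso.example", "roles": ["Global Administrator"], "mfa_registered": False},
    {"id": "u3", "upn": "exo-bob@contoso.example", "roles": ["Exchange Administrator"], "mfa_registered": True},
    {"id": "u4", "upn": "ga-carol@contoso.example", "roles": ["Global Administrator"], "mfa_registered": False},
    {"id": "u5", "upn": "dave@contoso.example", "roles": [], "mfa_registered": False},
]

# Constructed policies. The second one is report-only, so it enforces nothing.
POLICIES = [
    {"name": "Require MFA for Global Admins", "state": "enabled",
     "include": {"roles": ["Global Administrator"]}, "exclude_users": ["u2"],
     "grant_controls": ["mfa"]},
    {"name": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "include": {"all_users": True}, "exclude_users": [],
     "grant_controls": ["mfa"]},
]


def mfa_enforced_for(user, policies):
    """True if at least one enabled policy that requires MFA targets the user
    and does not exclude them. Report-only policies are skipped."""
    for pol in policies:
        if pol["state"] != "enabled" or "mfa" not in pol["grant_controls"]:
            continue
        if user["id"] in pol["exclude_users"]:
            continue
        inc = pol["include"]
        targeted = (
            inc.get("all_users", False)
            or user["id"] in inc.get("users", ())
            or bool(set(user["roles"]) & set(inc.get("roles", ())))
        )
        if targeted:
            return True
    return False


def find_mfa_gaps(users, policies, privileged_roles=PRIVILEGED_ROLES):
    """Return (upn, reason) pairs for each privileged identity with an MFA gap."""
    gaps = []
    for user in users:
        if not set(user["roles"]) & privileged_roles:
            continue  # only privileged identities are in scope here
        if not mfa_enforced_for(user, policies):
            gaps.append((user["upn"], "no enabled Conditional Access policy requires MFA"))
        elif not user["mfa_registered"]:
            gaps.append((user["upn"], "policy requires MFA but no method is registered"))
    return gaps


if __name__ == "__main__":
    for upn, reason in find_mfa_gaps(USERS, POLICIES):
        print(f"{upn}: {reason}")
```

Three of the four constructed admins come back as gaps, for three different reasons, and none of them would have been caught by checking the policy list alone: the break-glass exclusion, the role the policy never included, and the admin whose enforcement exists on paper but whose registration was never completed all need a separate decision.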
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.