The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
By leveraging cloud-native capabilities, analysis from the tech giant shows Storm-0501 exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all at speed and without relying on traditional malware deployment.
This time last year, Microsoft warned that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.
The group has shown to have compromised Active Directory environments before pivoting to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges.
"Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows," said the Microsoft Threat Intelligence team.
"They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals."
How Storm-0501 operates
Microsoft gives the example of one recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries. Each operated its own Active Directory domain, all interconnected through domain trust relationships and enabling cross-domain authentication and resource access.
However, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license, creating visibility gaps across the environment.
Storm-0501 checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems, Microsoft said.
Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that utilizes PowerShell over Windows Remote Management (WinRM) for remote code execution.
Commands were executed over sessions initiated with Evil-WinRM, as well as discovery using other common native Windows tools and commands such as quser.exe and net.exe.
Earlier in the attack, Storm-0501 had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint - and which Microsoft reckons was used as a pivot point, with the group establishing a tunnel to move laterally within the network.
It also carried out a DCSync attack, abusing the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller - allowing it to request password hashes for any user in the domain, including privileged accounts.
It then pivoted to the cloud, leveraging the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant using AzureHound.
"Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multi-factor authentication (MFA) requirements," said the team.
"This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions."
In response, Storm-0501 shifted tactics, traversing between Active Directory domains and eventually moving laterally to compromise a second Entra Connect server and identify an admin identity that didn't have MFA enabled - allowing it to assign a new password.
"From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain," researchers said.
"The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victims
- Malware as a service explained: What it is and why businesses should take note
- Nearly half of MSPs admit to having a ransomware kitty
-
AWS rolls out new 'business continuity' features in wake of October outageNews The US-EAST-1 Region gets an extra tool to help customers during an outage
-
Asahi reveals 1.5 million customers impacted in cyber attackNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposed
News No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
