
Storm-0501: Understanding the Exploitation of Entra ID for Azure Data Exfiltration and Deletion in Hybrid Cloud Attacks

The threat actor group tracked as Storm-0501 has recently changed its playbook to focus on data exfiltration and extortion in cloud environments. Rather than the traditional ransomware model of encrypting files on the local network, Storm-0501 uses cloud-native capabilities to exfiltrate large volumes of data quickly, destroy backups, and demand a ransom, without needing to deploy a ransomware payload at all.

First described by Microsoft roughly a year ago, Storm-0501 has targeted government, manufacturing, transportation, and law enforcement organizations in the U.S. The group has shifted from on-premises tradecraft to cloud-focused operations covering data theft, credential theft, and ransomware deployment. Active since 2021, Storm-0501 operates as a ransomware-as-a-service (RaaS) affiliate and has deployed several ransomware families, including Sabbath, Hive, and BlackCat.

Microsoft noted that Storm-0501 moves fluidly between on-premises and hybrid cloud environments, hunting for unmanaged devices and exploiting security gaps to evade detection and escalate privileges. Its typical attack path is to gain initial access, escalate to Domain Admin on-premises, and then pivot laterally into the cloud environment.

Microsoft highlights that initial access is often purchased from access brokers, who obtain it through compromised credentials or known vulnerabilities on unpatched servers. In one recent campaign against a large organization, Storm-0501 performed reconnaissance, used Evil-WinRM to move laterally across the network, and then ran a DCSync attack, abusing directory replication rights to pull credential material from Active Directory as a domain controller would.

After compromising a second Entra Connect server, one linked to a different Entra ID tenant, the attackers reset the on-premises password of a synced account; password synchronization then pushed the new password to Entra ID, where the account held the Global Administrator role. With that Global Administrator access, Storm-0501 registered a backdoor in the tenant for persistence and elevated its privileges over the Azure subscriptions holding critical resources, setting the stage for data exfiltration and extortion.
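The cloud takeover above only works because a privileged Entra ID role was held by an identity synced from on-premises Active Directory: whoever can reset that account's password on-premises inherits the cloud role, and without MFA nothing stands in the way. The following added example (not code from Microsoft's report or from the article) audits a tenant for exactly that precondition. It runs over constructed sample data shaped like the Microsoft Graph responses for `GET /directoryRoles/{id}/members` and `GET /users/{id}/authentication/methods`; the role list, the sample tenant and account names, and the choice of which method types count as MFA are assumptions, and wiring the two `SAMPLE_*` dicts to live Graph calls is left to the reader.

```python
"""Flag on-premises-synced identities that hold privileged Entra ID roles.

Added example (not code from Microsoft or from the article). It runs over
constructed sample data shaped like Microsoft Graph responses for
GET /directoryRoles/{id}/members and GET /users/{id}/authentication/methods;
replacing the two SAMPLE_* dicts with live Graph results is left to the reader.
"""
from dataclasses import dataclass

# Roles whose members should be cloud-only. Assumed list for the example;
# add the privileged roles your tenant actually uses.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "User Administrator",
    "Hybrid Identity Administrator",
}

# Registered method types that do not count as a second factor (assumption).
WEAK_METHODS = {
    "#microsoft.graph.passwordAuthenticationMethod",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
}

SEVERITY_ORDER = {"critical": 0, "high": 1}

# Constructed sample: role display name -> members. Graph reports
# onPremisesSyncEnabled as true for synced users and null for cloud-only ones.
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1",
         "userPrincipalName": "svc-backup-admin@contoso.example",
         "onPremisesSyncEnabled": True},
        {"@odata.type": "#microsoft.graph.user", "id": "u2",
         "userPrincipalName": "ga-cloudonly@contoso.example",
         "onPremisesSyncEnabled": None},
    ],
    "User Administrator": [
        {"@odata.type": "#microsoft.graph.user", "id": "u3",
         "userPrincipalName": "helpdesk@contoso.example",
         "onPremisesSyncEnabled": True},
    ],
    "Directory Readers": [
        {"@odata.type": "#microsoft.graph.user", "id": "u4",
         "userPrincipalName": "reader@contoso.example",
         "onPremisesSyncEnabled": True},
    ],
}

# Constructed sample: user id -> @odata.type of each registered auth method.
SAMPLE_AUTH_METHODS = {
    "u1": ["#microsoft.graph.passwordAuthenticationMethod"],
    "u2": ["#microsoft.graph.passwordAuthenticationMethod",
           "#microsoft.graph.fido2AuthenticationMethod"],
    "u3": ["#microsoft.graph.passwordAuthenticationMethod",
           "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"],
    "u4": ["#microsoft.graph.passwordAuthenticationMethod"],
}


@dataclass(frozen=True)
class Finding:
    upn: str
    role: str
    severity: str
    reason: str


def has_mfa(method_types):
    """True if at least one registered method is something other than a
    password or a temporary access pass."""
    return any(m not in WEAK_METHODS for m in method_types)


def audit_role_members(role_members, auth_methods):
    """Return findings for synced users in privileged roles.

    A synced account is reachable from on-premises AD: anyone who can reset
    its password there (as Storm-0501 did after DCSync) gets the cloud role
    too. Without MFA that is a direct path to Global Administrator.
    """
    findings = []
    for role, members in role_members.items():
        if role not in PRIVILEGED_ROLES:
            continue
        for member in members:
            if member.get("@odata.type") != "#microsoft.graph.user":
                continue  # groups and service principals need their own check
            if not member.get("onPremisesSyncEnabled"):
                continue  # cloud-only: an on-prem password reset cannot reach it
            upn = member["userPrincipalName"]
            if has_mfa(auth_methods.get(member["id"], [])):
                findings.append(Finding(upn, role, "high",
                                        "synced account holds a privileged role"))
            else:
                findings.append(Finding(upn, role, "critical",
                                        "synced account holds a privileged role and has no MFA"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.upn))


if __name__ == "__main__":
    for f in audit_role_members(SAMPLE_ROLE_MEMBERS, SAMPLE_AUTH_METHODS):
        print(f"[{f.severity}] {f.upn} ({f.role}): {f.reason}")
```

On the sample data the check reports `svc-backup-admin` as critical (synced Global Administrator, password only) and `helpdesk` as high (synced User Administrator, MFA registered); the cloud-only Global Administrator and the synced Directory Reader are not flagged. The fix for every finding is the same: move the role to a cloud-only account with phishing-resistant MFA, and never let a synced service account hold a privileged role.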

Once the data had been exfiltrated, Storm-0501 deleted the Azure resources that held the sensitive data, along with the backups, so that the victim could not recover on its own. The group then contacted the victim over Microsoft Teams, from a compromised user account, to demand a ransom.
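Each step of the cloud phase described in the last two paragraphs leaves a record: the sync-driven password change in the Entra ID audit log, the tenant backdoor registration in the same log, the privilege elevation and the deletions in the Azure activity log. The following added example (not code from Microsoft or the article) correlates those records into a single alert keyed on the synced privileged identity. The events are constructed, and the operation strings, the `initiated_by` marker, the 72-hour window and the sample tenant names are assumptions about log shape; map them onto the schema of your own SIEM before use.

```python
"""Correlate Entra ID audit and Azure activity events into the cloud-phase
chain described above: sync-driven password change on a privileged synced
identity, tenant backdoor, elevation to Azure, deletion of backups and data.

Added example, not code from Microsoft or the article. The events are
constructed and the operation strings and the "initiated_by" marker are
assumptions about log shape; map them onto your real audit log schema.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # assumption: stages within 3 days are related

# (stage name, log source, operations that satisfy the stage)
STAGES = [
    ("synced_admin_password_change", "entra_audit",
     {"Reset user password", "Change user password"}),
    ("federated_domain_backdoor", "entra_audit",
     {"Add unverified domain", "Set domain authentication"}),
    ("azure_elevate_access", "azure_activity",
     {"Microsoft.Authorization/elevateAccess/action"}),
    ("backup_and_data_deletion", "azure_activity",
     {"Microsoft.Authorization/locks/delete",
      "Microsoft.Compute/snapshots/delete",
      "Microsoft.Storage/storageAccounts/delete"}),
]

# Synced identities holding privileged Entra roles (output of a tenant audit).
SAMPLE_SYNCED_PRIVILEGED = {"svc-backup-admin@contoso.example"}


def ev(ts, source, operation, initiated_by, actor, target):
    return {"ts": ts, "source": source, "operation": operation,
            "initiated_by": initiated_by, "actor": actor, "target": target}


ADMIN = "svc-backup-admin@contoso.example"
SUB = "/subscriptions/sub-0001/resourceGroups/rg-prod/providers"

# Constructed sample log: the attack chain interleaved with benign noise.
SAMPLE_EVENTS = [
    ev("2025-03-10T02:14:00+00:00", "entra_audit", "Change user password",
       "sync", "Microsoft Entra Connect", ADMIN),
    ev("2025-03-10T09:00:00+00:00", "entra_audit", "Reset user password",
       "user", "helpdesk@contoso.example", "jdoe@contoso.example"),
    ev("2025-03-10T02:40:00+00:00", "entra_audit", "Add unverified domain",
       "user", ADMIN, "attacker-owned.example"),
    ev("2025-03-10T02:45:00+00:00", "entra_audit", "Set domain authentication",
       "user", ADMIN, "attacker-owned.example"),
    ev("2025-03-10T03:05:00+00:00", "azure_activity",
       "Microsoft.Authorization/elevateAccess/action", "user", ADMIN, "/"),
    ev("2025-03-11T01:10:00+00:00", "azure_activity",
       "Microsoft.Authorization/locks/delete", "user", ADMIN,
       SUB + "/Microsoft.Authorization/locks/keep-prod"),
    ev("2025-03-11T01:12:00+00:00", "azure_activity",
       "Microsoft.Compute/snapshots/delete", "user", ADMIN,
       SUB + "/Microsoft.Compute/snapshots/db01-nightly"),
    ev("2025-03-11T01:30:00+00:00", "azure_activity",
       "Microsoft.Storage/storageAccounts/delete", "user", ADMIN,
       SUB + "/Microsoft.Storage/storageAccounts/prodfiles01"),
    ev("2025-03-12T10:00:00+00:00", "azure_activity",
       "Microsoft.Authorization/elevateAccess/action", "user",
       "ga-cloudonly@contoso.example", "/"),
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_chain(events, synced_privileged, min_stages=3):
    """Return one alert per synced privileged identity whose password was
    changed through sync and which then performed at least min_stages of the
    chain (counting the password change itself) inside WINDOW."""
    events = sorted(events, key=_ts)
    first_name, first_src, first_ops = STAGES[0]
    alerts = []
    for e in events:
        if (e["source"] != first_src or e["operation"] not in first_ops
                or e["initiated_by"] != "sync"
                or e["target"] not in synced_privileged):
            continue
        identity, start = e["target"], _ts(e)
        stages = {first_name: 1}
        deleted = []
        for name, src, ops in STAGES[1:]:
            hits = [x for x in events
                    if x["source"] == src and x["operation"] in ops
                    and x["actor"] == identity
                    and start <= _ts(x) <= start + WINDOW]
            if hits:
                stages[name] = len(hits)
            if name == "backup_and_data_deletion":
                deleted = [x["target"] for x in hits]
        if len(stages) >= min_stages:
            alerts.append({"identity": identity, "first_seen": e["ts"],
                           "stages_hit": len(stages), "stages": stages,
                           "deleted_resources": deleted})
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS, SAMPLE_SYNCED_PRIVILEGED):
        print(alert)
```

On the sample log the detector raises exactly one alert, for `svc-backup-admin`, with all four stages present and three deleted resources listed; the help-desk password reset and the cloud-only administrator's own `elevateAccess` call produce nothing because neither is preceded by a sync-driven password change on a synced privileged identity. The useful property is that the alert fires after the elevation stage, before the deletions, if you set `min_stages` to 3; by the time the fourth stage is visible the backups are already gone.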

In response, Microsoft has changed the Entra ID handling of the Directory Synchronization Accounts role to block the abuses seen in these intrusions. It has also released Microsoft Entra Connect updates that support modern authentication, and it advises customers to enable a Trusted Platform Module (TPM) on Entra Connect Sync servers so that the sync credentials stored there cannot be extracted with the techniques described above. Those changes harden the sync server itself; they do not remove the underlying exposure, which is a privileged cloud role held by a synced account, so privileged Entra ID roles should be assigned only to cloud-only accounts protected by MFA.
