Microsoft has recently issued a warning about a significant shift in tactics by the ransomware group Storm-0501. This cybercriminal organization, first identified in 2021, has now turned its attention to hybrid cloud environments, posing a new threat to businesses and organizations worldwide.
Evolution of Storm-0501’s Malicious Activities
Initially associated with the Sabbath ransomware, Storm-0501 has expanded its operations over time. The group has collaborated with various ransomware outfits, including Hive, BlackCat, LockBit, and Hunters International. In a recent development, Microsoft security experts have observed Storm-0501 deploying a Rust-based ransomware called Embargo.
The group’s latest attacks have targeted a diverse range of entities, including hospitals, government institutions, manufacturing and logistics companies, and U.S. law enforcement agencies. This broad spectrum of targets underscores the versatility and ambition of Storm-0501’s operations.
Sophisticated Attack Methodology
Initial Access and Lateral Movement
Storm-0501 gains access to victims’ cloud environments by exploiting weak credentials and known vulnerabilities. The group often acquires compromised credentials from the dark web or other cybercriminals. Recent attacks have leveraged vulnerabilities in popular software such as Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 (CVE-2023-29300 and CVE-2023-38203).
For lateral movement within compromised networks, the group employs frameworks like Impacket and Cobalt Strike. They disable security mechanisms using PowerShell commands and exfiltrate data using a custom Rclone binary disguised as a legitimate Windows tool.
Hybrid Cloud Exploitation
A key aspect of Storm-0501’s new strategy involves moving from on-premises environments to cloud infrastructures. The group accomplishes this by compromising Microsoft Entra ID (formerly Azure AD) accounts, particularly targeting synchronization accounts and hijacking sessions to establish persistence.
By gaining access to Directory Synchronization Accounts, the attackers can utilize specialized tools like AADInternals to modify cloud passwords, effectively bypassing additional security measures. If a domain administrator or other high-privilege account exists both on-premises and in the cloud without proper protection (such as multi-factor authentication), the hackers can use the same credentials to access cloud resources.
Persistent Access and Data Exfiltration
Once Storm-0501 gains access to the cloud infrastructure, they establish a persistent backdoor by creating a new federated domain within the Microsoft Entra tenant. This allows them to authenticate as any user for which the ImmutableId property is known or set.
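The two cloud-side steps described above, a Directory Synchronization account resetting cloud passwords and a new domain being switched to federated authentication, both leave entries in the Microsoft Entra audit log. The following is an added detection example written for this article, not code from Microsoft or from the report; it runs over a handful of constructed audit-log records. The record layout follows the Entra audit log schema (activityDisplayName, initiatedBy, targetResources, modifiedProperties), but the exact activity names, the "Sync_" naming prefix for Entra Connect sync accounts, and the privileged-account list are assumptions to confirm against your own tenant.

```python
"""Triage Entra audit-log records for two hybrid-identity abuse signals:
(1) a domain being switched to federated authentication (backdoor domain), and
(2) a Directory Synchronization account changing cloud passwords, especially
of privileged accounts. Added example with constructed sample data."""
import json

# Activity names as they appear in Entra audit logs (assumption: verify in your tenant).
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}
PASSWORD_ACTIVITIES = {"Change user password", "Reset user password", "Reset password (by admin)"}

# Constructed privileged-account list; in practice derive it from role assignments.
PRIVILEGED_UPNS = {"globaladmin@contoso.example", "breakglass@contoso.example"}

# Constructed sample records, not real tenant data.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-09-20T10:01:00Z", "activityDisplayName": "Add unverified domain",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "backdoor-domain.example"}]},
    {"activityDateTime": "2024-09-20T10:03:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "backdoor-domain.example", "modifiedProperties": [
         {"displayName": "Authentication Type", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
    {"activityDateTime": "2024-09-20T10:10:00Z", "activityDisplayName": "Change user password",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_SRV01_0123abcd@contoso.example"}},
     "targetResources": [{"userPrincipalName": "globaladmin@contoso.example"}]},
    {"activityDateTime": "2024-09-20T10:12:00Z", "activityDisplayName": "Update user",  # routine sync write
     "initiatedBy": {"user": {"userPrincipalName": "Sync_SRV01_0123abcd@contoso.example"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2024-09-21T08:00:00Z", "activityDisplayName": "Set domain authentication",  # revert to Managed
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "backdoor-domain.example", "modifiedProperties": [
         {"displayName": "Authentication Type", "oldValue": "\"Federated\"", "newValue": "\"Managed\""}]}]},
]


def is_sync_account(upn):
    """Entra Connect sync accounts are named Sync_<server>_<id>@<tenant> (naming assumption)."""
    return (upn or "").lower().startswith("sync_")


def _initiator(rec):
    """Return the UPN of the initiating user, or the app display name for service principals."""
    by = rec.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def _became_federated(rec):
    """True if the record changes a domain's Authentication Type to Federated,
    or updates federation settings (which only applies to federated domains)."""
    for target in rec.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Authentication Type":
                return json.loads(prop.get("newValue") or "null") == "Federated"
    return rec.get("activityDisplayName") == "Set federation settings on domain"


def triage(records, privileged_upns=PRIVILEGED_UPNS):
    """Return a list of findings; each has a rule name, severity, actor, targets and time."""
    privileged = {p.lower() for p in privileged_upns}
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        actor = _initiator(rec)
        targets = [t.get("displayName") or t.get("userPrincipalName") or "" for t in rec.get("targetResources", [])]
        if activity in FEDERATION_ACTIVITIES and _became_federated(rec):
            findings.append({"rule": "federated-domain-change", "severity": "high",
                             "actor": actor, "targets": targets, "time": rec.get("activityDateTime")})
        elif activity in PASSWORD_ACTIVITIES and is_sync_account(actor):
            hit = [t for t in targets if t.lower() in privileged]
            findings.append({"rule": "sync-account-password-change", "severity": "high" if hit else "medium",
                             "actor": actor, "targets": targets, "time": rec.get("activityDateTime")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

On the constructed sample the two findings are the Managed-to-Federated switch and the sync account's password change on a Global Administrator; the sync account's routine "Update user" write and the later revert to Managed are not flagged. The revert is deliberately ignored because it is the direction a defender would take, but a tenant that has never used federation should treat any change to a domain's authentication type as worth review.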
In the final stage of their attacks, the group either deploys the Embargo ransomware in both local and cloud environments or reserves the obtained backdoor access for future exploitation. This flexibility in their approach makes Storm-0501 a particularly dangerous threat to organizations with hybrid cloud setups.
The emergence of Storm-0501’s new tactics highlights the evolving nature of cyber threats in the age of cloud computing. Organizations must prioritize robust security measures, including strong authentication protocols, regular vulnerability assessments, and comprehensive monitoring of both on-premises and cloud environments. As ransomware groups continue to adapt their strategies, maintaining a proactive and multi-layered approach to cybersecurity is more crucial than ever.