Microsoft Pinpoints Storm-0501 as Significant Menace in Hybrid Cloud Ransomware Incursions

Storm-0501, a threat actor, has been identified by Microsoft as a significant danger in the realm of hybrid cloud ransomware assaults, targeting various sectors within the U.S. such as government, manufacturing, transportation, and law enforcement.

In a campaign comprising multiple stages, the threat aims to infiltrate hybrid cloud environments, executing lateral movements from on-premises systems to cloud setups, leading to activities like data exfiltration, credential theft, tampering, persistent backdoor access, and the eventual deployment of ransomware, as outlined by Microsoft.

According to Microsoft’s threat intelligence team, “Storm-0501 represents a group of cybercriminals motivated by financial gains, utilizing common and open-source resources for carrying out ransomware operations.”

Having been active since 2021, Storm-0501 previously targeted educational institutions using the Sabbath (54bb47h) ransomware before transitioning into a ransomware-as-a-service (RaaS) affiliate, distributing various ransomware strains over time such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and the Embargo ransomware.

One noteworthy aspect of Storm-0501’s assaults involves the utilization of feeble credentials and accounts with excessive privileges, facilitating the transition from on-premises infrastructures into cloud platforms.

Initial access methods also include leveraging existing footholds by access brokers like Storm-0249 and Storm-0900, or taking advantage of identified remote code execution vulnerabilities present in unpatched servers accessible over the internet such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.

These methods pave the way for extensive reconnaissance operations to identify high-value assets, gather domain information, and conduct Active Directory scouting, followed by the deployment of remote monitoring and management tools (RMMs) like AnyDesk to ensure long-lasting persistence.

Microsoft reported, “The threat actor exploited administrator privileges on compromised local devices during the initial phase of access, attempting to expand access to more accounts within the network using various methods.”

“They predominantly employed Impacket’s SecretsDump module to extract credentials across the network, utilizing it on numerous devices to obtain credentials,” they further added.

The stolen credentials are then used to access additional devices and harvest yet more credentials; in parallel, the actor reads sensitive files to extract KeePass secrets and launches brute-force attacks against specific accounts.

Hybrid Cloud Ransomware Attacks

Microsoft noted the use of Cobalt Strike by Storm-0501 to navigate within the network using the compromised credentials and execute follow-up commands. Data exfiltration from on-premises environments is carried out through Rclone, transporting the data to the MegaSync public cloud storage service.

The threat actor has also established persistent backdoor access to cloud environments while deploying ransomware in on-premises setups, making it the latest threat actor to focus on hybrid cloud environments after Octo Tempest and Manatee Tempest.

“By utilizing credentials stolen earlier in the attack, specifically Microsoft Entra ID (formerly Azure AD), the threat actor was able to transition from on-premises setups to the cloud environment, setting up persistent access to the target network through a backdoor,” Redmond stated.

The pivot to the cloud is achieved either through a compromised Microsoft Entra Connect Sync service account or by hijacking the cloud session of an on-premises user account that is synced to a corresponding cloud admin account on which multi-factor authentication (MFA) is disabled.
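As an added illustration of how a defender might surface the two pivot paths just described, the following script (not from Microsoft's report) scans constructed sign-in records for a directory-synchronization account signing in interactively or from somewhere other than the known Entra Connect server, and for privileged accounts signing in without MFA. The record fields, the sync-server IP and the role list are assumptions, not telemetry from the page.

```python
"""Flag sign-in patterns matching the on-prem-to-cloud pivot described above.

Constructed sample records; field names loosely mirror Entra sign-in log
attributes but are assumptions for this example, not real telemetry.
"""

# Constructed sample sign-in events (not real data).
SIGNINS = [
    {"user": "Sync_ADCONNECT01_1a2b3c@contoso.onmicrosoft.com", "ip": "10.0.0.5",
     "interactive": False, "mfa": False, "roles": ["Directory Synchronization Accounts"]},
    {"user": "Sync_ADCONNECT01_1a2b3c@contoso.onmicrosoft.com", "ip": "203.0.113.77",
     "interactive": True, "mfa": False, "roles": ["Directory Synchronization Accounts"]},
    {"user": "admin.jdoe@contoso.com", "ip": "198.51.100.10",
     "interactive": True, "mfa": False, "roles": ["Global Administrator"]},
    {"user": "alice@contoso.com", "ip": "198.51.100.10",
     "interactive": True, "mfa": True, "roles": []},
]

# Assumed: the only host that should ever use the sync account is the
# Entra Connect server itself, whose egress address is known to the defender.
SYNC_SERVER_IPS = {"10.0.0.5"}

# Assumed subset of highly privileged directory roles worth alerting on.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}

SYNC_ROLE = "Directory Synchronization Accounts"


def find_sync_account_anomalies(events, sync_ips):
    """Return sign-ins by a directory-sync account that are interactive
    (the sync account should only authenticate non-interactively) or that
    originate from an address other than the known Entra Connect server."""
    hits = []
    for e in events:
        if SYNC_ROLE in e["roles"] and (e["interactive"] or e["ip"] not in sync_ips):
            hits.append(e)
    return hits


def find_privileged_without_mfa(events, privileged_roles):
    """Return sign-ins where a privileged role holder authenticated without MFA,
    the condition that makes the session-hijack path described above viable."""
    return [e for e in events
            if set(e["roles"]) & privileged_roles and not e["mfa"]]


if __name__ == "__main__":
    for hit in find_sync_account_anomalies(SIGNINS, SYNC_SERVER_IPS):
        print("sync-account anomaly:", hit["user"], "from", hit["ip"])
    for hit in find_privileged_without_mfa(SIGNINS, PRIVILEGED_ROLES):
        print("privileged sign-in without MFA:", hit["user"])
```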

The attack culminates in the deployment of Embargo, a Rust-based ransomware first discovered in May 2024, across the victim organization once the actor has gained sufficient control over the network, exfiltrated the pertinent files, and moved laterally into the cloud. Embargo specializes in double extortion: the operators encrypt the files and threaten to expose them unless a ransom is paid.

Microsoft revealed, “Operating under the RaaS model, the ransomware group behind Embargo allows affiliates such as Storm-0501 to use its platform to launch attacks in exchange for a portion of the ransom.”

“Embargo affiliates engage in dual extortion practices, where they encrypt data and threaten leaks unless the demanded ransom is paid,” they further mentioned.

This unveiling coincides with DragonForce ransomware group’s operations targeting businesses in manufacturing, real estate, and transportation through a variant of the leaked LockBit3.0 builder and custom Conti version.

The group employs the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. More than 50% of the victims are in the U.S., followed by the U.K. and Australia.

“Adopting dual extortion tactics, the group encrypts data and threatens exposure unless a ransom is delivered,” a report from Singapore-based Group-IB stated. “The affiliate program initiated on June 26, 2024, offers 80% of the ransom to affiliates, along with attack management and automation tools.”
