The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to carry out ransomware attacks.
The multi-stage attack campaign is designed to compromise hybrid cloud environments and move laterally from on-premises to cloud infrastructure, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, according to Microsoft.
“Storm-0501 is a financially driven cybercriminal crew that utilizes everyday and free-to-use tools to conduct ransomware operations,” the tech giant’s threat intelligence team said.
Active since 2021, the threat actor has a history of targeting educational organizations with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate that has delivered various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
A notable aspect of Storm-0501’s attacks is the use of weak credentials and over-privileged accounts to move from organizations’ on-premises environments to their cloud infrastructure.
Other initial access methods include using a foothold already established by access brokers such as Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.
Access gained through any of these routes sets the stage for extensive discovery operations to identify high-value assets, gather domain information, and perform Active Directory reconnaissance. Remote monitoring and management (RMM) tools such as AnyDesk are then deployed to maintain persistence.
“The malevolent entity capitalized on administrator privileges on the local gadgets it breached during initial entry and endeavored to access more accounts within the network via various techniques,” stated Microsoft.
“The malevolent entity chiefly employed Impacket’s SecretsDump module, which removes credentials over the network, and utilized it across numerous gadgets to obtain credentials.”
The compromised credentials are then used to access even more devices and extract additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and carrying out brute-force attacks to obtain the credentials of specific accounts.
Microsoft said it observed Storm-0501 using Cobalt Strike to move laterally across the network with the acquired credentials and send follow-up commands. Data exfiltration from the on-premises environment is carried out using Rclone to transfer the data to the MegaSync public cloud storage service.
The threat actor has also been observed establishing persistent backdoor access to the cloud environment and deploying ransomware on-premises, making it the latest threat actor to target hybrid cloud setups after Octo Tempest and Manatee Tempest.
“The malevolent entity utilized the credentials, particularly Microsoft Entra ID (formerly Azure AD), pilfered earlier in the assault to laterally move from the on-premises to the cloud environment and create sustained access to the target network through a hidden entry point,” Redmond revealed.
The pivot to the cloud is believed to be accomplished either through a compromised Microsoft Entra Connect Sync user account or via cloud session hijacking of an on-premises user account that has a corresponding admin account in the cloud with multi-factor authentication (MFA) disabled.
The attack culminates in the deployment of Embargo ransomware across the victim organization once sufficient control over the network has been obtained, files of interest have been exfiltrated, and lateral movement to the cloud has been completed. Embargo is a Rust-based ransomware first detected in May 2024.
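The two pivot routes just described come down to identity hygiene: who holds the Entra Connect Sync account, and which synced on-premises users map to privileged cloud accounts without MFA. The following check, an added example and not Microsoft's or any vendor's tooling, walks a constructed user directory and flags exactly those conditions; the field names, the privileged-role list and the sample accounts are assumptions made for this example, not a real Graph schema or tenant.

```python
"""Hybrid-identity exposure check for the on-prem-to-cloud pivot described above.
Added example, not Microsoft's or a vendor's tooling. Field names, the
privileged-role list and the sample directory are assumptions/constructed data.
"""
from dataclasses import dataclass, field

# Assumed set of cloud roles treated as privileged for this check.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Hybrid Identity Administrator"}


@dataclass
class CloudUser:
    upn: str
    on_premises_sync_enabled: bool           # identity synced from on-prem AD
    is_directory_sync_account: bool = False  # the Entra Connect Sync account
    roles: set = field(default_factory=set)
    mfa_registered: bool = False


def assess(users):
    """Return {upn: [finding codes]} for accounts that enable the pivot."""
    findings = {}
    for u in users:
        codes = []
        if u.is_directory_sync_account:
            # The sync account can write to the tenant; a compromised one is
            # the first pivot route the article describes. Protect and monitor it.
            codes.append("sync-account")
        if u.roles & PRIVILEGED_ROLES and not u.mfa_registered:
            # A synced admin without MFA is the second route (compromise on-prem,
            # ride the identity into the cloud); cloud-only admins are flagged too.
            codes.append("synced-admin-no-mfa" if u.on_premises_sync_enabled
                         else "admin-no-mfa")
        if codes:
            findings[u.upn] = codes
    return findings


# Constructed sample directory; names are placeholders.
SAMPLE_USERS = [
    CloudUser("sync_a1b2c3@contoso.example", False, is_directory_sync_account=True),
    CloudUser("jdoe@contoso.example", True, roles={"Global Administrator"}),
    CloudUser("cloudadmin@contoso.example", False,
              roles={"Global Administrator"}, mfa_registered=True),
    CloudUser("bsmith@contoso.example", True),
]

if __name__ == "__main__":
    for upn, codes in assess(SAMPLE_USERS).items():
        print(upn, ", ".join(codes))
```

On the sample data only the sync account and the synced, MFA-less Global Administrator are reported; the cloud-only admin with MFA registered and the unprivileged synced user pass.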
“Working under the RaaS paradigm, the ransomware group behind Embargo permits affiliates like Storm-0501 to utilize its platform to launch assaults in return for a portion of the ransom,” Microsoft said.
“Embargo associates adopt dual extortion strategies, first encrypting a victim’s files and threatening to expose pilfered sensitive data unless a ransom is paid.”

The disclosure comes as the DragonForce ransomware group has been targeting companies in the manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit3.0 builder and a modified version of Conti.
The attacks are notable for using the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. The U.S. accounts for more than half of all victims, followed by the U.K. and Australia.
“The gang practices dual extortion tactics, encrypting data and threatening to leak it unless a ransom is paid,” Singapore-headquartered Group-IB said. “The partnership program, commenced on 26 June 2024, offers 80% of the ransom to partners along with tools for attack management and automation.”