
Ransomware Group Exploits Hybrid Cloud Gaps, Gains Full Azure Control in Enterprise Attacks

Storm-0501 has been leveraging cloud-native capabilities for data exfiltration and deletion, without deploying file-encrypting malware. The post Ransomware Group Exploits Hybrid Cloud Gaps, Gains Full Azure Control in Enterprise Attacks appeared first on SecurityWeek.


The financially motivated threat actor tracked as Storm-0501 has shifted its focus to targeting cloud environments for data theft and extortion, Microsoft warns.

Active since at least 2021, Storm-0501 is known for using various ransomware families in attacks against on-premises and hybrid cloud environments, including Sabbath, Alphv/BlackCat, Hive, Hunters International, LockBit, and Embargo.

Last year, the hacking group was seen compromising Active Directory environments, moving to Entra ID, escalating privileges to global administrator, implanting backdoors in Entra ID tenant configurations, and deploying on-premises ransomware for file encryption.

In a recent attack against a large enterprise, the threat actor used similar tactics: it compromised multiple Active Directory domains, performed reconnaissance to identify protected endpoints and evade detection, and moved laterally using the Evil-WinRM post-exploitation tool.

Storm-0501 then compromised an Entra Connect Sync server and impersonated the domain controller to request password hashes for domain users. It also enumerated users, roles, and Azure resources, and attempted to log in as several privileged users.

Unsuccessful in their login attempts, the hackers then traversed between Active Directory domains, compromised another Entra Connect server, identified a non-human synced identity that had global administrator privileges in Entra ID, and reset its password to access the account.

“Consequently, the threat actor was able to authenticate against Entra ID as that user using the new password. Since no MFA was registered to that user, after successfully authenticating using the newly assigned password, the threat actor was redirected to simply register a new MFA method under their control,” Microsoft explains.

After identifying a Microsoft Entra hybrid joined device, Storm-0501 was able to access the Azure portal as global admin, gaining full control over the cloud domain. It immediately deployed a backdoor allowing it to sign in as any user, by registering a new Entra ID tenant.

Armed with top-level Entra ID privileges, the hackers elevated their privileges to the Owner Azure role over all the victim’s Azure subscriptions, essentially taking over the entire Azure environment.

“We assess that the threat actor initiated a comprehensive discovery phase using various techniques, including the usage of the AzureHound tool, where they attempted to locate the organization’s critical assets, including data stores that contained sensitive information, and data store resources that are meant to back up on-premises and cloud endpoint devices,” Microsoft notes.

The attackers also targeted Azure Storage accounts: they abused the Azure Owner role to obtain the accounts' access keys, exposed accounts that had not been internet-accessible to the web and to their own infrastructure, and then used the AzCopy command-line tool (CLI) to exfiltrate the data.

After stealing the data, the hackers initiated its mass deletion to prevent remediation actions. They also attempted to remove the protections that prevented deletion of some data, and used cloud-based encryption on those resources that could not be erased.
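The Azure-side steps described in the preceding paragraphs (an Owner role assignment over a subscription, storage account keys being listed and the account then opened to the internet, a resource lock removed and storage accounts deleted in bulk) each leave a record in the Azure Activity Log, which is where a defender can correlate them. The following is an added example, not code from Microsoft's report or from SecurityWeek: it runs three sequence rules over a handful of constructed records in a simplified Activity Log shape. Only the operationName strings and the built-in Owner role definition id are real Azure values; the callers, subscription, resource names, timestamps and the field layout are assumptions made for the example.

```python
"""Flag Activity Log operation sequences that match the post-compromise steps
in the article. Records are constructed sample data (simplified shape), not a
real tenant's logs; only the operationName strings and the Owner role id are
real Azure Resource Manager values."""
from datetime import datetime, timedelta

ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
SA_WRITE = "Microsoft.Storage/storageAccounts/write"
LOCK_DELETE = "Microsoft.Authorization/locks/delete"
SA_DELETE = "Microsoft.Storage/storageAccounts/delete"
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role definition id
SA_PREFIX = "/subscriptions/sub-1/resourceGroups/rg-backup/providers/Microsoft.Storage/storageAccounts/"


def rec(time, caller, op, resource_id, **props):
    """Build one constructed record (assumed field layout, not a real log line)."""
    return {"time": time, "caller": caller, "operationName": op,
            "resourceId": resource_id, "properties": props}


# 'svc-sync' plays the synced non-human identity from the article; 'ops-admin' is benign.
SAMPLE_RECORDS = [
    rec("2025-01-10T09:00:00", "svc-sync", ROLE_WRITE,
        "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/ra-1",
        roleDefinitionId="/providers/Microsoft.Authorization/roleDefinitions/" + OWNER_ROLE_ID,
        scope="/subscriptions/sub-1"),
    rec("2025-01-10T09:20:00", "svc-sync", LIST_KEYS, SA_PREFIX + "backupsa01"),
    rec("2025-01-10T09:22:00", "svc-sync", SA_WRITE, SA_PREFIX + "backupsa01",
        networkAcls={"defaultAction": "Allow"}),
    rec("2025-01-10T10:05:00", "svc-sync", LOCK_DELETE,
        SA_PREFIX + "backupsa01/providers/Microsoft.Authorization/locks/no-delete"),
    rec("2025-01-10T10:06:00", "svc-sync", SA_DELETE, SA_PREFIX + "backupsa01"),
    rec("2025-01-10T10:07:00", "svc-sync", SA_DELETE, SA_PREFIX + "backupsa02"),
    rec("2025-01-10T10:08:00", "svc-sync", SA_DELETE, SA_PREFIX + "backupsa03"),
    # routine key rotation by an operator, with no network-rule change afterwards
    rec("2025-01-10T11:00:00", "ops-admin", LIST_KEYS, SA_PREFIX + "appsa01"),
]


def ts(record):
    return datetime.fromisoformat(record["time"])


def storage_account_of(resource_id):
    """Return the storage account resource id a resource id belongs to, or None."""
    marker = "/providers/Microsoft.Storage/storageAccounts/"
    i = resource_id.find(marker)
    if i < 0:
        return None
    name = resource_id[i + len(marker):].split("/", 1)[0]
    return resource_id[:i + len(marker)] + name


def analyze(records, window=timedelta(hours=1), delete_threshold=3):
    """Return finding strings; each rule fires once per caller (and per account)."""
    findings = []
    by_caller = {}
    for r in sorted(records, key=lambda r: r["time"]):  # ISO timestamps sort as text
        by_caller.setdefault(r["caller"], []).append(r)

    for caller, crs in by_caller.items():
        for i, r in enumerate(crs):
            p = r["properties"]
            # Rule 1: Owner granted directly at subscription scope
            if (r["operationName"] == ROLE_WRITE
                    and p.get("roleDefinitionId", "").endswith(OWNER_ROLE_ID)
                    and p.get("scope", "").startswith("/subscriptions/")
                    and p["scope"].count("/") == 2):
                findings.append(f"OWNER_AT_SUBSCRIPTION caller={caller} scope={p['scope']}")
            # Rule 2: keys listed, then the same account's default network action set to Allow
            if r["operationName"] == LIST_KEYS:
                acct = storage_account_of(r["resourceId"])
                if acct is None:
                    continue
                for later in crs[i + 1:]:
                    if ts(later) - ts(r) > window:
                        break
                    if (later["operationName"] == SA_WRITE
                            and storage_account_of(later["resourceId"]) == acct
                            and later["properties"].get("networkAcls", {}).get("defaultAction") == "Allow"):
                        findings.append(f"KEYS_THEN_EXPOSED caller={caller} account={acct.rsplit('/', 1)[-1]}")
                        break
        # Rule 3: a resource lock removed, then a burst of storage account deletions
        lock_times = [ts(r) for r in crs if r["operationName"] == LOCK_DELETE]
        delete_times = [ts(r) for r in crs if r["operationName"] == SA_DELETE]
        for t0 in lock_times:
            n = sum(1 for td in delete_times if t0 <= td <= t0 + window)
            if n >= delete_threshold:
                findings.append(f"LOCK_REMOVED_THEN_MASS_DELETE caller={caller} deletes={n}")
                break
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_RECORDS):
        print(line)
```

Against the sample data the script reports all three sequences for the synced identity and nothing for the operator's routine key listing. The rules key on the caller and a time window rather than on single operations, because each operation on its own (listing keys, changing a network rule, deleting a lock) is common administrative activity; it is the order and the identity that make the pattern suspicious. A production version would read the real Activity Log export, where the role assignment and network-rule details sit inside the request body of the record.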

“After successfully exfiltrating and destroying the data within the Azure environment, the threat actor initiated the extortion phase, where they contacted the victims using Microsoft Teams using one of the previously compromised users, demanding ransom,” Microsoft says.

The tech giant also points out that, after compromising the victim’s cloud environment, Storm-0501 relied on cloud-native commands and functionality to perform reconnaissance, lateral movement, credential exfiltration, privilege escalation, and data exfiltration, deletion, and encryption.

“Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows. They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals,” the company notes.

Related: Hundreds of Salesforce Customers Hit by Widespread Data Theft Campaign

Related: Groucho’s Wit, Cloud Complexity, and the Case for Consistent Security Policy

Related: ImageRunner Flaw Exposed Sensitive Information in Google Cloud

Related: Multi-Cloud Networks Require Cloud-Native Protection
