Storm-0501 Ransomware Group Targeting Hybrid Cloud Environments

Ransomware groups are structured cybercriminal organizations that use malicious software to encrypt victims’ data and demand ransom payments in exchange for decryption keys. The proliferation of these groups has contributed to a surge in ransomware incidents worldwide, impacting multiple sectors and critical infrastructure. Recently, cybersecurity researchers at Microsoft identified that the “Storm-0501” ransomware group has been targeting hybrid cloud environments.

Storm-0501 Targets Cloud Environments

The Storm-0501 threat group, driven by financial motives, has executed a complex multi-stage attack on hybrid cloud environments across various sectors and critical infrastructure in the U.S. They exploited vulnerabilities in platforms such as Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016 to gain initial access to on-premises systems.

For lateral movement and credential harvesting, the group utilized tools like Impacket’s SecretsDump and Cobalt Strike. They further transitioned from on-premises systems to cloud environments by compromising Microsoft Entra Connect Sync accounts, allowing manipulation of Microsoft Entra ID (formerly Azure AD) identities.

Data exfiltration was carried out using Rclone, disguised as Windows binaries, while multiple ransomware variants, including Hive, BlackCat, and LockBit, were deployed. Microsoft’s advisory highlights the increasing security challenges in hybrid cloud setups, emphasizing the necessity for robust defenses across both on-premises and cloud infrastructures.

Storm-0501 specifically targets accounts with disabled multi-factor authentication (MFA) and Global Administrator roles. They employ various techniques to establish persistent backdoors, including:

  • Exploiting password synchronization
  • Hijacking cloud sessions
  • Utilizing the AADInternals PowerShell module

Additionally, the group may convert managed domains to federated ones, manipulate SAML tokens, and bypass MFA. In certain instances, they deploy Embargo ransomware, a Rust-based strain that utilizes advanced encryption, distributed via Group Policy Objects (GPOs) and scheduled tasks. This ransomware encrypts files, changes their extensions to .partial, .564ba1, or .embargo, and employs double extortion tactics.

Mitigations

  • Implement the principle of least privilege and conduct audits of privileged accounts.
  • Activate Conditional Access for compliant devices and trusted IP addresses.
  • Block sign-ins by Entra ID synchronization accounts that originate from untrusted IP addresses.
  • Utilize phishing-resistant authentication for essential applications.
  • Adhere to best practices for Active Directory Federation Services.
  • Consult Azure AD security best practices.
  • Activate Defender for Cloud Apps alerts.
  • Prevent bypassing Entra MFA in federated environments.
  • Restrict sign-ins to non-federated domains.
  • Enable Entra ID protection for high-risk sign-ins.
  • Use tamper protection to safeguard services.
  • Prohibit the use of unapproved IT tools via AppLocker.
  • Operate EDR in block mode for enhanced security.
  • Enable automated investigations in Defender.
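The identity changes described above (switching a domain from managed to federated authentication and granting Global Administrator) leave records in the Entra ID audit log, and several of the mitigations depend on catching them. The following detection is an added example, not code from the article or from Microsoft; it runs over constructed sample records, and the activity display names and field layout are assumptions about the audit log export that should be checked against your own tenant's data.

```python
import json

# Audit-log activity names for the federation backdoor and the privileged role
# grant discussed above. These display names are assumptions about the Entra ID
# audit log export, not values taken from the article.
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}
ROLE_GRANT_ACTIVITY = "Add member to role"
WATCHED_ROLES = {"Global Administrator"}

# Constructed sample export (one JSON object per line); not real tenant data.
SAMPLE_LOG = r"""
{"activityDateTime": "2024-09-20T10:12:00Z", "activityDisplayName": "Set domain authentication", "initiatedBy": {"user": {"userPrincipalName": "sync_svc@example.com"}}, "targetResources": [{"displayName": "example.com", "type": "Domain"}]}
{"activityDateTime": "2024-09-20T10:15:30Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "sync_svc@example.com"}}, "targetResources": [{"userPrincipalName": "helpdesk2@example.com", "type": "User", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]}
{"activityDateTime": "2024-09-20T11:00:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}}, "targetResources": [{"userPrincipalName": "alice@example.com", "type": "User"}]}
"""

def parse_records(text):
    """Parse a newline-delimited JSON export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def actor_of(record):
    """Principal that initiated the change, or 'unknown' if the field is absent."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")

def classify(record):
    """Return a finding string for a suspicious record, or None for benign ones."""
    name = record.get("activityDisplayName", "")
    targets = record.get("targetResources", [])
    if name in FEDERATION_ACTIVITIES:
        domain = targets[0].get("displayName", "?") if targets else "?"
        return f"federation change on {domain} by {actor_of(record)}"
    if name == ROLE_GRANT_ACTIVITY:
        for target in targets:
            for prop in target.get("modifiedProperties", []):
                # Role names in the export are JSON-encoded strings, so decode them.
                role = json.loads(prop.get("newValue") or '""')
                if prop.get("displayName") == "Role.DisplayName" and role in WATCHED_ROLES:
                    return f"{role} granted to {target.get('userPrincipalName', '?')} by {actor_of(record)}"
    return None

def find_findings(text):
    """All findings in the export, in log order."""
    return [f for f in (classify(r) for r in parse_records(text)) if f]

def actors_with_both(text):
    """Actors that both changed federation and granted a watched role: the
    sequence that turns a compromised sync account into cloud persistence."""
    fed, grant = set(), set()
    for r in parse_records(text):
        finding = classify(r)
        if finding and finding.startswith("federation change"):
            fed.add(actor_of(r))
        elif finding:
            grant.add(actor_of(r))
    return sorted(fed & grant)
```

A single finding deserves review on its own; the same actor appearing in `actors_with_both` is the pattern worth alerting on immediately.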