Storm-0501 Ransomware Group Attacking Hybrid Cloud Environments

Ransomware groups are organized cybercriminal entities that deploy malicious software to encrypt victims’ data, demanding ransom payments for decryption keys.

The rise of ransomware groups has led to an increase in ransomware incidents globally, affecting various sectors and critical infrastructure.

Cybersecurity researchers at Microsoft recently discovered that the “Storm-0501” ransomware group has been actively attacking hybrid cloud environments.

Storm-0501 Attacking Cloud Environments

Storm-0501 is a ‘financially motivated’ threat group that has launched a sophisticated ‘multi-stage attack’ targeting “hybrid cloud environments” across various ‘U.S. sectors’ and ‘critical infrastructure.’

The group exploited vulnerabilities in “Zoho ManageEngine,” “Citrix NetScaler,” and “ColdFusion 2016,” to gain initial access to on-premises systems.

Then for the lateral movement and credential they used tools like “Impacket’s SecretsDump” and “Cobalt Strike.”

The attackers pivoted from “on-premises” to “cloud environments” by compromising “Microsoft Entra Connect Sync” accounts, which allows them to manipulate the “Microsoft Entra ID” (formerly Azure AD) identities.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

They exfiltrated data using ‘Rclone,’ which was disguised as ‘Windows binaries,’ and deployed multiple ransomware variants (“Hive,” “BlackCat,” and “LockBit.

The tactics of Storm-0501 highlight the growing security challenges in hybrid cloud setups, which highlights the need for robust defenses across both on-premises and cloud infrastructures, reads Microsoft advisory.

This group targets “accounts with disabled MFA and Global Administrator roles.”

The attackers use various techniques to create persistent backdoors and here below we have mentioned them:-

Password synchronization exploitation
Cloud session hijacking
Leveraging the AADInternals PowerShell module

They may convert managed domains to federated ones, manipulate SAML tokens, and bypass MFA.

In some cases, the threat actors deploy “Embargo ransomware,” it’s a Rust-based strain that makes use of advanced encryption and it’s distributed via Group “Policy Objects (GPOs)” and “scheduled tasks.”

The ransomware encrypts files, changes the extensions to “.partial,” “.564ba1,” or “.embargo,” and employs double extortion tactics.

Mitigations

Here below we have mentioned all the mitigations:-

Use the least privilege and audit privileged accounts.
Enable Conditional Access for device compliance and trusted IPs.
Restrict Entra ID sync accounts from untrusted IPs.
Use phishing-resistant authentication for critical apps.
Follow best practices for Active Directory Federation Services.
Refer to Azure AD security best practices.
Turn on Defender for Cloud Apps alerts.
Prevent bypassing Entra MFA when federated.
Block sign-ins to non-federated domains.
Enable Entra ID protection for risky sign-ins.
Use tamper protection to secure services.
Block unapproved IT tools with AppLocker.
Run EDR in block mode for extra protection.
Enable automated investigation in Defender.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try It for Free

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.