Storm-0501 exploits Entra ID to remove and delete Azure data in hybrid cloud attacks

By user, August 27, 2025

A financially motivated threat actor known as Storm-0501 has been observed refining its tactics for carrying out data exfiltration and extortion attacks against cloud environments.

“Unlike traditional on-premises ransomware, where threat actors usually deploy malware to encrypt critical files across endpoints within the compromised network and negotiate over decryption keys, cloud-based ransomware brings about fundamental changes.”

“Leaning on cloud-native capabilities, Storm-0501 rapidly exfiltrates large amounts of data, destroys data and backups within the victim environment, and demands ransom.”

Storm-0501 was first documented by Microsoft almost a year ago, in connection with hybrid cloud ransomware attacks targeting the US government, manufacturing, transportation, and law enforcement sectors, in which the threat actor pivoted from on-premises footholds into the cloud for subsequent data exfiltration, credential theft, and ransomware deployment.

Believed to be active since 2021, the hacking group has over the years operated as an affiliate of several ransomware-as-a-service (RaaS) programs, including Sabbath, Hive, BlackCat (ALPHV), Hunters International, LockBit and Embargo.


“Storm-0501 continues to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows,” the company said. “They look for security gaps, such as unmanaged devices, in hybrid cloud environments, avoid detection, escalate cloud privileges, and in some cases cross tenants in multi-tenant setups to achieve their goals.”

A typical attack chain begins with initial access followed by on-premises lateral movement and reconnaissance that lead to privilege escalation to domain administrator, after which the attackers breach the target cloud environment and initiate a multi-stage sequence that includes persistence, privilege escalation, data exfiltration, and extortion.

According to Microsoft, initial access is achieved through intrusions facilitated by access brokers such as Storm-0249 and Storm-0900, who either use stolen or compromised credentials to sign in to the target system or exploit various known code execution vulnerabilities.

In a recent campaign targeting unnamed large companies with multiple subsidiaries, Storm-0501 reportedly conducted reconnaissance before moving laterally through the network using Evil-WinRM. The attacker also extracted credentials from Active Directory by performing a DCSync attack, which simulates the behavior of a domain controller.

“The threat actor leveraged existing trust relationships in the Active Directory environment to traverse between Active Directory domains and eventually move laterally, breaching a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain,” Microsoft said.

“The threat actors repeated the reconnaissance process of extracting the directory sync account, this time targeting the identities and resources of the second tenant.”

These efforts ultimately led Storm-0501 to identify a non-human synchronized identity in the tenant’s Microsoft Entra ID that held the Global Administrator role and lacked multi-factor authentication (MFA) protection. This opened the door to a scenario in which the attacker reset that user’s on-premises password and let the Entra Connect Sync service synchronize the new password to the user’s cloud identity.

Armed with the compromised Global Administrator account, the intruder accessed the Azure portal, registered a threat actor-owned Entra ID tenant as a trusted federated domain to create a backdoor, and then expanded access to critical Azure resources before moving to the data exfiltration and extortion phase.
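The federated-domain backdoor described above leaves a trace in the Entra ID audit log, and a defender would want a check that flags any domain-federation change targeting a domain the organisation does not operate. The following is an added example, not code from the article or from Microsoft; the operation names and record fields are assumptions modelled on the shape of Entra audit exports, and the sample records and allowlist are constructed.

```python
import json

# Audit-log operation names that change how a domain authenticates
# (assumed names; verify against your own tenant's audit exports).
FEDERATION_OPERATIONS = {
    "Set domain authentication",
    "Set federation settings on domain",
    "Add unverified domain",
}

# Domains the organisation legitimately federates (constructed allowlist).
KNOWN_FEDERATED_DOMAINS = {"corp.example.com"}


def federation_backdoor_alerts(records, known_domains=KNOWN_FEDERATED_DOMAINS):
    """Return one alert per federation change whose target domain is not on
    the allowlist. The field layout (activityDisplayName, initiatedBy,
    targetResources) mirrors Entra audit exports as an assumption."""
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_OPERATIONS:
            continue
        # App-initiated records carry no "user" key; report them as unknown.
        actor = (rec.get("initiatedBy", {}).get("user", {})
                 .get("userPrincipalName", "<unknown>"))
        for target in rec.get("targetResources", []):
            domain = target.get("displayName", "").lower()  # case-normalise
            if domain and domain not in known_domains:
                alerts.append({"time": rec.get("activityDateTime"),
                               "operation": rec["activityDisplayName"],
                               "actor": actor, "domain": domain})
    return alerts


# Constructed sample export: a routine change to the known domain, then a
# federation of an attacker-controlled domain by a compromised synced admin.
SAMPLE_RECORDS = json.loads("""[
  {"activityDateTime": "2025-08-01T09:12:00Z",
   "activityDisplayName": "Set domain authentication",
   "initiatedBy": {"user": {"userPrincipalName": "it-ops@corp.example.com"}},
   "targetResources": [{"displayName": "corp.example.com"}]},
  {"activityDateTime": "2025-08-01T23:41:00Z",
   "activityDisplayName": "Set domain authentication",
   "initiatedBy": {"user": {"userPrincipalName": "svc-sync@corp.example.com"}},
   "targetResources": [{"displayName": "Attacker-Tenant.example"}]}
]""")

if __name__ == "__main__":
    for a in federation_backdoor_alerts(SAMPLE_RECORDS):
        print(f"ALERT {a['time']} {a['actor']} federated {a['domain']}")
```

In practice the allowlist would come from the tenant's verified-domain inventory, and any hit on a synchronized or service identity deserves immediate review.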


“After completing the exfiltration phase, Storm-0501 began mass-deleting Azure resources containing the victim organization’s data, ensuring that the victim could not take any remediation or mitigation measures by restoring the data,” Microsoft said.

“After exfiltrating and destroying data in the Azure environment, the threat actor began the extortion stage, using one of the previously compromised user accounts to contact the victim over Microsoft Teams and demand a ransom.”

Microsoft said it has rolled out a change to Microsoft Entra ID that prevents threat actors from escalating privileges by abusing directory sync accounts. It has also released an update to Microsoft Entra Connect (version 2.5.3.0) that supports newer authentication methods, allowing customers to configure application-based authentication for enhanced security.

“It is also important to enable Trusted Platform Module (TPM) on Entra Connect Sync servers to securely store sensitive credentials and encryption keys, and to mitigate Storm-0501’s credential extraction techniques,” the tech giant added.
