Storm-0501 Threatens Hybrid Cloud Security with Ransomware Attacks

The financially motivated cybercriminal group known as Storm-0501 is targeting U.S. industries, including government, manufacturing, transportation, and law enforcement, through ransomware attacks on hybrid cloud environments. Microsoft has detailed how this group’s multi-stage attack campaigns compromise on-premises systems, steal credentials, and then move to cloud environments, resulting in data theft and ransomware deployment.

Gaining Access and Reconnaissance

Storm-0501 has been active since 2021, initially targeting educational institutions with the Sabbath ransomware. The group later became a ransomware-as-a-service (RaaS) affiliate, deploying strains such as Hive, BlackCat, and Embargo. For initial access it relies on weak credentials and over-privileged accounts, which let it compromise an organization’s on-premises systems before pivoting to the cloud. Storm-0501 also exploits known vulnerabilities in widely deployed, internet-facing software such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion, breaching servers that have not been kept patched. Once inside, the group performs reconnaissance to locate valuable data and other high-value network assets. It deploys remote monitoring and management (RMM) tools such as AnyDesk to maintain persistence and move through the network, and it uses the open-source Impacket toolkit (its SecretsDump module) to dump credentials from hosts across the network, enabling privilege escalation and lateral movement.

Credential Theft and Movement to Cloud

A central feature of Storm-0501’s tradecraft is credential theft. The stolen credentials are used to reach more devices, conduct brute-force attacks, and collect sensitive files and password manager secrets, such as those stored in KeePass. This expands the group’s access across an organization’s systems, including those that hold sensitive information. Storm-0501’s operations are not limited to on-premises environments: the group also seeks to access and control the organization’s hybrid cloud identity. It uses two main strategies for this:

  1. The attackers compromise Microsoft Entra Connect Sync accounts, the service identities that synchronize identity data between on-premises Active Directory and Microsoft Entra ID (formerly Azure AD). Control of such an account gives them a backdoor for sustained access to cloud resources.
  2. Storm-0501 also carries out cloud session hijacking by identifying on-premises user accounts that also hold cloud admin privileges. If these accounts lack multi-factor authentication (MFA), the attackers use that weakness to enter the cloud environment, either because the same password is used on-premises and in the cloud or by tampering with the sync process to change it.
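Both strategies depend on a small, enumerable population: on-premises-synced users who hold a privileged Entra ID role without MFA, and the Connect Sync identities themselves. The following is an added example (not code from the article or from Microsoft) that lists both from directory data. The records are constructed in the shape of Microsoft Graph responses (the /users, /directoryRoles members and /reports/authenticationMethods/userRegistrationDetails endpoints); the tenant, names, IDs and the set of roles treated as privileged are assumptions for the sample.

```python
"""Added example: find the hybrid accounts Storm-0501 hunts for.

Records are constructed in the shape of Microsoft Graph responses; the tenant,
users, IDs and the privileged-role set are invented. In a real tenant you
would page these collections from Graph instead of embedding them.
"""

# Roles whose holders can take over the tenant (assumed set for this sample).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Hybrid Identity Administrator",
}

# Entra built-in role that Entra Connect Sync service accounts are placed in.
SYNC_ROLE = "Directory Synchronization Accounts"

# Constructed /users records; onPremisesSyncEnabled is null for cloud-only users.
USERS = [
    {"id": "u1", "userPrincipalName": "admin.jane@corp.example",
     "onPremisesSyncEnabled": True},
    {"id": "u2", "userPrincipalName": "cloudonly.ops@corp.example",
     "onPremisesSyncEnabled": None},
    {"id": "u3", "userPrincipalName": "helpdesk.bob@corp.example",
     "onPremisesSyncEnabled": True},
    {"id": "u4", "userPrincipalName": "Sync_SRV01_abc123@corp.onmicrosoft.com",
     "onPremisesSyncEnabled": None},
    {"id": "u5", "userPrincipalName": "admin.ops@corp.example",
     "onPremisesSyncEnabled": True},
]

# Constructed role membership, flattened to role display name -> member ids.
ROLE_MEMBERS = {
    "Global Administrator": ["u1", "u2", "u5"],
    "Helpdesk Administrator": ["u3"],
    SYNC_ROLE: ["u4"],
}

# Constructed userRegistrationDetails, keyed by user id.
REGISTRATION = {
    "u1": {"isMfaCapable": False},
    "u2": {"isMfaCapable": True},
    "u3": {"isMfaCapable": False},
    "u4": {"isMfaCapable": False},
    "u5": {"isMfaCapable": True},
}


def roles_by_user(role_members):
    """Invert role -> members into user id -> set of role names."""
    index = {}
    for role, members in role_members.items():
        for uid in members:
            index.setdefault(uid, set()).add(role)
    return index


def hybrid_admins_without_mfa(users, role_members, registration,
                              privileged=PRIVILEGED_ROLES):
    """Synced users in a privileged role with no MFA method registered: one
    stolen on-prem password reaches the cloud. Returns (upn, sorted roles)."""
    index = roles_by_user(role_members)
    findings = []
    for user in users:
        if not user.get("onPremisesSyncEnabled"):
            continue  # cloud-only identity: on-prem credential theft does not reach it
        held = index.get(user["id"], set()) & privileged
        if not held:
            continue
        if registration.get(user["id"], {}).get("isMfaCapable"):
            continue  # MFA registered: the password alone does not open the tenant
        findings.append((user["userPrincipalName"], sorted(held)))
    return findings


def sync_accounts(users, role_members):
    """Members of the Directory Synchronization Accounts role, i.e. the Entra
    Connect Sync identities. They should be blocked from interactive sign-in
    and the Connect server treated as a tier-0 asset."""
    ids = set(role_members.get(SYNC_ROLE, []))
    return sorted(u["userPrincipalName"] for u in users if u["id"] in ids)


if __name__ == "__main__":
    for upn, roles in hybrid_admins_without_mfa(USERS, ROLE_MEMBERS, REGISTRATION):
        print(f"RISK  {upn}: synced, no MFA, holds {', '.join(roles)}")
    for upn in sync_accounts(USERS, ROLE_MEMBERS):
        print(f"SYNC  {upn}: Connect Sync account, guard like a DC credential")
```

Against the sample data only admin.jane is reported: cloudonly.ops is not synced, helpdesk.bob holds no privileged role, and admin.ops has MFA registered. Cloud-only break-glass admins with MFA are the model these findings should be driven toward.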

Persistent Access and Ransomware Deployment

Once they achieve sufficient control, Storm-0501 maintains access to the cloud and deploys the Embargo ransomware to encrypt files across the organization. Embargo, a Rust-based ransomware first identified in May 2024, operates under a RaaS model, so Storm-0501 shares a portion of each ransom with the ransomware’s developers. The strain uses double extortion: it encrypts the victim’s files and threatens to leak the stolen data unless the ransom is paid. While moving from on-premises to cloud environments, Storm-0501 also takes advantage of weak identity hygiene, such as disabled MFA and over-permissioned Global Administrator roles. With that level of access it creates a persistent backdoor by converting a managed domain to a federated one, which lets it forge SAML tokens and sign in as tenant users while bypassing MFA and other standard controls.
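The cloud-side steps above leave traces in Entra ID logs: a domain’s authentication being switched to federated, the Connect Sync account signing in interactively, and privileged users signing in from unfamiliar addresses (the kind of monitoring the recommendations further down call for). The following added example, which is not Microsoft’s or the article’s detection logic, runs those three checks over log records. The records are constructed in the shape of Entra ID audit-log entries (activityDisplayName, initiatedBy, targetResources) and sign-in entries (userPrincipalName, ipAddress, isInteractive); the audit activity names used as indicators, the privileged-user list and the trusted IP ranges are assumptions for the sample and should be confirmed against your own tenant’s logs.

```python
"""Added example: cloud-side indicators of the Storm-0501 playbook in
Entra ID audit and sign-in records. All records are constructed; the activity
names, privileged users and trusted networks are assumptions for the sample.
"""
import ipaddress

# Audit activities recorded when a domain's authentication or federation
# settings change (assumed indicator names; confirm against your tenant's logs).
FEDERATION_ACTIVITIES = {"Set domain authentication",
                         "Set federation settings on domain"}

# Assumed tenant facts: where admins normally sign in from, and who is privileged.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]
PRIVILEGED_UPNS = {"admin.jane@corp.example"}

# Constructed audit-log entries.
AUDIT = [
    {"activityDisplayName": "Update user",
     "initiatedBy": "helpdesk.bob@corp.example",
     "targetResources": ["someone@corp.example"]},
    {"activityDisplayName": "Set domain authentication",
     "initiatedBy": "admin.jane@corp.example",
     "targetResources": ["corp.example"]},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "admin.jane@corp.example",
     "targetResources": ["corp.example"]},
]

# Constructed sign-in entries.
SIGNINS = [
    {"userPrincipalName": "Sync_SRV01_abc123@corp.onmicrosoft.com",
     "ipAddress": "10.0.0.15", "isInteractive": False},    # normal sync traffic
    {"userPrincipalName": "Sync_SRV01_abc123@corp.onmicrosoft.com",
     "ipAddress": "203.0.113.44", "isInteractive": True},  # a human using the sync creds
    {"userPrincipalName": "admin.jane@corp.example",
     "ipAddress": "10.0.0.20", "isInteractive": True},
    {"userPrincipalName": "admin.jane@corp.example",
     "ipAddress": "198.51.100.7", "isInteractive": True},
]


def federation_changes(audit):
    """(actor, domain) pairs for every federation/authentication change.
    A managed-to-federated flip by an unexpected actor is the backdoor."""
    return [(e["initiatedBy"], target)
            for e in audit if e["activityDisplayName"] in FEDERATION_ACTIVITIES
            for target in e["targetResources"]]


def is_sync_account(upn):
    """Entra Connect Sync accounts follow Sync_<server>_<id>@<tenant>.onmicrosoft.com."""
    local, _, domain = upn.partition("@")
    return local.startswith("Sync_") and domain.endswith(".onmicrosoft.com")


def sync_account_interactive(signins):
    """The sync account only authenticates non-interactively from the Connect
    server; an interactive sign-in means someone else holds its credentials."""
    return [(s["userPrincipalName"], s["ipAddress"])
            for s in signins
            if is_sync_account(s["userPrincipalName"]) and s["isInteractive"]]


def privileged_from_untrusted_ip(signins, privileged=PRIVILEGED_UPNS,
                                 trusted=TRUSTED_NETS):
    """Privileged sign-ins from outside the ranges the tenant expects."""
    hits = []
    for s in signins:
        if s["userPrincipalName"] not in privileged:
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if not any(ip in net for net in trusted):
            hits.append((s["userPrincipalName"], s["ipAddress"]))
    return hits


def alerts(audit, signins):
    """Human-readable alert lines from all three checks."""
    out = [f"FEDERATION    {actor} changed federation/authentication of {domain}"
           for actor, domain in federation_changes(audit)]
    out += [f"SYNC-ACCOUNT  interactive sign-in by {upn} from {ip}"
            for upn, ip in sync_account_interactive(signins)]
    out += [f"ADMIN-IP      {upn} signed in from untrusted {ip}"
            for upn, ip in privileged_from_untrusted_ip(signins)]
    return out


if __name__ == "__main__":
    for line in alerts(AUDIT, SIGNINS):
        print(line)
```

The federation check is the one to treat as a high-severity alert on its own: legitimate federation changes are rare, planned events, so any occurrence outside a change window warrants immediate review of the domain’s federation settings and the signing certificate registered for it.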

Mitigation and Defense Recommendations

Organizations are advised to implement multiple security measures to counter the techniques used by Storm-0501. These include:

  • Enforcing strong credential policies and limiting account privileges.
  • Enabling Conditional Access policies for high-risk accounts.
  • Ensuring MFA is enforced for all cloud accounts, and without exception for admin accounts, so that a stolen password alone does not grant access.
  • Monitoring on-premises and cloud activity for any unusual behavior, such as logins from unrecognized IP addresses or devices.

Organizations are encouraged to review and update their security protocols, applying patches and adopting best practices for both on-premises and cloud systems to minimize vulnerabilities.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related area of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone