Microsoft has issued a warning regarding the ransomware group Storm-0501, a financially motivated threat group that has shifted its tactics to target hybrid cloud environments in various US sectors and critical infrastructure.
Description
Storm-0501 exploits vulnerabilities in Zoho ManageEngine [3], Citrix NetScaler [3], and ColdFusion 2016 for initial access [3], using tools such as Impacket's SecretsDump and Cobalt Strike for lateral movement and credential theft [3]. The group targets vulnerable organizations [2], such as schools, hospitals [2], and law enforcement in the US [2], operating as an affiliate of various ransomware-as-a-service strains [2].

They have recently focused on hybrid cloud environments with weak passwords and overprivileged accounts [2], successfully targeting Entra ID credentials [2]. By compromising Microsoft Entra Connect Sync servers [1] [3], they extract plaintext credentials and hijack Domain Admin accounts that have corresponding Microsoft Entra ID accounts, especially where multifactor authentication is disabled [1]. Even with MFA enabled [1], attackers can compromise accounts by tampering with MFA or by gaining control of a user's device [1]. Once access is gained [1], attackers create a persistent backdoor by establishing a federation trust between the compromised tenant and an attacker-controlled tenant [1], which lets them impersonate any user in the organization and bypass MFA [1].

Storm-0501 uses the compromised credentials to access Microsoft Entra ID [2], allowing them to tamper with data [2], set up backdoor access [2], and deploy ransomware [2]. The compromised Domain Admin accounts are then used to distribute ransomware across the organization [2]. To defend against such attacks [2], organizations should move towards a zero-trust framework [2], centralize endpoint device management [2], and prioritize identity and access management [2], least-privilege principles [2], and timely patching of systems [2]. Mitigation and protection guidance [1], detection methods [1], hunting queries [1], and indicators of compromise are provided for defending against these attacks [1].
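The federation-trust backdoor described above changes how a domain authenticates, and those changes land in the Entra ID audit log. As an added example, not taken from the report or from any of the cited sources, the Python below flags those operations over constructed sample records and escalates any federation issuer the organization does not recognize; the operation names are real Entra ID audit operations, while the records, domains and issuer hosts are constructed placeholders.

```python
import json
from urllib.parse import urlparse
# Entra ID audit operations that change how a domain authenticates: the trail a
# federation-trust backdoor leaves once an attacker holds a privileged account.
FEDERATION_OPERATIONS = {
    "Set domain authentication": "high",
    "Set federation settings on domain": "high",
    "Add unverified domain": "medium",
    "Verify domain": "medium",
}
# Issuer hosts the organization really federates with (assumption; constructed value).
KNOWN_ISSUER_HOSTS = {"sts.corp.example"}

def _issuer_from(record):
    """Pull IssuerUri out of a record's modifiedProperties, if present."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "IssuerUri" and prop.get("newValue"):
                try:
                    return json.loads(prop["newValue"])  # newValue is a JSON-encoded string
                except ValueError:
                    return prop["newValue"]
    return None

def flag_federation_changes(records, known_hosts=KNOWN_ISSUER_HOSTS):
    """Alert on each record that alters domain authentication; unknown issuers are escalated."""
    alerts = []
    for rec in records:
        severity = FEDERATION_OPERATIONS.get(rec.get("operationName"))
        if severity is None:
            continue
        issuer = _issuer_from(rec)
        host = urlparse(issuer).hostname if issuer else None
        if host and host not in known_hosts:
            severity = "critical"
        alerts.append({"time": rec.get("activityDateTime"), "operation": rec["operationName"],
                       "actor": rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
                       "domains": [t.get("displayName") for t in rec.get("targetResources", [])],
                       "issuer": issuer, "severity": severity})
    return alerts

# Constructed sample records in the shape of AuditLogs entries (not real data).
SAMPLE_RECORDS = [
    {"activityDateTime": "2024-09-20T02:14:00Z", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
     "targetResources": [{"displayName": "jdoe@corp.example"}]},
    {"activityDateTime": "2024-09-20T02:15:30Z", "operationName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}},
     "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
         {"displayName": "IssuerUri", "newValue": "\"http://attacker-sts.invalid/adfs/services/trust\""}]}]},
]
```

Run over an exported AuditLogs feed, the same function serves as a hunting query; pair it with a review of the Entra Connect Sync server's local accounts, since that is where the report places the initial credential theft.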
Conclusion
The impact of Storm-0501’s tactics on hybrid cloud environments is significant, highlighting the need for organizations to enhance their cybersecurity measures. By implementing the recommended security practices and staying vigilant against potential threats, organizations can better protect themselves from ransomware attacks and safeguard their critical data and infrastructure.
References
[1] https://www.helpnetsecurity.com/2024/09/30/ransomware-cloud-compromise/
[2] https://www.darkreading.com/application-security/sloppy-entra-id-credentials-hybrid-cloud-ransomware
[3] https://cybersecuritynews.com/storm-0501-hybrid-cloud-attacks/