The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
By leveraging cloud-native capabilities, analysis from the tech giant shows Storm-0501 exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all at speed and without relying on traditional malware deployment.
This time last year, Microsoft warned that Storm-0501 had extended its on-premises ransomware operations into hybrid cloud environments.
The group has shown to have compromised Active Directory environments before pivoting to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges.
“Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows,” said the Microsoft Threat Intelligence team.
“They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals.”
How Storm-0501 operates
Microsoft gives the example of one recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries. Each operated its own Active Directory domain, all interconnected through domain trust relationships and enabling cross-domain authentication and resource access.
However, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license, creating visibility gaps across the environment.
Storm-0501 checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems, Microsoft said.
Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that utilizes PowerShell over Windows Remote Management (WinRM) for remote code execution.
Commands were executed over sessions initiated with Evil-WinRM, as well as discovery using other common native Windows tools and commands such as quser.exe and net.exe.
Earlier in the attack, Storm-0501 had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint – and which Microsoft reckons was used as a pivot point, with the group establishing a tunnel to move laterally within the network.
It also carried out a DCSync attack, abusing the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller – allowing it to request password hashes for any user in the domain, including privileged accounts.
It then pivoted to the cloud, leveraging the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant using AzureHound.
“Shortly thereafter, the threat actor attempted to sign in as several privileged users. These attempts were unsuccessful, blocked by Conditional Access policies and multi-factor authentication (MFA) requirements,” said the team.
“This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions.”
In response, Storm-0501 shifted tactics, traversing between Active Directory domains and eventually moving laterally to compromise a second Entra Connect server and identify an admin identity that didn’t have MFA enabled – allowing it to assign a new password.
“From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain,” researchers said.
“The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
