Microsoft Unveils Storm-0501’s Cloud-Based Ransomware Deployment Tactics


Microsoft Threat Intelligence has detailed the evolving tactics of the financially motivated threat actor Storm-0501, which has transitioned from traditional on-premises ransomware deployments to sophisticated cloud-based operations.

Unlike conventional ransomware, which relies on endpoint encryption malware and a subsequent negotiation over decryption keys, Storm-0501 abuses cloud-native capabilities to exfiltrate large volumes of data, destroy backups, and extort victims without deploying any malware on endpoints.

This opportunistic actor, previously linked to Sabbath ransomware attacks on U.S. school districts in 2021 and healthcare targets in 2023, has adopted payloads like Embargo in 2024, expanding into hybrid cloud environments.

Shift to Cloud-Centric Ransomware Strategies

In a September 2024 blog, Microsoft described how Storm-0501 compromises on-premises Active Directory and pivots into Microsoft Entra ID, escalating to Global Administrator privileges and then either planting a persistent backdoor through a malicious federated domain or deploying ransomware on-premises.

More recent campaigns show the actor taking advantage of unmanaged devices and of security gaps between multiple tenants, traversing from one tenant to another and escalating privileges along the way.

In a recent attack on a large enterprise, Storm-0501 worked through a complex estate of interconnected Active Directory domains and fragmented Azure tenants, exploiting the fact that Microsoft Defender for Endpoint covered only part of the estate, which left visibility blind spots.

(Figure: Overview of Storm-0501 cloud-based ransomware attack chain)

Once it held domain administrator access, the actor checked which hosts had endpoint protection by querying the relevant services, for example ‘sc query sense’ (the Defender for Endpoint sensor service) and ‘sc query windefend’ (Microsoft Defender Antivirus). It then moved laterally with Evil-WinRM, which provides a PowerShell session over WinRM, and ran quser.exe and net.exe on the targets for user, session, and group discovery.

In-Depth Analysis of Attack Chain

The actor then ran a DCSync attack: abusing directory replication rights to request account password hashes from a domain controller the way a legitimate replication partner would. Because this yields credentials without touching LSASS or NTDS.dit on the compromised host, it avoids the alerts that conventional credential dumping would raise.
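The on-premises stage described above leaves three distinct traces in Windows telemetry: the service queries that probe for Defender, discovery tools spawned from a WinRM host process, and a 4662 directory-object access with replication rights from an account that is not a domain controller. The script below is an added example (not Microsoft's code and not from the original report) that runs those three rules over a constructed sample of process-creation and 4662 records. Field names, host names, and user names are assumptions chosen for the example; the replication-right and domainDNS class GUIDs are the real ones from the AD schema.

```python
import re
from typing import Dict, List

# Extended-right GUIDs a DCSync requests (DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All) and the schema GUID of the domainDNS class,
# which is the object type a Security 4662 event shows when the domain naming
# context is the target.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"

DEFENDER_PROBE = re.compile(r"\bquery\s+(sense|windefend)\b", re.IGNORECASE)
REMOTE_SHELL_PARENTS = {"wsmprovhost.exe"}  # WinRM host process that Evil-WinRM sessions run under
DISCOVERY_TOOLS = {"quser.exe", "net.exe", "net1.exe"}
# Entra Connect's AD connector account (MSOL_<id> in express setups) replicates
# legitimately for password hash sync, so it is excluded from the DCSync rule.
LEGITIMATE_REPLICATOR_PREFIXES = ("msol_",)

# Constructed sample telemetry (not real victim data). event_id 1 records mirror the
# fields of Sysmon event 1 / Security 4688; event_id 4662 records mirror Security
# directory-object access auditing.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "host": "FS01", "user": "CORP\\admin.j", "image": "C:\\Windows\\System32\\sc.exe",
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "command_line": "sc query sense"},
    {"event_id": 1, "host": "FS01", "user": "CORP\\admin.j", "image": "C:\\Windows\\System32\\sc.exe",
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "command_line": "sc  query windefend"},
    {"event_id": 1, "host": "FS01", "user": "CORP\\admin.j", "image": "C:\\Windows\\System32\\quser.exe",
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "command_line": "quser"},
    {"event_id": 1, "host": "FS01", "user": "CORP\\admin.j", "image": "C:\\Windows\\System32\\net.exe",
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "command_line": "net group \"Domain Admins\" /domain"},
    # Benign: a helpdesk user checking the print spooler from an interactive shell.
    {"event_id": 1, "host": "WS07", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\sc.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "sc query spooler"},
    # 4662 on the domain naming context with replication rights, from a human admin account.
    {"event_id": 4662, "host": "DC01", "user": "CORP\\admin.j",
     "object_type": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "properties": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]},
    # Normal replication between domain controllers uses machine accounts.
    {"event_id": 4662, "host": "DC01", "user": "CORP\\DC02$",
     "object_type": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "properties": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]},
    # Entra Connect's connector account pulling hashes for PHS is expected.
    {"event_id": 4662, "host": "DC01", "user": "CORP\\MSOL_4f2a9c",
     "object_type": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "properties": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_machine_or_sync_account(user: str) -> bool:
    name = user.lower().rsplit("\\", 1)[-1]
    return name.endswith("$") or name.startswith(LEGITIMATE_REPLICATOR_PREFIXES)


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one finding per rule hit: defender_probe, winrm_discovery, dcsync."""
    findings: List[Dict] = []
    for e in events:
        if e["event_id"] == 1:
            image, parent = _basename(e["image"]), _basename(e["parent_image"])
            if image == "sc.exe" and DEFENDER_PROBE.search(e["command_line"]):
                findings.append({"rule": "defender_probe", "host": e["host"],
                                 "user": e["user"], "evidence": e["command_line"]})
            if parent in REMOTE_SHELL_PARENTS and image in DISCOVERY_TOOLS:
                findings.append({"rule": "winrm_discovery", "host": e["host"],
                                 "user": e["user"], "evidence": f"{parent} -> {image}"})
        elif e["event_id"] == 4662:
            rights = set(e.get("properties", []))
            if (DOMAIN_DNS_CLASS in e.get("object_type", "").lower()
                    and DS_REPL_GET_CHANGES_ALL in rights
                    and not _is_machine_or_sync_account(e["user"])):
                findings.append({"rule": "dcsync", "host": e["host"],
                                 "user": e["user"], "evidence": sorted(rights)})
    return findings


def rule_counts(findings: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The DCSync rule keys on DS-Replication-Get-Changes-All because that right is what exposes secret attributes; the machine-account and MSOL_ exclusions are the two legitimate sources of that access in a hybrid domain, and anything else requesting it deserves a look even if the account is a domain admin.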

Pivoting to the cloud, the actor used the compromised Entra Connect Sync server as a foothold and enumerated users and role assignments with AzureHound, looking for Global Administrator identities that were synced from on-premises and not protected by MFA.

Because Password Hash Synchronization (PHS) pushes on-premises password changes to Entra ID, resetting such an account’s on-premises password gave the actor a working cloud credential. With it they authenticated to Entra ID, registered attacker-controlled MFA methods on the account, and satisfied Conditional Access policies by signing in from hybrid-joined devices, which gave them full control of the tenant.
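The sequence above (a sync-driven password reset on a privileged synced account, followed shortly by a new MFA registration on that same account) is a tight pattern to correlate in Entra audit logs. The script below is an added example, not from the report and not Microsoft's code: it walks constructed records shaped like Microsoft Graph /auditLogs/directoryAudits entries and pairs resets initiated by the Entra Connect sync account with a subsequent security-info registration inside a time window. The activityDisplayName strings, the Global Administrator list, and the UPNs are assumptions for the example and should be checked against the tenant's own logs before the rule is deployed; the Sync_<server>_<id>@<tenant>.onmicrosoft.com naming of the sync account is the real convention.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed tenant context: Global Administrator UPNs as exported from the role's membership.
GLOBAL_ADMINS = {"ga.svc@contoso.example", "it.director@contoso.example"}
WINDOW = timedelta(hours=24)
# Entra Connect's cloud-side sync account is named Sync_<server>_<id>@<tenant>.onmicrosoft.com.
SYNC_ACCOUNT_PREFIX = "sync_"

# Constructed audit records (not real data) in the shape of directoryAudits entries.
# The activityDisplayName values are assumed for the example.
SAMPLE_AUDITS: List[Dict] = [
    {"activityDateTime": "2025-08-20T09:02:11Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_ENTRACONNECT01_1a2b3c@contoso.onmicrosoft.com"}},
     "targetResources": [{"userPrincipalName": "ga.svc@contoso.example"}]},
    {"activityDateTime": "2025-08-20T09:15:40Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "ga.svc@contoso.example"}},
     "targetResources": [{"userPrincipalName": "ga.svc@contoso.example"}]},
    # Benign: helpdesk resets a normal user's password in the portal; no sync account involved.
    {"activityDateTime": "2025-08-20T10:00:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    # A synced admin's reset followed by MFA registration three days later: outside the window.
    {"activityDateTime": "2025-08-18T08:00:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_ENTRACONNECT01_1a2b3c@contoso.onmicrosoft.com"}},
     "targetResources": [{"userPrincipalName": "it.director@contoso.example"}]},
    {"activityDateTime": "2025-08-21T08:00:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "it.director@contoso.example"}},
     "targetResources": [{"userPrincipalName": "it.director@contoso.example"}]},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _target(a: Dict) -> str:
    return a["targetResources"][0]["userPrincipalName"].lower()


def _actor(a: Dict) -> str:
    return a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()


def correlate(audits: List[Dict], global_admins=GLOBAL_ADMINS, window=WINDOW) -> List[Dict]:
    """Two rules: any sync-initiated reset of a Global Administrator (the account should
    not be synced at all), and a sync-initiated reset followed by MFA registration."""
    findings: List[Dict] = []
    sync_resets: Dict[str, List[datetime]] = {}
    for a in sorted(audits, key=lambda x: x["activityDateTime"]):
        when, target, actor = _parse(a["activityDateTime"]), _target(a), _actor(a)
        name = a["activityDisplayName"]
        if name == "Reset user password" and actor.startswith(SYNC_ACCOUNT_PREFIX):
            sync_resets.setdefault(target, []).append(when)
            if target in global_admins:
                findings.append({"rule": "sync_reset_of_global_admin", "user": target,
                                 "time": a["activityDateTime"]})
        elif name == "User registered security info":
            for reset_time in sync_resets.get(target, []):
                if timedelta(0) <= when - reset_time <= window:
                    findings.append({"rule": "reset_then_mfa_registration", "user": target,
                                     "reset_time": reset_time.isoformat(),
                                     "registration_time": a["activityDateTime"],
                                     "severity": "high" if target in global_admins else "medium"})
                    break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_AUDITS):
        print(f)
```

The first rule fires on its own because a Global Administrator whose password can be changed from on-premises is the precondition for this whole pivot; the second rule is the actual takeover signature, and a hit on a privileged account should trigger a session revocation and a review of the registered authentication methods.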

For persistence, the actor added a malicious federated domain to the tenant as a backdoor and used AADInternals to forge SAML tokens that Entra ID accepted, allowing it to impersonate users in the tenant.
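A federated-domain backdoor is only useful to the attacker while the tenant trusts an issuer and signing certificate the defenders did not put there, so the check a practitioner wants is a comparison of every federated domain against a known-good baseline. The script below is an added example (not the report's or Microsoft's code): it reads constructed responses shaped like Microsoft Graph GET /v1.0/domains and GET /v1.0/domains/{id}/federationConfiguration, flags federated domains missing from the baseline, issuer URIs that differ, and signing certificates whose SHA-1 thumbprint is unknown. Domain names, issuer URIs, and the placeholder certificate bytes are assumptions for the example; the field names are Graph's.

```python
import base64
import hashlib
from typing import Dict, List

# Placeholder bytes stand in for DER-encoded token-signing certificates; a real run
# feeds the base64 DER string Graph returns in signingCertificate straight in.
KNOWN_GOOD_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-of-the-adfs-signing-cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-of-an-unknown-cert").decode()


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the thumbprint format AD FS displays."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


# Assumed baseline: which domains are legitimately federated, to which issuer, with which certs.
EXPECTED_FEDERATION = {
    "corp.contoso.example": {
        "issuer_uri": "http://adfs.corp.contoso.example/adfs/services/trust",
        "thumbprints": {thumbprint(KNOWN_GOOD_CERT_B64)},
    },
}

# Constructed sample (not real data) in the shape of the /domains value array ...
SAMPLE_DOMAINS: List[Dict] = [
    {"id": "contoso.example", "authenticationType": "Managed", "isVerified": True, "isDefault": True},
    {"id": "corp.contoso.example", "authenticationType": "Federated", "isVerified": True, "isDefault": False},
    {"id": "legacy.contoso.example", "authenticationType": "Federated", "isVerified": True, "isDefault": False},
]
# ... and of each domain's federationConfiguration value array.
SAMPLE_FEDERATION: Dict[str, List[Dict]] = {
    "corp.contoso.example": [{
        "issuerUri": "http://adfs.corp.contoso.example/adfs/services/trust",
        "passiveSignInUri": "https://adfs.corp.contoso.example/adfs/ls/",
        "signingCertificate": KNOWN_GOOD_CERT_B64,
        "nextSigningCertificate": ROGUE_CERT_B64,  # a rolled-in certificate nobody recognises
    }],
    "legacy.contoso.example": [{
        "issuerUri": "http://sts.attacker.example/adfs/services/trust",
        "passiveSignInUri": "https://sts.attacker.example/adfs/ls/",
        "signingCertificate": ROGUE_CERT_B64,
        "nextSigningCertificate": None,
    }],
}


def audit_federation(domains: List[Dict], federation: Dict[str, List[Dict]],
                     expected=EXPECTED_FEDERATION) -> List[Dict]:
    findings: List[Dict] = []
    for d in domains:
        if d.get("authenticationType") != "Federated":
            continue
        name = d["id"].lower()
        if name not in expected:
            issuers = [c.get("issuerUri") for c in federation.get(name, [])]
            findings.append({"rule": "unexpected_federated_domain", "domain": name, "issuers": issuers})
            continue
        for cfg in federation.get(name, []):
            if cfg.get("issuerUri") != expected[name]["issuer_uri"]:
                findings.append({"rule": "issuer_uri_mismatch", "domain": name,
                                 "issuer": cfg.get("issuerUri")})
            # Both the current and the queued certificate can sign accepted tokens.
            for field in ("signingCertificate", "nextSigningCertificate"):
                cert = cfg.get(field)
                if cert and thumbprint(cert) not in expected[name]["thumbprints"]:
                    findings.append({"rule": "unknown_signing_certificate", "domain": name,
                                     "field": field, "thumbprint": thumbprint(cert)})
    return findings


if __name__ == "__main__":
    for f in audit_federation(SAMPLE_DOMAINS, SAMPLE_FEDERATION):
        print(f)
```

Checking nextSigningCertificate matters because a backdoor can be parked there without disturbing the certificate currently in use; the thumbprint is only a convenient identifier for comparison against what the AD FS administrators report, not a security property of the certificate itself.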

In Azure, the actor used Microsoft.Authorization/elevateAccess/action (the Global Administrator elevation that grants access management for Azure resources) to obtain the User Access Administrator role at root scope, then granted themselves Owner on subscriptions through Microsoft.Authorization/roleAssignments/write.

Discovery with AzureHound then mapped critical assets such as storage accounts and backups, together with the controls protecting them: Azure Policy assignments, resource locks, and immutability policies.

For defense evasion, they enabled public access on storage accounts via Microsoft.Storage/storageAccounts/write, retrieved account keys with Microsoft.Storage/storageAccounts/listkeys/action, and exfiltrated the data with the AzCopy command-line tool.

The impact phase was mass deletion: Microsoft.Compute/snapshots/delete for disk snapshots, Microsoft.Compute/restorePointCollections/delete for VM restore points, Microsoft.Storage/storageAccounts/delete for entire storage accounts, and Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete for backup items in Recovery Services vaults.

Where resource locks or immutability policies stood in the way, they removed them first with Microsoft.Authorization/locks/delete and Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete.

For data that could not be deleted, the actor turned to cloud-side encryption: Microsoft.KeyVault/vaults/write to create a Key Vault under their control and Microsoft.Storage/storageAccounts/encryptionScopes/write to create encryption scopes backed by it, so that the data depended on keys the actor held. Azure’s soft-delete feature limited permanent loss in some cases. Extortion then followed over Microsoft Teams, with the ransom demand delivered after the data had been destroyed.
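Every Azure step in the chain above, from the elevateAccess call through the deletions and the Key Vault creation, is an ARM operation recorded in the Azure Activity Log, so the whole sequence can be triaged from one log stream. The script below is an added example (not from the report and not Microsoft's detection logic): it groups constructed Activity Log records by caller, assigns each watched operation to a stage, and flags callers that span several stages or that touched lock or immutability deletions at all, including failed attempts. The stage weights, the three-stage threshold, the subscription id, and the caller identities are assumptions for the example; the operation names are the ones listed in the text and the record layout (operationName.value, caller, resourceId, status.value, eventTimestamp) is the Activity Log's.

```python
from collections import defaultdict
from typing import Dict, List

# Operations from the chain, mapped to a stage and a weight (the weights are this
# example's own tuning, not a Microsoft scoring scheme).
WATCHED_OPERATIONS = {
    "microsoft.authorization/elevateaccess/action": ("privilege_escalation", 5),
    "microsoft.authorization/roleassignments/write": ("privilege_escalation", 3),
    "microsoft.storage/storageaccounts/write": ("collection", 1),
    "microsoft.storage/storageaccounts/listkeys/action": ("collection", 2),
    "microsoft.authorization/locks/delete": ("defense_evasion", 4),
    "microsoft.storage/storageaccounts/blobservices/containers/immutabilitypolicies/delete": ("defense_evasion", 5),
    "microsoft.compute/snapshots/delete": ("impact", 3),
    "microsoft.compute/restorepointcollections/delete": ("impact", 3),
    "microsoft.storage/storageaccounts/delete": ("impact", 4),
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/delete": ("impact", 5),
    "microsoft.keyvault/vaults/write": ("impact", 2),
    "microsoft.storage/storageaccounts/encryptionscopes/write": ("impact", 3),
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # assumed subscription id
ACTOR, AUTOMATION = "ga.svc@contoso.example", "backup-automation@contoso.example"


def _ev(ts: str, op: str, caller: str, resource: str, status: str) -> Dict:
    return {"eventTimestamp": ts, "operationName": {"value": op}, "caller": caller,
            "resourceId": resource, "status": {"value": status}}


# Constructed Activity Log records (not real data). Note the Started/Succeeded pair for
# elevateAccess: only the terminal record counts.
SAMPLE_ACTIVITY: List[Dict] = [
    _ev("2025-08-21T02:10:00Z", "Microsoft.Authorization/elevateAccess/action", ACTOR, "/providers/Microsoft.Authorization", "Started"),
    _ev("2025-08-21T02:10:01Z", "Microsoft.Authorization/elevateAccess/action", ACTOR, "/providers/Microsoft.Authorization", "Succeeded"),
    _ev("2025-08-21T02:12:00Z", "Microsoft.Authorization/roleAssignments/write", ACTOR, f"{SUB}/providers/Microsoft.Authorization/roleAssignments/ra-1", "Succeeded"),
    _ev("2025-08-21T02:30:00Z", "Microsoft.Storage/storageAccounts/write", ACTOR, f"{SUB}/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/finance01", "Succeeded"),
    _ev("2025-08-21T02:31:00Z", "Microsoft.Storage/storageAccounts/listKeys/action", ACTOR, f"{SUB}/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/finance01", "Succeeded"),
    _ev("2025-08-21T04:00:00Z", "Microsoft.Authorization/locks/delete", ACTOR, f"{SUB}/resourceGroups/data/providers/Microsoft.Authorization/locks/no-delete", "Succeeded"),
    _ev("2025-08-21T04:01:00Z", "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete", ACTOR, f"{SUB}/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/finance01/blobServices/default/containers/archive/immutabilityPolicies/default", "Failed"),
    _ev("2025-08-21T04:05:00Z", "Microsoft.Compute/snapshots/delete", ACTOR, f"{SUB}/resourceGroups/vms/providers/Microsoft.Compute/snapshots/vm01-snap", "Succeeded"),
    _ev("2025-08-21T04:06:00Z", "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/delete", ACTOR, f"{SUB}/resourceGroups/backup/providers/Microsoft.RecoveryServices/vaults/rsv01/backupFabrics/Azure/protectionContainers/c1", "Succeeded"),
    _ev("2025-08-21T04:20:00Z", "Microsoft.KeyVault/vaults/write", ACTOR, f"{SUB}/resourceGroups/data/providers/Microsoft.KeyVault/vaults/kv-new", "Succeeded"),
    _ev("2025-08-21T04:22:00Z", "Microsoft.Storage/storageAccounts/encryptionScopes/write", ACTOR, f"{SUB}/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/finance01/encryptionScopes/scope1", "Succeeded"),
    # Routine nightly snapshot cleanup by an automation identity: impact stage only.
    _ev("2025-08-21T03:00:00Z", "Microsoft.Compute/snapshots/delete", AUTOMATION, f"{SUB}/resourceGroups/vms/providers/Microsoft.Compute/snapshots/vm02-old", "Succeeded"),
]


def triage(events: List[Dict], min_stages: int = 3) -> Dict[str, Dict]:
    """Per-caller summary of watched operations; 'flagged' marks callers worth an incident."""
    per_caller = defaultdict(lambda: {"stages": set(), "score": 0, "succeeded": [], "failed": []})
    for e in events:
        op = e["operationName"]["value"].lower()
        if op not in WATCHED_OPERATIONS:
            continue
        stage, weight = WATCHED_OPERATIONS[op]
        c = per_caller[e["caller"].lower()]
        status = e["status"]["value"]
        if status == "Succeeded":
            c["stages"].add(stage)
            c["score"] += weight
            c["succeeded"].append(op)
        elif status == "Failed":
            c["failed"].append(op)  # a failed lock/immutability delete is still tampering evidence
    result: Dict[str, Dict] = {}
    for caller, c in per_caller.items():
        touched_evasion = any(WATCHED_OPERATIONS[o][0] == "defense_evasion"
                              for o in c["succeeded"] + c["failed"])
        result[caller] = {"stages": sorted(c["stages"]), "score": c["score"],
                          "failed_ops": c["failed"],
                          "flagged": len(c["stages"]) >= min_stages or touched_evasion}
    return result


if __name__ == "__main__":
    for caller, summary in triage(SAMPLE_ACTIVITY).items():
        print(caller, summary)
```

Two design choices are worth carrying into a real rule: ignore Started records so that a single call is not counted twice, and keep failed defense-evasion operations as evidence, since an immutability policy in a locked state rejecting a delete is exactly the control working and exactly the moment to respond.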

Microsoft’s recommendations center on hardening cloud identity: enforce MFA, monitor the hybrid sync accounts, and deploy comprehensive Defender coverage so that pivots from on-premises into Entra ID and Azure, and the privilege escalations that follow, are visible. The underlying point is that hybrid environments need unified visibility to counter adaptive actors like this one.
