The march of progress continues, as a threat actor has now pulled off an attack described as "cloud-based ransomware."
Microsoft on Aug. 27 published research concerning Storm-0501, a ransomware actor that has been active since 2021. To date, the group has utilized a wide range of ransomware-as-a-service (RaaS) strains, including Embargo, Hunters International, Hive, BlackCat/ALPHV, and LockBit, among others. Last September, Microsoft published research detailing how the group changed its tactics from buying credentials to leveraging weak credentials in order to move laterally from on-premises to cloud environments.
This latest research offers a look into how Storm-0501 has further evolved its tactics, techniques, and procedures (TTPs). More specifically, the research describes a recent attack in which "the threat actor achieved cloud-based ransomware impact through cloud privilege escalation, taking advantage of protection and visibility gaps across the compromised environment, and pivoting from on-premises to cloud pivots."
Cloud-Based Ransomware
According to Microsoft, Storm-0501 has shifted more toward cloud-based attacks that take advantage of victim environments' native capabilities instead of malware, which allows attackers to rapidly exfiltrate huge amounts of data before destroying it and any backups.
In a recent attack, Microsoft said the threat actor managed to compromise a large enterprise with multiple subsidiaries, each maintaining separate but interconnected Microsoft Azure cloud tenants with different security postures. Only one tenant had Microsoft Defender for Endpoint deployed, and because devices from multiple Active Directory domains were onboarded to that single tenant, the environment had significant visibility gaps.
Moreover, "Active Directory domains were synchronized to several Entra ID tenants using Entra Connect Sync servers," the blog post explained. "In some cases, a single domain was synced to more than one tenant, further complicating identity management and monitoring."
All of this is to say that the unnamed victim in this case had an inconsistent environment with major security holes, enabling Storm-0501 to move laterally across tenants and play cloud resources against each other for maximum damage.
Storm-0501 compromised multiple devices that weren't connected to Microsoft Defender and gained domain administrator privileges, having deliberately searched for unprotected devices as part of prior reconnaissance. The attacker then used a post-exploitation tool to gain remote code execution and move laterally.
Once they had compromised the first tenant's on-premises environment, they enumerated users, roles, and resources through the Entra Connect Sync Directory Synchronization Account (DSA). Storm-0501 then mapped out relationships and permissions with the AzureHound tool.
Though the group seemingly managed to obtain credentials as part of its compromise, it was unable to bypass or satisfy the multifactor authentication (MFA) challenge, so Storm-0501 pivoted to target a second tenant.
"Leveraging their foothold in the Active Directory environment, they traversed between Active Directory domains and eventually moved laterally to compromise a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain," the blog post read. "The threat actor extracted the Directory Synchronization Account to repeat the reconnaissance process, this time targeting identities and resources in the second tenant."
The actor found a non-human identity assigned to a Global Administrator role in Microsoft Entra ID on the second tenant with no MFA attached. This made it trivial for the threat actor to reset the password, register a new MFA method, and satisfy the customer's Conditional Access policy configuration. Lastly, Storm-0501 moved laterally between connected devices until it found a hybrid-joined device that could satisfy the last Conditional Access policy requirement.
These privileges gave them full control over the cloud domain, enabling them to establish additional persistence mechanisms such as a backdoor. Storm-0501 elevated its own access within the compromised customer's Azure stores, initiated a comprehensive discovery process, exfiltrated data, and mass-deleted Azure resources, which prevented "the victim from taking remediation and mitigation action by restoring the data."
As some resources couldn't be deleted, Storm-0501 performed "cloud-based encryption" by establishing a new Azure Key Vault and a new customer-managed key it could use as leverage against the victim. Though the attacker attempted to delete the key in order to make the data inaccessible, Microsoft noted that "Azure Key vaults and keys that are used for encryption purposes are protected by the Azure Key Vault soft-delete feature, with a default period of 90 days, which allows the user to retrieve the deleted key/vault from deletion, preventing cloud-based encryption for ransomware purposes."
Lastly, Storm-0501 contacted the victim via Microsoft Teams using a previously compromised user and demanded a ransom. Microsoft did not say whether the victim paid.
Defender Mitigations and Takeaways
Microsoft director of threat intelligence Sherrod DeGrippo tells Dark Reading that Storm-0501 is "particularly concerning" for organizations that keep important and sensitive environments on-premises.
"The impact goes beyond data loss. Storm-0501's campaigns can halt business operations, erase critical data, and expose organizations to extortion threats, regulatory penalties, and reputational damage," DeGrippo says. "This threat actor has rapid adaptation and sector-agnostic targeting. Storm-0501 has demonstrated the ability to quickly change tactics and target a wide range of sectors, meaning any organization using cloud services could be a target."
In order to help prevent something similar from happening to another organization, Microsoft in the blog post said it "recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync," which aims to prevent privilege escalations like the one seen in the research.
For on-premises customers, Microsoft recommends organizations use tamper protection, run endpoint detection-and-response products in block mode, and turn on fully automated investigation and remediation where possible. For cloud identities, Microsoft recommends practicing the principle of least privilege, enabling sufficient conditional access policies, and ensuring MFA is enabled for all users.
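Two of the gaps described above, a non-human identity holding Global Administrator with no MFA and Key Vault keys whose recovery depends on soft-delete, can be checked from a tenant inventory before an attacker finds them. The following audit script is an added example written for this article, not code from Microsoft or from the blog post. It runs offline over a constructed snapshot whose field names are an assumption modelled on Microsoft Graph role assignments, user registration details, and ARM Key Vault properties; the two Entra ID role template IDs are the documented built-in ones, and the "helpdesk" role ID is a placeholder. It flags high-privilege roles held by service principals or by users without MFA registered, and vaults where soft-delete or purge protection is off or retention is below the 90-day default the article cites.

```python
"""Audit an Entra ID / Azure inventory snapshot for the gaps Storm-0501 abused:
high-privilege identities without MFA, and Key Vaults whose deleted keys
could not be recovered. Added example; snapshot shape is an assumption."""
import json
from typing import Any, Dict, List, Tuple

# Built-in Entra ID role template IDs (documented values).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
HIGH_PRIVILEGE_ROLES = {
    GLOBAL_ADMIN: "Global Administrator",
    PRIV_ROLE_ADMIN: "Privileged Role Administrator",
}
MIN_RETENTION_DAYS = 90  # the default soft-delete period cited in the article

# Constructed sample snapshot (not real tenant data). Field names are assumed
# to follow Graph roleAssignments / userRegistrationDetails and ARM Key Vault.
SNAPSHOT_JSON = """
{
  "roleAssignments": [
    {"principalId": "sp-sync-automation", "principalType": "servicePrincipal",
     "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"},
    {"principalId": "alice", "principalType": "user",
     "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"},
    {"principalId": "bob", "principalType": "user",
     "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814"},
    {"principalId": "carol", "principalType": "user",
     "roleDefinitionId": "ROLE-TEMPLATE-ID-PLACEHOLDER-helpdesk"}
  ],
  "userRegistrationDetails": [
    {"id": "alice", "isMfaRegistered": true},
    {"id": "bob", "isMfaRegistered": false},
    {"id": "carol", "isMfaRegistered": false}
  ],
  "keyVaults": [
    {"name": "kv-prod", "properties": {"enableSoftDelete": true,
     "softDeleteRetentionInDays": 90, "enablePurgeProtection": true}},
    {"name": "kv-legacy", "properties": {"enableSoftDelete": true,
     "softDeleteRetentionInDays": 7, "enablePurgeProtection": false}},
    {"name": "kv-test", "properties": {"enableSoftDelete": false}}
  ]
}
"""

Finding = Tuple[str, str, str]


def find_privileged_identity_gaps(snapshot: Dict[str, Any]) -> List[Finding]:
    """Flag high-privilege role holders that are non-human (MFA cannot be
    enforced on them) or users with no MFA method registered."""
    mfa_registered = {
        u["id"]: bool(u.get("isMfaRegistered", False))
        for u in snapshot.get("userRegistrationDetails", [])
    }
    findings: List[Finding] = []
    for ra in snapshot.get("roleAssignments", []):
        role = HIGH_PRIVILEGE_ROLES.get(ra.get("roleDefinitionId", ""))
        if role is None:
            continue  # only the roles that grant full control matter here
        pid = ra["principalId"]
        if ra.get("principalType") != "user":
            findings.append((pid, role, "non-human identity holds a high-privilege role"))
        elif not mfa_registered.get(pid, False):
            findings.append((pid, role, "user holds a high-privilege role with no MFA registered"))
    return findings


def find_key_vault_gaps(snapshot: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Flag vaults where a deleted key could not be recovered in time."""
    findings: List[Tuple[str, str]] = []
    for kv in snapshot.get("keyVaults", []):
        props = kv.get("properties", {})
        name = kv["name"]
        if not props.get("enableSoftDelete", False):
            findings.append((name, "soft-delete disabled: deleted keys are unrecoverable"))
            continue
        if not props.get("enablePurgeProtection", False):
            findings.append((name, "purge protection disabled: soft-deleted keys can still be purged"))
        days = int(props.get("softDeleteRetentionInDays", 0))
        if days < MIN_RETENTION_DAYS:
            findings.append((name, f"retention {days} days is below {MIN_RETENTION_DAYS}"))
    return findings


def audit(snapshot_json: str = SNAPSHOT_JSON) -> Dict[str, list]:
    """Run both checks over a JSON snapshot and return the findings by area."""
    snapshot = json.loads(snapshot_json)
    return {
        "identity": find_privileged_identity_gaps(snapshot),
        "keyvault": find_key_vault_gaps(snapshot),
    }


if __name__ == "__main__":
    for area, items in audit().items():
        for item in items:
            print(area, *item)
```

On the constructed snapshot the identity check reports the service principal holding Global Administrator and the user "bob" with no MFA, while "alice" (MFA registered) and "carol" (non-privileged role) pass; the vault check reports kv-legacy twice (no purge protection, 7-day retention) and kv-test once (soft-delete off). Feeding it real exports means replacing SNAPSHOT_JSON with the output of the corresponding Graph and ARM queries.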
A full list of detections and recommendations is available in the blog post.