Microsoft has uncovered a multi-stage cyberattack by the financially motivated group Storm-0501, targeting sectors in the U.S., including government, manufacturing, transportation, and law enforcement.
The attackers compromised hybrid cloud environments, stealing credentials, tampering with data, and deploying ransomware. Storm-0501, active since 2021, first gained attention for using the Sabbath ransomware against U.S. school districts.
The group later evolved into a ransomware-as-a-service (RaaS) affiliate, deploying ransomware variants like Hive, BlackCat, and the newer Embargo ransomware.
In its latest attacks, Storm-0501 exploited weak credentials and over-privileged accounts to move from on-premises systems to cloud environments, gaining persistent backdoor access. Microsoft reported that the group used several known vulnerabilities, including those in Zoho ManageEngine and Citrix NetScaler, to gain initial access.
The group then leveraged admin privileges to compromise further devices and collect sensitive data, using tools like Impacket and Cobalt Strike for lateral movement and defense evasion.
Storm-0501 also deployed open-source tools, such as Rclone, to exfiltrate data.
They masked these tools by renaming them to familiar Windows binary names. Their ability to exploit weak credentials and gain access to Microsoft Entra ID accounts enabled the group to establish persistent cloud access, further increasing the risk to organizations.
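One way a defender can surface the renaming trick described above is to compare the on-disk file name of each new process against the OriginalFileName stored in its PE version resource, which Sysmon process-creation events expose. The following is an added example, not code from Microsoft's report; the event lines are constructed samples, and the assumption that Rclone's build metadata carries `rclone.exe` as its original file name is mine.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed, flattened Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe|OriginalFileName=svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"Image=C:\Windows\Temp\svchost.exe|OriginalFileName=rclone.exe|CommandLine=svchost.exe copy C:\Finance remote:bucket",
    r"Image=C:\Users\Public\conhost.exe|OriginalFileName=-|CommandLine=conhost.exe",
    r"Image=C:\Tools\rclone.exe|OriginalFileName=rclone.exe|CommandLine=rclone.exe lsd remote:",
    r"Image=C:\ProgramData\lsass.exe|OriginalFileName=Rclone.exe|CommandLine=lsass.exe sync C:\HR remote:bucket",
]

# Assumed PE OriginalFileName of the exfiltration tool named in the article.
TOOL_ORIGINAL_NAMES = {"rclone.exe"}
# Windows binary names an attacker might reuse; a mismatch here is high signal.
WINDOWS_BINARY_NAMES = {"svchost.exe", "lsass.exe", "conhost.exe", "explorer.exe", "csrss.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value|key=value record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> str:
    """Return 'masquerade', 'known-tool' or '' for one process-creation event."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if original in ("", "-"):
        return ""  # no version resource to compare against; skip rather than guess
    if original in TOOL_ORIGINAL_NAMES:
        # Tool binary running under a different file name: the renaming technique.
        return "masquerade" if image_name != original else "known-tool"
    if image_name in WINDOWS_BINARY_NAMES and image_name != original:
        return "masquerade"  # a system binary name backed by some other executable
    return ""  # generic mismatches are common for installers, so not flagged here


def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw lines and return (Image, OriginalFileName, verdict) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev["Image"], ev["OriginalFileName"], verdict))
    return hits
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the renamed copies under Temp and ProgramData as masquerades and the unrenamed Rclone as a known tool, while the event without version information is skipped.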
In response to these attacks, Microsoft highlighted the growing security challenges posed by hybrid cloud environments. The company stressed the need for organizations to adopt stronger security measures, including multi-factor authentication (MFA) and regular software updates to fix known vulnerabilities.
To help mitigate future attacks, Microsoft has enhanced its security protocols, particularly around Microsoft Entra ID, to prevent the abuse of Directory Synchronization Accounts.
Storm-0501's activities underscore the increasing sophistication of cyber threats and the urgent need for businesses to bolster their defenses across both on-premises and cloud infrastructures.