In a recent security advisory, Microsoft advised that the ransomware threat actor Storm-0501 has recently switched tactics, targeting hybrid cloud environments now to compromise the entire system of victimization. It is becoming increasingly apparent that cybercriminals are finding out how difficult it is to secure hybrid cloud environments. 

In the latest case, an extremely cruel group called Storm-0501 has stepped forward in an attempt to steal from the most vulnerable organizations in the US, including schools, hospitals, and law enforcement. The group is known for its cash-grab operations. As an affiliate of different strains of ransomware as a service (RaaS), Storm-0501 has been around since 2021, as per Microsoft Threat Intelligence's new report on it.

This ransomware operates as affiliates of a variety of RaaS strains such as BlackCat/ALPHV, LockBit, and Embargo, among others. The Storm-0501 ransomware gang is well-known for its operations in on-premise networks, but now the group is focusing on extending its reach to cloud infrastructures as they look to compromise whole networks with their campaigns. 

Since Storm-0501 was first discovered in 2021, it has been associated with the Sabbath ransomware group as an affiliate. There are several notable ransomware groups, such as Hive, BlackCat, LockBit, and Hunters International, that have been involved in these operations from time to time, but it has been growing rapidly. 

There have been recent reports that the group has been using Embargo ransomware as a means of executing their operations. As a result of the group's broad range of targets within the United States, the group has selected a wide array of sectors for its attacks, including hospitals, government agencies, manufacturing companies, transportation companies, and law enforcement agencies. 

As part of their attack pattern, the group usually exploits weak credentials and privileged accounts, enabling them to steal sensitive information from compromised networks and to deploy ransomware to guarantee their success. Earlier this week, Microsoft team members shared information about a recent attack on Microsoft Entra ID (formerly Azure AD) that was performed by Storm-0501 threat actors. 

The credential-synching component of this on-premises Microsoft application is responsible for synchronizing the passwords and other sensitive data between the objects in Active Directory and Entra ID, assuming the credentials of the user are the same for both on-premises and cloud environments. This report warns that once Storm-0501 was able to migrate into the cloud at a later point in time, it was then capable of manipulating, exfiltrating, and setting up persistent backdoors to commit ransomware attacks. 

As a result of exploiting weak usernames and passwords, the attacker gains access to cloud environments via privileged accounts, which sets out to steal data as well as execute a ransomware payload on the target machine. It is Microsoft's position that the Storm-0501 is obtaining initial access to the network by stealing or buying credentials for access, or by exploiting known vulnerabilities that have already been discovered. 

It is worth noting that CVE-2022-47966 has been used in recent attacks against Zoho ManageEngine, CVE-2023-4966 has been used against Citrix NetScaler, and CVE-2023-29300 or CVE-2023-38203 may have been used against ColdFusion 2016. As the adversary moves laterally, it uses frameworks like Impacket and Cobalt Strike, steals data through Rclone binaries renamed to mimic known Windows tools, and disables security agents using PowerShell command-line functions. 

Storm-0501 is malware that has been designed to exploit stolen Microsoft Entra ID credentials (formerly known as Azure AD credentials) to move from on-premise to cloud environments, compromise synchronization accounts for persistence, and hijack sessions for recurrence. Using a Microsoft Entra Connect Sync account is an essential part of synchronizing data between on-premises AD (Active Directory) and Microsoft Entra ID (Entra ID cloud-based). 

These accounts allow a wide range of sensitive actions to be taken on behalf of the On-Premise AD account. In the case that the attacker has gained access to the credentials for the Directory Synchronization Account, he or she has the capability of changing cloud passwords through specialized tools like AADInternals, thus bypassing any additional security measures. 

An unauthorized user may exploit the Storm-0501 vulnerability if the account of a domain admin or other high-privileged user on-premises also exists in the cloud environment and is not properly protected (e.g. it does not implement multi-factor authentication). As soon as the malicious actor has gained access to the cloud infrastructure, they plant a persistent backdoor by creating a new federated domain inside of the Microsoft Entra tenant, which allows them to log in as any user that has the "Immutableid" property set to their benefit. 

A final step would be for the attackers to either install Embargo ransomware in the victim's on-premises infrastructure and cloud-based environments or keep backdoor access available for later use to the victim. In response to the growing prevalence of hybrid cloud environments, Microsoft's Threat Intel team has warned, "As organizations continue to work with multiple platforms to protect their data, securing resources across them becomes a growing challenge."

Keeper Security, vice president of security and infrastructure, said that a zero-trust framework is a highly effective means of achieving this goal for enterprise cybersecurity teams and that it can be achieved by progressively advancing towards one. Using this model, access is restricted based on the customers' roles, making sure that users only have access to the resources they need for their specific roles. 

This minimizes the possibility of malicious actors getting access to those resources," Tiquet stated in an email. "It is widely believed that weak credentials remain one of the most vulnerable entry points in hybrid cloud environments that are likely to be exploited by groups such as Storm-0501." A centralised approach to endpoint device management (EDM) is also vital to the success of the strategy, according to him. Keeping all environments patched - be it cloud-based or on-premises - is one of the best ways to prevent attackers from exploiting known vulnerabilities by ensuring a consistent level of security patching." 

In addition to my previous statement, he added that advanced monitoring tools will allow teams to detect potentially malicious threats across hybrid cloud environments before they can become breaches. SlashNext Security's field CTO Stephen Kowski provided a similar list of recommendations in a statement he sent via e-mail. Embargo, whose contact information can be found here, is a threat group that uses Rust-based malware in its ransomware-as-a-service (RaaS) operation, which accepts affiliates who access companies and deploy the payload, sharing part of the profit with the affiliate. 

As far back as August 2024, an Embargo ransomware affiliate attacked the American Radio Relay League (ARRL) and claimed to have received $1 million for a decryptor that worked once it was provided to them. The theft of sensitive data from Firstmac Limited, an Australian company that deals with mortgages, investment management and investment strategy, was reported to the cybercrime reporting agency earlier this month. When the deadline to negotiate a solution had passed, an Embargo subsidiary was discovered to have breached the company.