
Cybercriminal Erases Stored Data and Copies After Stealing on Azure Cloud Platform

Microsoft detected a shift in Storm-0501's tactics: the threat actor now moves into the target's cloud infrastructure in order to expedite data theft and inhibit data recovery efforts.

Azure-based data extermination post-exfiltration by ransomware perpetrator: Data and backups erased


In a recent cybersecurity incident, a financially motivated threat actor known as Storm-0501 has executed a novel ransomware attack on a large enterprise's Microsoft Azure environment. The attack, which targeted multiple subsidiaries each operating their own Active Directory domains, has resulted in significant data breaches and disruptions.

The incident began with Storm-0501 compromising an Entra Connect Sync server and using it as a pivot point for lateral movement within the victim's network. The actor then located Azure Storage accounts and used them to exfiltrate data to attacker-controlled infrastructure with the AzCopy command-line interface (CLI) tool.

Following successful authentication, the threat actor created a backdoor using a maliciously added federated domain. The compromised identity's on-premises password was reset and legitimately synced to the cloud identity via the Entra Connect Sync service. This provided the attacker with unauthorised access to the organisation's Azure portal.

Storm-0501 leveraged cloud features and capabilities to rapidly exfiltrate large amounts of data from the victim environment. The group performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to impersonate a domain controller and request replication data. This gave the attacker extensive access to the victim's Active Directory data.

The threat actor identified a non-human synced identity with the Global Administrator role in Microsoft Entra ID and invoked the Microsoft.Authorization/roleAssignments/write operation to assign itself the Owner Azure role over all Azure subscriptions. This gave the attacker complete control over the victim's Azure resources.

Post-compromise activity impacted two tenants, ultimately resulting in access to the organisation's valuable data stores that resided in Azure. The attack involved destroying data and backups, then encrypting the remaining data before demanding a ransom.
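The two behaviours described above, an Owner role assignment over an entire subscription and mass deletion of storage and backups, both leave records in the Azure Activity Log. The following is an added triage example, not code from the article or from Microsoft; it runs over constructed, simplified records modelled on Activity Log fields (operationName, caller, resourceId, eventTimestamp, properties.requestbody) and flags Owner grants at subscription scope, individual destructive operations, and bursts of deletions by a single caller. The set of destructive operation names is an assumed, illustrative selection; the Owner and Reader role definition GUIDs are the fixed built-in values.

```python
"""Triage of (constructed) Azure Activity Log records for the behaviours
described in the article: Owner assigned over a whole subscription, and bulk
deletion of storage accounts, snapshots and backup items."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Built-in Azure RBAC role definition GUIDs; these are identical in every tenant.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Assumed, illustrative list of operations that destroy data or backups.
DESTRUCTIVE_OPERATIONS = {
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
}
BURST_THRESHOLD = 3            # deletions by one caller ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window


@dataclass(frozen=True)
class Finding:
    rule: str
    caller: str
    detail: str


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_subscription_scope(scope):
    """True only for '/subscriptions/<id>' itself, not a resource group or resource."""
    parts = [p for p in scope.split("/") if p]
    return len(parts) == 2 and parts[0].lower() == "subscriptions"


def check_role_assignment(event):
    """Flag a role assignment that grants Owner over an entire subscription."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    req = json.loads(body) if isinstance(body, str) else body
    props = req.get("Properties", {})
    role_id = props.get("RoleDefinitionId", "").rsplit("/", 1)[-1].lower()
    scope = props.get("Scope", "")
    if role_id == OWNER_ROLE_ID and is_subscription_scope(scope):
        return Finding("owner-at-subscription-scope", event["caller"],
                       f"principal {props.get('PrincipalId')} granted Owner on {scope}")
    return None


def analyze(events):
    """Return findings for privileged grants, destructive operations and deletion bursts."""
    findings = []
    destructive_by_caller = defaultdict(list)
    for ev in events:
        op = ev.get("operationName", "")
        if op == ROLE_ASSIGNMENT_WRITE:
            finding = check_role_assignment(ev)
            if finding:
                findings.append(finding)
        elif op in DESTRUCTIVE_OPERATIONS:
            findings.append(Finding("destructive-operation", ev["caller"],
                                    f"{op} on {ev.get('resourceId')}"))
            destructive_by_caller[ev["caller"]].append(parse_ts(ev["eventTimestamp"]))
    # Sliding window: BURST_THRESHOLD deletions by the same caller inside BURST_WINDOW.
    for caller, stamps in destructive_by_caller.items():
        stamps.sort()
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                findings.append(Finding("destructive-burst", caller,
                                        f"{BURST_THRESHOLD}+ deletions within {BURST_WINDOW}"))
                break
    return findings


# Constructed sample records (not real telemetry); the caller is a made-up synced identity.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
CALLER = "sync_svc@contoso.example"


def role_event(role_id, scope, ts):
    body = {"Properties": {"RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
                           "PrincipalId": "11111111-1111-1111-1111-111111111111", "Scope": scope}}
    return {"operationName": ROLE_ASSIGNMENT_WRITE, "caller": CALLER, "eventTimestamp": ts,
            "resourceId": f"{scope}/providers/Microsoft.Authorization/roleAssignments/aaaa",
            "properties": {"requestbody": json.dumps(body)}}


def delete_event(op, resource, ts):
    return {"operationName": op, "caller": CALLER, "eventTimestamp": ts, "resourceId": f"{SUB}/resourceGroups/rg-data/{resource}"}


SAMPLE_EVENTS = [
    role_event(OWNER_ROLE_ID, SUB, "2025-01-01T10:00:00Z"),                     # should be flagged
    role_event(READER_ROLE_ID, SUB + "/resourceGroups/rg-app", "2025-01-01T10:01:00Z"),  # benign
    delete_event("Microsoft.Storage/storageAccounts/delete", "providers/Microsoft.Storage/storageAccounts/stdata01", "2025-01-01T10:12:00Z"),
    delete_event("Microsoft.Storage/storageAccounts/delete", "providers/Microsoft.Storage/storageAccounts/stdata02", "2025-01-01T10:13:00Z"),
    delete_event("Microsoft.Compute/snapshots/delete", "providers/Microsoft.Compute/snapshots/snap-db", "2025-01-01T10:15:00Z"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.caller}: {f.detail}")
```

In production the same logic would sit in a KQL rule over the AzureActivity table or in an Azure Monitor alert; the point of the script is the shape of the rules: a privileged grant is judged by role GUID plus scope, and destruction is judged by rate per caller rather than by any single delete, since legitimate clean-ups do delete resources one at a time.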

Storm-0501's targeting is opportunistic, with victims including schools and healthcare organizations. The large enterprise with multiple subsidiaries, each having separate Active Directory domains and Azure tenants, was affected by the attack, but the specific company name remains undisclosed in the available sources.

The group has adapted its tactics since its emergence in 2021, including the use of Embargo ransomware in 2024 attacks. It is crucial for organisations to remain vigilant and implement robust security measures to protect against such threats.
