Ransomware operation Storm-0501 introduces a fierce combination attack sequence
In a recent report, Microsoft Threat Intelligence has revealed the activities of a financially motivated group known as Storm-0501. The group is currently executing a new hybrid ransomware campaign, targeting organisations with hybrid cloud environments.
Storm-0501 has been found to exploit vulnerabilities in these environments to gain access to both on-premises and cloud assets. One of the tactics used by the group is the creation of a backdoor using a maliciously added federated domain. This allows them to sign in as almost any user and map out the entire environment.
The group has been observed assigning themselves Azure roles across all available subscriptions. This enables them to exfiltrate and delete data during the attack. They have also been seen using Evil-WinRM, a post-exploitation tool that provides a PowerShell session over Windows Remote Management (WinRM), to move laterally across the on-premises network.
Storm-0501 has been escalating privileges for themselves in both on-premises and cloud environments. They have been found exploiting hijacked privileged accounts to move between these environments. In one instance, the group found a non-human synced global admin identity that lacked Multi-Factor Authentication (MFA). This allowed them to reset the user's on-premises password and gain complete control over the domain.
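The three identity-side moves described above (a newly federated domain, privileged roles granted to the intruder's own account across many subscriptions, and a synced administrator without MFA) all leave traces a defender can check for. The following is an added example, not code from the article or from Microsoft's report: it runs simple triage checks over constructed Entra ID audit-log, Azure Activity Log and directory-snapshot records. The field names mirror the shape of those logs (activityDisplayName, initiatedBy, targetResources, operationName), but every value, account name, domain and subscription id is invented, and the activity names and thresholds used as indicators are assumptions to be tuned against a real tenant.

```python
"""Triage checks for hybrid-identity abuse of the kind described in the article.

All inputs below are constructed samples. Field names follow the shape of the
Microsoft Entra ID audit log and the Azure Activity Log; the values are made up.
"""
from collections import defaultdict

# Entra audit activities that change how a domain authenticates. Adding a
# federated domain is how the article describes the backdoor being planted.
# (Assumed indicator names; confirm against your tenant's audit log.)
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator"}
# Azure Activity Log operation recorded when an RBAC role assignment is created.
RBAC_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"

# --- Constructed Entra ID audit-log entries (invented values) ---
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-09-20T02:11:05Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"displayName": "attacker-added.example.net", "type": "Domain"}]},
    {"activityDateTime": "2024-09-20T02:14:40Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-sync@example.com", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2024-09-20T09:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "alice@example.com", "type": "User"}]},
]

# --- Constructed Azure Activity Log entries (invented values) ---
SAMPLE_ACTIVITY_LOG = [
    {"caller": "svc-sync@example.com", "operationName": RBAC_WRITE_OP, "subscriptionId": "sub-1111"},
    {"caller": "svc-sync@example.com", "operationName": RBAC_WRITE_OP, "subscriptionId": "sub-2222"},
    {"caller": "svc-sync@example.com", "operationName": RBAC_WRITE_OP, "subscriptionId": "sub-3333"},
    {"caller": "deploy-pipeline@example.com", "operationName": RBAC_WRITE_OP, "subscriptionId": "sub-1111"},
]

# --- Constructed directory snapshot (invented values) ---
SAMPLE_DIRECTORY = [
    {"userPrincipalName": "svc-sync@example.com", "onPremisesSyncEnabled": True,
     "roles": ["Global Administrator"], "mfaRegistered": False},
    {"userPrincipalName": "admin-cloudonly@example.com", "onPremisesSyncEnabled": False,
     "roles": ["Global Administrator"], "mfaRegistered": True},
    {"userPrincipalName": "alice@example.com", "onPremisesSyncEnabled": True,
     "roles": [], "mfaRegistered": True},
]


def _actor(entry):
    return entry["initiatedBy"].get("user", {}).get("userPrincipalName", "<unknown>")


def federation_changes(entries):
    """Domains whose federation/authentication settings changed, with time and actor."""
    return [(e["activityDateTime"], _actor(e), t["displayName"])
            for e in entries if e["activityDisplayName"] in FEDERATION_OPS
            for t in e["targetResources"] if t.get("type") == "Domain"]


def privileged_role_grants(entries):
    """Privileged role additions; self_grant marks an actor granting the role to itself."""
    hits = []
    for e in entries:
        if e["activityDisplayName"] != "Add member to role":
            continue
        for t in e["targetResources"]:
            for p in t.get("modifiedProperties", []):
                if p["displayName"] != "Role.DisplayName":
                    continue
                role = p["newValue"].strip('"')  # the log JSON-quotes the new value
                if role in PRIVILEGED_ROLES:
                    target = t.get("userPrincipalName", "<unknown>")
                    hits.append({"time": e["activityDateTime"], "actor": _actor(e),
                                 "target": target, "role": role,
                                 "self_grant": _actor(e) == target})
    return hits


def broad_rbac_writers(activity, min_subscriptions=2):
    """Callers that created RBAC assignments in at least min_subscriptions subscriptions."""
    seen = defaultdict(set)
    for ev in activity:
        if ev["operationName"] == RBAC_WRITE_OP:
            seen[ev["caller"]].add(ev["subscriptionId"])
    return {c: sorted(s) for c, s in seen.items() if len(s) >= min_subscriptions}


def risky_synced_admins(users):
    """On-prem-synced accounts holding a privileged role with no MFA registered."""
    return sorted(u["userPrincipalName"] for u in users
                  if u["onPremisesSyncEnabled"] and not u["mfaRegistered"]
                  and PRIVILEGED_ROLES.intersection(u["roles"]))


if __name__ == "__main__":
    print("federation changes:", federation_changes(SAMPLE_AUDIT_LOG))
    print("privileged grants:", privileged_role_grants(SAMPLE_AUDIT_LOG))
    print("broad RBAC writers:", broad_rbac_writers(SAMPLE_ACTIVITY_LOG))
    print("risky synced admins:", risky_synced_admins(SAMPLE_DIRECTORY))
```

On the sample data the one synced service account surfaces in every check: it federates a new domain, grants itself Global Administrator minutes later, writes RBAC assignments in three subscriptions, and holds the role with no MFA registered. In practice the directory snapshot would come from an export of role members and registration state, and the `min_subscriptions` threshold should be set above what legitimate automation in the tenant normally touches.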
The group has been seen exfiltrating data from the organisation's Azure Storage accounts to its own infrastructure. They are also encrypting data and carrying out mass deletions of cloud resources, including backups.
Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, stated that Storm-0501 is not just encrypting data, but also deleting backups. This makes it crucial for CISOs to know their ransomware playbook and understand under what circumstances they will pay ransoms.
In light of these threats, it is important for security leaders to do a full audit of their on-premises environments and understand the risk they present to the organisation. Now is also the time to understand what should be moved to the cloud and what should be hardened. Using least privilege access is crucial in helping to ward off Storm-0501 attacks.
Hybrid environments, while incredibly vulnerable, are also incredibly important. CISOs should be aware of the risks associated with these environments and take necessary measures to secure them. It is also advisable to keep a close eye on the group's activities and stay updated with the latest threats and countermeasures.