Storm-0501, a financially motivated cybercriminal group, has been targeting multiple sectors in the US with multi-staged attacks by exploiting weak credentials to gain access to hybrid cloud environments, then laterally moving from on-premises to cloud environments to exfiltrate data, steal credentials, tamper with systems, and deploy ransomware.
The threat actor has been active since 2021, using various ransomware payloads and targeting sectors like government, manufacturing, transportation, and law enforcement. Researchers have observed similar attacks from other threat actors and emphasize the growing challenge of securing hybrid cloud environments.
Storm-0501 compromised on-premises systems through stolen credentials or unpatched vulnerabilities (in Zoho, Citrix, and ColdFusion products) and then pivoted to internal discovery using native Windows tools and open-source reconnaissance tools.
After gaining admin access, they deployed remote management tools for persistence. To move laterally, they leveraged compromised credentials and the “Impacket” tool to escalate privileges.
Tools like Cobalt Strike with a custom watermark (“666”) were used to establish C2 communication and for lateral movement, which ultimately led to Domain Admin compromise and ransomware deployment.
The threat actor exfiltrated sensitive data from compromised devices using renamed Rclone binaries, transferring it to cloud storage services such as MegaSync with dedicated Rclone configurations.
To evade detection, they tampered with security products on compromised devices using open-source tools, PowerShell cmdlets, and existing binaries. Additionally, they distributed Group Policy Objects (GPOs) to further hinder detection.
By stealing the plaintext credentials of the directory synchronization accounts, the attacker gained access to Microsoft Entra ID and Microsoft Graph, which allowed them to set or change passwords for hybrid accounts, potentially leading to further compromise of the target network.
Cloud session hijacking can occur when an on-premises user account with a corresponding Microsoft Entra ID account is compromised. If the passwords for both accounts are the same or otherwise obtainable, attackers can pivot to the cloud.
If neither MFA nor Conditional Access is enforced, attackers can reset passwords or sign in using AADInternals; even where MFA is enabled, an existing session can be hijacked. Microsoft is implementing tenant-level security measures to mandate MFA for all Azure users to enhance admin account security.
The threat actor exploited a compromised Microsoft Entra account to gain global admin privileges and create a persistent backdoor using AADInternals, which enabled the actor to impersonate any user in the organization and bypass MFA.
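As an added defender-side example (not from the original report or Microsoft's tooling), the following Python detector runs over constructed audit-style records and flags the hybrid pivot described above: a directory synchronization account authenticating from outside the Entra Connect server's network, or performing password resets rather than synchronization updates. The record shape, the `Sync_` naming prefix, the subnet and the allow-list of benign operations are assumptions.

```python
import ipaddress

# Assumptions (constructed, not the real Entra schema): sync accounts are named
# Sync_<server>_<id>, live on one subnet, and only push synchronization updates.
SYNC_ACCOUNT_PREFIX = "Sync_"
ALLOWED_SYNC_NETS = [ipaddress.ip_network("10.0.5.0/24")]      # constructed Entra Connect subnet
BENIGN_SYNC_OPS = {"Update user", "Add user", "Delete user"}   # constructed allow-list

# Constructed sample records: two normal sync writes, two password resets replayed
# with the stolen sync credential from outside the subnet, one helpdesk reset.
SAMPLE_EVENTS = [
    {"time": "2024-09-20T02:00:00", "actor": "Sync_DC01_a1b2@contoso.example",
     "ip": "10.0.5.12", "op": "Update user", "target": "jdoe@contoso.example"},
    {"time": "2024-09-20T02:00:05", "actor": "Sync_DC01_a1b2@contoso.example",
     "ip": "10.0.5.12", "op": "Update user", "target": "asmith@contoso.example"},
    {"time": "2024-09-20T03:14:00", "actor": "Sync_DC01_a1b2@contoso.example",
     "ip": "203.0.113.77", "op": "Reset user password", "target": "admin1@contoso.example"},
    {"time": "2024-09-20T03:14:30", "actor": "Sync_DC01_a1b2@contoso.example",
     "ip": "203.0.113.77", "op": "Reset user password", "target": "admin2@contoso.example"},
    {"time": "2024-09-20T03:15:00", "actor": "helpdesk@contoso.example",
     "ip": "10.0.7.3", "op": "Reset user password", "target": "jdoe@contoso.example"},
]


def is_sync_account(upn):
    """True if the user principal name matches the assumed sync-account naming."""
    return upn.split("@")[0].startswith(SYNC_ACCOUNT_PREFIX)


def from_allowed_net(ip):
    """True if the source address lies inside a subnet where the sync server lives."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SYNC_NETS)


def flag_sync_account_misuse(events):
    """Return (reason, event) pairs for sync-account activity outside its expected pattern."""
    findings = []
    for ev in events:
        if not is_sync_account(ev["actor"]):
            continue  # only the hybrid sync identity is in scope for this check
        if not from_allowed_net(ev["ip"]):
            findings.append(("sync account used outside Entra Connect subnet", ev))
        if ev["op"] not in BENIGN_SYNC_OPS:
            findings.append(("sync account performed non-sync operation", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in flag_sync_account_misuse(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['actor']} {ev['ip']} {ev['op']} -> {reason}")
```

In a real deployment the allow-list and subnet come from the tenant's own Entra Connect inventory, and the same two conditions can be expressed directly as a sign-in and audit log query.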
Subsequently, they deployed Embargo ransomware across the network via a scheduled task, encrypting files and threatening to leak sensitive data.
Microsoft’s recent security hardening measures for Directory Synchronization Accounts in Microsoft Entra ID help mitigate threats by restricting account permissions and enforcing Conditional Access policies.
Organizations can further enhance their security by practicing strong credential hygiene, limiting access from untrusted IP addresses, and requiring phishing-resistant authentication for critical apps, which collectively reduce the risk of unauthorized access and potential data breaches.