Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Sept. 30, 2024, 10:48 a.m.

Description

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent backdoor access, and deploys ransomware. Their recent campaign targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 exploits vulnerabilities in public-facing servers, uses commodity and open-source tools, and operates as a ransomware-as-a-service affiliate. They have expanded their tactics to include pivoting from on-premises to cloud environments, particularly exploiting Microsoft Entra Connect Sync accounts and cloud session hijacking. The group's ultimate goal is often to deploy Embargo ransomware across the organization's devices.

Date

Published: Sept. 30, 2024, 10:37 a.m.
Created: Sept. 30, 2024, 10:37 a.m.
Modified: Sept. 30, 2024, 10:48 a.m.

Indicators

efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d

ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a

de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304

d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a

d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670

caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031

a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40

827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f

53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9

c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1

https://aadinternals.com/post/aadbackdoor/

https://aadinternals.com/post/aad-deepdive/

Attack Patterns

AADInternals

Embargo

Rclone

Impacket

Cobalt Strike - S0154

Storm-0501

T1490

T1550

T1110

T1087

T1021

T1486

T1070

T1518

T1082

T1083

T1543

T1055

T1098

T1566

T1190

T1133

T1078

T1068

T1003

T1059

CVE-2023-4966

CVE-2023-38203

CVE-2023-29300

CVE-2022-47966

Additional Information

Transportation

Government

Manufacturing

United States of America