Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Sept. 30, 2024, 10:48 a.m.
Tags
External References
Description
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent backdoor access, and deploys ransomware. Their recent campaign targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 exploits vulnerabilities in public-facing servers, uses commodity and open-source tools, and operates as a ransomware-as-a-service affiliate. They have expanded their tactics to include pivoting from on-premises to cloud environments, particularly exploiting Microsoft Entra Connect Sync accounts and cloud session hijacking. The group's ultimate goal is often to deploy Embargo ransomware across the organization's devices.
Date
Published: Sept. 30, 2024, 10:37 a.m.
Created: Sept. 30, 2024, 10:37 a.m.
Modified: Sept. 30, 2024, 10:48 a.m.
Indicators
efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d
ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a
de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304
d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a
d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670
caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031
a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40
827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f
53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9
c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1
https://aadinternals.com/post/aadbackdoor/
https://aadinternals.com/post/aad-deepdive/
suspectfile.com
aadinternals.com
Attack Patterns
AADInternals
Embargo
Rclone
Impacket
Cobalt Strike - S0154
Storm-0501
T1490
T1550
T1110
T1087
T1021
T1486
T1070
T1518
T1082
T1083
T1543
T1055
T1098
T1566
T1190
T1133
T1078
T1068
T1003
T1059
CVE-2023-4966
CVE-2023-38203
CVE-2023-29300
CVE-2022-47966
Additional Information
Transportation
Government
Manufacturing
United States of America