Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Sept. 30, 2024, 10:48 a.m.

Description

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent backdoor access, and deploys ransomware. Their recent campaign targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 exploits vulnerabilities in public-facing servers, uses commodity and open-source tools, and operates as a ransomware-as-a-service affiliate. They have expanded their tactics to include pivoting from on-premises to cloud environments, particularly exploiting Microsoft Entra Connect Sync accounts and cloud session hijacking. The group's ultimate goal is often to deploy Embargo ransomware across the organization's devices.

External References

https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
https://otx.alienvault.com/pulse/66fa7f4c3f8125e966794995
Tags
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300

Date

  • Created: Sept. 30, 2024, 10:37 a.m.
  • Published: Sept. 30, 2024, 10:37 a.m.
  • Modified: Sept. 30, 2024, 10:48 a.m.

Indicators

  • efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d
  • ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a
  • de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304
  • d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a
  • d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670
  • caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031
  • a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40
  • 827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f
  • 53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9
  • c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1
  • https://aadinternals.com/post/aadbackdoor/
  • https://aadinternals.com/post/aad-deepdive/
  • suspectfile.com
  • aadinternals.com
Download all indicators here!

Attack Patterns

  • AADInternals
  • Embargo
  • Rclone
  • Impacket
  • Cobalt Strike - S0154
  • Storm-0501

Additional Informations

  • Transportation
  • Government
  • Manufacturing
  • United States of America

Linked vulnerabilities

CVE-2022-47966

None
Published:

CVE-2023-29300

None
Published:

CVE-2023-38203

None
Published:

CVE-2023-4966

None
Published: