- Microsoft warns of Storm-0501, a ransomware group that mostly targets cloud platforms
- This approach lets the group work faster and more effectively
- There are ways to defend against this threat, so stay alert
Microsoft warns users of a ransomware operator that is more interested in compromising cloud infrastructure than on-premises systems, because it is faster, more effective and more disruptive.
In a new report, the company highlighted Storm-0501, a financially motivated group observed going primarily after hybrid cloud environments. The group first compromises on-premises Active Directory domains via domain trust relationships and then uses Entra Connect Sync servers to pivot into the cloud and into Microsoft Entra ID tenants.
From there, the group would use a non-human synchronized identity that held Global Administrator privileges and had no multi-factor authentication (MFA) configured to gain full cloud access, which in turn let them create a backdoor by adding malicious federated domains and abusing tokens.
Weathering the storm
Compromising Azure in this way is an alarming turn of events, as the attackers can obtain the Owner role across subscriptions, identify critical assets using AzureHound, exfiltrate data via the AzCopy CLI, delete backups and storage using Azure operations, and in some cases even encrypt files using custom Azure Key Vault keys.
Attacking the cloud rather than on-premises infrastructure allows for faster data exfiltration as well as the destruction of backups. Adding insult to injury, it also lets them reach out to their victims via Microsoft Teams and demand a ransom payment.
“Utilizing cloud-native capabilities, Storm-0501 quickly exfiltrated large amounts of data, destroyed data and backups within the victim environment and demanded ransom, all without relying on traditional malware deployment,” Microsoft wrote.
To mitigate the threat, companies must, before anything else, enforce MFA for all users, especially for privileged accounts. Then they must limit Directory Synchronization Account permissions, use TPM on Entra Connect Sync servers, and apply Azure Resource Locks and immutability policies.
Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud across all tenants and, of course, monitoring with Azure Activity Logs and advanced hunting queries.
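The monitoring advice above is easiest to act on with a concrete rule. The script below is an added example, not code from the article or from Microsoft: it reads Azure Activity Log records and flags any single identity that, within a short window, performs two or more of the destructive control-plane actions the article describes (removing resource locks, deleting backups, deleting storage accounts, or writing role assignments). The log lines are constructed samples shaped like a real Activity Log export (`operationName.value`, `caller`, `status.value`, `eventTimestamp`, `resourceId`); the operation names are real Azure Resource Manager operations, while the callers, subscription ids and resource ids are made-up placeholders.

```python
"""Flag callers that chain destructive Azure control-plane operations.

Added example (not from the article or Microsoft). Input is Activity Log
records in JSON Lines form; the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Real ARM operation names, grouped by the stage of the attack chain they signal.
DESTRUCTIVE_OPS = {
    "Microsoft.Authorization/locks/delete": "lock_removal",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete": "backup_deletion",
    "Microsoft.Storage/storageAccounts/delete": "storage_deletion",
    "Microsoft.Authorization/roleAssignments/write": "role_assignment",
}

# Constructed sample: callers, "SUB-A" and resource names are placeholders.
SAMPLE_LOG = """
{"eventTimestamp": "2025-08-27T09:00:00Z", "caller": "ops@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-test/providers/Microsoft.Storage/storageAccounts/sttest01"}
{"eventTimestamp": "2025-08-27T10:00:00Z", "caller": "svc-sync@contoso.example", "operationName": {"value": "Microsoft.Authorization/locks/delete"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/no-delete"}
{"eventTimestamp": "2025-08-27T10:05:00Z", "caller": "svc-sync@contoso.example", "operationName": {"value": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod"}
{"eventTimestamp": "2025-08-27T10:12:00Z", "caller": "svc-sync@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"}
{"eventTimestamp": "2025-08-27T10:15:00Z", "caller": "svc-sync@contoso.example", "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-A/providers/Microsoft.Authorization/roleAssignments/ra-1"}
{"eventTimestamp": "2025-08-27T10:20:00Z", "caller": "svc-sync@contoso.example", "operationName": {"value": "Microsoft.Compute/virtualMachines/read"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01"}
{"eventTimestamp": "2025-08-27T11:30:00Z", "caller": "intern@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "status": {"value": "Failed"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod02"}
{"eventTimestamp": "2025-08-27T11:31:00Z", "caller": "intern@contoso.example", "operationName": {"value": "Microsoft.Authorization/locks/delete"}, "status": {"value": "Failed"}, "resourceId": "/subscriptions/SUB-A/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/no-delete"}
"""


def parse_events(jsonl_text):
    """Parse JSON Lines Activity Log records into flat dicts."""
    events = []
    for line in jsonl_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "caller": rec["caller"],
            "op": rec["operationName"]["value"],
            "status": rec["status"]["value"],
            # Activity Log timestamps are UTC with a trailing Z.
            "time": datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00")),
            "resource": rec["resourceId"],
        })
    return events


def find_suspicious_callers(events, window_minutes=30, min_categories=2, include_failed=False):
    """Return {caller: details} for callers hitting >= min_categories distinct
    destructive categories inside any sliding window of window_minutes.
    Failed attempts are ignored unless include_failed is set (they are still
    worth a lower-severity alert: a blocked deletion means a lock or policy worked)."""
    window = timedelta(minutes=window_minutes)
    by_caller = defaultdict(list)
    for ev in events:
        category = DESTRUCTIVE_OPS.get(ev["op"])
        if category is None:
            continue  # benign read/write, not part of the destructive chain
        if ev["status"] != "Succeeded" and not include_failed:
            continue
        by_caller[ev["caller"]].append((ev["time"], category, ev["resource"]))

    hits = {}
    for caller, evs in by_caller.items():
        evs.sort()
        best = None
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            categories = {e[1] for e in in_window}
            if len(categories) >= min_categories and (best is None or len(categories) > len(best["categories"])):
                best = {
                    "categories": categories,
                    "first": start,
                    "last": in_window[-1][0],
                    "events": len(in_window),
                }
        if best is not None:
            hits[caller] = best
    return hits


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for caller, info in find_suspicious_callers(EVENTS).items():
        print(f"{caller}: {sorted(info['categories'])} in {info['events']} events "
              f"between {info['first'].isoformat()} and {info['last'].isoformat()}")
```

On the sample, only the synchronized service identity is flagged, because the earlier single storage deletion by an operator never reaches a second category and the intern's failed attempts are filtered out by default. The same rule ports directly to an advanced hunting query (group by caller, count distinct categories over a time bin), and tuning `window_minutes` and `min_categories` trades false positives from legitimate decommissioning against missed slow-moving intrusions.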