Microsoft has recently identified a cybercriminal group known as “Storm-0501” that has been orchestrating financially motivated attacks on hybrid cloud environments, marking a significant shift in their operations. Initially targeting U.S. school districts in 2021 as a Ransomware as a Service (RaaS) affiliate, the group’s focus has broadened to include sectors such as government, manufacturing, transportation, law enforcement, and more recently, hospitals. Their operations encompass a variety of malicious activities including data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment.
Methods and Strategies
Storm-0501 employs a range of methods to exploit weak credentials and over-privileged accounts, effectively navigating from a targeted organization’s on-premises environment to its cloud environment. Microsoft has observed the group utilizing various strategies to breach networks, such as using stolen credentials and exploiting known vulnerabilities in software like Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016.
Once inside a network, Storm-0501 methodically explores to identify high-value targets such as domain controllers and high-privilege accounts. The group leverages common Windows tools like systeminfo.exe, net.exe, nltest.exe, and tasklist.exe during this reconnaissance phase. After gaining control, they deploy renamed binaries of the open-source tool Rclone to exfiltrate sensitive data to cloud storage services, disguising these binaries as legitimate Windows files like svhost.exe.
Ransomware Deployment and Evolution
A core part of Storm-0501’s attack strategy involves using the RaaS model with ransomware strains provided by other threat actors. Over time, the group has utilized multiple ransomware variants such as Hive, BlackCat (ALPHV), Hunters International, and LockBit. The latest ransomware they employ is Embargo, which is noted for its advanced encryption capabilities and is written in Rust. Embargo’s operations employ a double extortion tactic, where victims’ files are encrypted and they are threatened with the public release of stolen data unless a ransom is paid.
Microsoft’s Response and Mitigation Efforts
In response to these threats, Microsoft has implemented changes in Microsoft Entra ID to restrict permissions on Directory Synchronization Accounts (DSA) roles, aiming to prevent potential abuse in such cyberattacks. This measure seeks to mitigate the risk posed by compromised credentials in attacks targeting directory synchronization accounts.
Conclusion
Microsoft has recently uncovered a cybercriminal collective named ‘”Storm-0501″, engaged in financially driven attacks on hybrid cloud environments. This marks a noticeable evolution in their tactics. Initially, in 2021, this group targeted U.S. school districts as a Ransomware as a Service (RaaS) partner. However, they have since expanded their reach to various sectors, including government agencies, the manufacturing industry, the transportation sector, law enforcement agencies, and, more recently, healthcare institutions.
Storm-0501’s operations involve a wide range of harmful activities. They are engaged in data exfiltration, which involves stealing sensitive information. Additionally, they are involved in credential theft, illegally obtaining user credentials to gain unauthorized access to systems. They also tamper with systems, create persistent backdoor access to maintain control over compromised networks, and deploy ransomware to lock up critical data and demand ransoms. Microsoft’s identification of Storm-0501 highlights the growing complexity and diversification of cyber threats targeting multiple crucial sectors.