Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Essential information
- Published: 30/09/2024 10:37
- Modified: 30/09/2024 10:48
- Tags: 2024-09-30 CVE-2022-47966 CVE-2023-29300 CVE-2023-38203 CVE-2023-4966 aadinternals backdoor cobalt strike credential-theft data exfiltration embargo hybrid-cloud impacket lateral movement ransomware rclone
- Related entities: 4 vulnerabilities (cve), 14 observables, 1 intrusion set (apt), 20 techniques (mitre), 5 malware, 4 others
Description
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent backdoor access, and deploys ransomware. Their recent campaign targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 exploits vulnerabilities in public-facing servers, uses commodity and open-source tools, and operates as a ransomware-as-a-service affiliate. They have expanded their tactics to include pivoting from on-premises to cloud environments, particularly exploiting Microsoft Entra Connect Sync accounts and cloud session hijacking. The group's ultimate goal is often to deploy Embargo ransomware across the organization's devices.