Microsoft says it's identified a financially motivated cyber criminal group that uses open source tools to target hybrid cloud environments.
Known as 'Storm-0501', the group has been hitting a range of US organizations, including government, manufacturing, transportation, and law enforcement, carrying out data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware attacks.
First spotted in 2021, the group first targeted US school districts, but later moved on to more opportunistic attacks as a ransomware as a Service (RaaS) affiliate.
It's been using a number of ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. It has also recently been targeting hospitals.
"Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environments to cloud environments," Microsoft said in an advisory.
"They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises."
The group's access techniques include the use of stolen credentials and known exploits to find over-privileged accounts - for example through known vulnerabilities in Zoho ManageEngine, Citrix NetScaler and ColdFusion 2016 applications.
"After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust," Microsoft said.
"Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase."
Stolen credentials have allowed Storm-0501 to move laterally across the network to reach a domain controller, and then deploy ransomware across the devices in said network.
It's been spotted exfiltrating sensitive data from compromised devices by using the open source tool Rclone and renaming it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe.
The renamed Rclone binaries were used to transfer data to the cloud using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads.
Once the group achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, it deployed the Embargo ransomware across the organization.
"Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft explained.
"Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid."
Microsoft said it's recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync.
This, the tech giant said, helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.
