Hybrid cloud environments are under serious threat from hackers – here’s what you need to know
Storm-0501 has been carrying out data exfiltration, credential theft, tampering, persistent backdoor access and ransomware deployment


Microsoft says it's identified a financially motivated cyber criminal group that uses open source tools to target hybrid cloud environments.
Known as 'Storm-0501', the group has been hitting a range of US organizations, including government, manufacturing, transportation, and law enforcement, carrying out data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware attacks.
First spotted in 2021, the group initially targeted US school districts, but later moved on to more opportunistic attacks as a ransomware-as-a-service (RaaS) affiliate.
It's been using a number of ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. It has also recently been targeting hospitals.
"Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environments to cloud environments," Microsoft said in an advisory.
"They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises."
The group's initial access techniques include the use of stolen credentials and known exploits to find over-privileged accounts, for example through known vulnerabilities in Zoho ManageEngine, Citrix NetScaler and ColdFusion 2016 applications.
"After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust," Microsoft said.
"Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase."
Stolen credentials have allowed Storm-0501 to move laterally across the network to reach a domain controller, and then deploy ransomware across the devices in said network.
It's been spotted exfiltrating sensitive data from compromised devices by using the open source tool Rclone and renaming it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe.
The renamed Rclone binaries were used to transfer data to the cloud using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads.
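The renamed Rclone binaries described above (svhost.exe, scvhost.exe) are a detection opportunity for defenders. The following is an added example, not code from the article or from Microsoft: it scans constructed Sysmon-style process-creation records and flags images whose file name is a near-miss of a legitimate Windows binary, or whose PE original file name does not match the name on disk. The field names (Computer, Image, OriginalFileName) and the sample events are assumptions.

```python
# Added example: spot lookalike process names and renamed binaries in
# Sysmon-style Event ID 1 records. Field names and samples are assumptions.

# Legitimate Windows binaries that attackers commonly imitate by name.
KNOWN_WINDOWS_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe",
                          "explorer.exe", "conhost.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (standard DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the Windows binary `name` imitates (distance <= 2), or None
    when it is an exact legitimate name or not close to any."""
    name = name.lower()
    if name in KNOWN_WINDOWS_BINARIES:
        return None
    best = min(KNOWN_WINDOWS_BINARIES, key=lambda k: edit_distance(name, k))
    return best if edit_distance(name, best) <= 2 else None

def analyze(events):
    """Return (host, image path, reasons) for each suspicious event."""
    findings = []
    for ev in events:
        image = ev["Image"].replace("\\", "/").rsplit("/", 1)[-1]
        reasons = []
        target = lookalike_of(image)
        if target:
            reasons.append(f"name imitates {target}")
        orig = ev.get("OriginalFileName", "").lower()
        if orig and orig != image.lower():   # e.g. rclone.exe renamed on disk
            reasons.append(f"PE original name is {orig}")
        if reasons:
            findings.append((ev["Computer"], ev["Image"], reasons))
    return findings

# Constructed sample events: two renamed Rclone copies among normal processes.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Computer": "WS01", "Image": r"C:\Users\Public\svhost.exe", "OriginalFileName": "rclone.exe"},
    {"Computer": "SRV02", "Image": r"C:\ProgramData\scvhost.exe", "OriginalFileName": "rclone.exe"},
    {"Computer": "WS03", "Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE"},
]

if __name__ == "__main__":
    for host, image, reasons in analyze(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {'; '.join(reasons)}")
```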
Once the group achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, it deployed the Embargo ransomware across the organization.
"Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft explained.
"Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid."
Microsoft said it's recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync.
This, the tech giant said, helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.