Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.

The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from the on-premises to the cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said.

“Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations,” according to the tech giant's threat intelligence team.

Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over time, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.


A notable aspect of Storm-0501's attacks is the use of weak credentials and over-privileged accounts to move from an organization's on-premises infrastructure to its cloud infrastructure.

Other initial access methods include using a foothold already established by access brokers like Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.

The access afforded by any of the aforementioned approaches paves the way for extensive discovery operations to determine high-value assets, gather domain information, and perform Active Directory reconnaissance. This is followed by the deployment of remote monitoring and management (RMM) tools like AnyDesk to maintain persistence.

“The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods,” Microsoft said.

“The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials.”

The compromised credentials are then used to access even more devices and extract additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and conducting brute-force attacks to obtain credentials for specific accounts.

Hybrid Cloud Ransomware Attacks

Microsoft said it detected Storm-0501 using Cobalt Strike to move laterally across the network with the compromised credentials and send follow-on commands. Data exfiltration from the on-premises environment is achieved by using Rclone to transfer the data to the MegaSync public cloud storage service.

The threat actor has also been observed creating persistent backdoor access to the cloud environment and deploying ransomware on-premises, making it the latest threat actor to target hybrid cloud setups after Octo Tempest and Manatee Tempest.

“The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor,” Redmond said.

The pivot to the cloud is said to be achieved either through a compromised Microsoft Entra Connect Sync user account or via cloud session hijacking of an on-premises user account that has a corresponding admin account in the cloud with multi-factor authentication (MFA) disabled.

The attack culminates with the deployment of Embargo ransomware across the victim organization once the actor has obtained sufficient control over the network, exfiltrated files of interest, and moved laterally to the cloud. Embargo is a Rust-based ransomware first discovered in May 2024.
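The two pivot conditions described above (weak or over-privileged synced accounts, and a cloud admin account without MFA that mirrors an on-premises account) are exactly what a defender can inventory ahead of time. The following is an added audit example written for this article, not code from Microsoft's report; the account schema, the sync-account flag and the sign-in log format are constructed assumptions standing in for whatever an Entra ID export or SIEM would provide.

```python
import json
from dataclasses import dataclass

# Hypothetical privileged-role set. "Global Administrator" is a real Entra ID role;
# the others are included only to make this constructed audit realistic.
PRIVILEGED_ROLES = frozenset({"Global Administrator", "Privileged Role Administrator",
                              "Exchange Administrator"})

@dataclass(frozen=True)
class Account:
    upn: str
    synced_from_onprem: bool            # exists in AD and is synced into Entra ID
    cloud_roles: frozenset              # directory roles held in the cloud
    mfa_enforced: bool
    sync_service_account: bool = False  # Entra Connect Sync account (assumed flag)

def audit_accounts(accounts):
    """Return (finding, upn) pairs for accounts that make an on-prem-to-cloud pivot cheap."""
    findings = []
    for a in accounts:
        privileged = bool(a.cloud_roles & PRIVILEGED_ROLES)
        if a.synced_from_onprem and privileged and not a.mfa_enforced:
            # a stolen on-prem password becomes a cloud admin session with no second factor
            findings.append(("synced-admin-without-mfa", a.upn))
        elif a.synced_from_onprem and privileged:
            # MFA helps, but a cloud-only admin account removes the on-prem dependency
            findings.append(("synced-admin", a.upn))
    return findings

def audit_signins(accounts, signin_lines):
    """Flag interactive sign-ins by a sync service account; it is expected to
    authenticate only non-interactively from the sync server."""
    sync_upns = {a.upn for a in accounts if a.sync_service_account}
    return [(ev["upn"], ev["ip"]) for ev in map(json.loads, signin_lines)
            if ev["upn"] in sync_upns and ev["interactive"]]

# Constructed sample inventory and sign-in log (not real data).
ACCOUNTS = [
    Account("alice@corp.example", True, frozenset({"Global Administrator"}), False),
    Account("bob@corp.example", True, frozenset({"Exchange Administrator"}), True),
    Account("carol@corp.example", False, frozenset({"Global Administrator"}), True),
    Account("sync_abc123@corp.example", False, frozenset(), False, True),
]
SIGNINS = [
    '{"upn": "sync_abc123@corp.example", "ip": "10.0.0.5", "interactive": false}',
    '{"upn": "sync_abc123@corp.example", "ip": "203.0.113.7", "interactive": true}',
    '{"upn": "alice@corp.example", "ip": "10.0.0.9", "interactive": true}',
]

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS) + audit_signins(ACCOUNTS, SIGNINS):
        print(*finding)
```

On the constructed data, alice is the account Storm-0501's pivot depends on (synced, privileged, no MFA) and the sync account's interactive sign-in from an external address is the anomaly worth alerting on.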

“Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom,” Microsoft said.

“Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.”


The disclosure comes as the DragonForce ransomware group has been targeting companies in the manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit3.0 builder and a modified version of Conti.

The attacks are characterized by the use of the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. The U.S. accounts for more than 50% of the total victims, followed by the U.K. and Australia.

“The group employs double extortion tactics, encrypting data, and threatening leaks unless a ransom is paid,” Singapore-headquartered Group-IB said. “The affiliate program, launched on 26 June 2024, offers 80% of the ransom to affiliates, along with tools for attack management and automation.”
