Storm-0501 Ransomware Threat Actor Expands Attacks to Hybrid Cloud Environments

September 27, 2024

Storm-0501, a ransomware threat actor, has changed its attack tactics and is now targeting hybrid cloud environments, according to Microsoft. The threat actor was first identified in 2021 as an affiliate of the Sabbath ransomware operation. It has since been observed deploying malware from the Hive, BlackCat, LockBit, and Hunters International gangs, and most recently, the Embargo ransomware.

The victims of Storm-0501's recent attacks include hospitals, government entities, manufacturing and transportation organizations, and law enforcement agencies in the United States. The attacker accesses cloud environments by exploiting weak credentials and leveraging privileged accounts with the aim of data theft and ransomware payload execution.

Microsoft has detailed that Storm-0501 gains initial network access through stolen or bought credentials, or by exploiting known vulnerabilities. The vulnerabilities exploited in recent attacks include CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and possibly CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016). The threat actor then moves laterally using tools like Impacket and Cobalt Strike, steals data via a custom Rclone binary renamed to mimic a Windows tool, and disables security agents with PowerShell cmdlets.

Using stolen Microsoft Entra ID (formerly Azure AD) credentials, Storm-0501 transitions from on-premise to cloud environments, compromising synchronization accounts and hijacking sessions for persistence. If the threat actor gains access to the Directory Synchronization Account credentials, they can use tools like AADInternals to change cloud passwords, thus circumventing additional protections. If a high-privilege on-premises account also exists in the cloud environment without proper protections, Storm-0501 may use the same credentials for repeated cloud access.

Upon gaining access to the cloud infrastructure, the threat actor plants a persistent backdoor by creating a new federated domain within the Microsoft Entra tenant. This allows them to authenticate as any user with a known or set 'Immutableid' property. Finally, they deploy the Embargo ransomware on the victim's on-premise and cloud environments or maintain backdoor access for future use. 'Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization' Microsoft stated. 'We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network,' Microsoft added. The ransomware payload is deployed using compromised accounts, via scheduled tasks or Group Policy Objects (GPOs), to encrypt files across the organization's devices.

The Embargo threat group operates a ransomware-as-a-service (RaaS) operation using Rust-based malware. It accepts affiliates who breach companies to deploy the payload and share a portion of the profits with the developers. In August 2024, an Embargo ransomware affiliate targeted the American Radio Relay League (ARRL) and received $1 million for a working decryptor. Earlier this year, an Embargo affiliate breached Firstmac Limited, one of Australia's largest mortgage lending and investment management firms, and leaked 500GB of sensitive data when the negotiation deadline was reached.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.