The threat actor known as Storm-0501 has targeted the government, manufacturing, transportation and law enforcement sectors in the US to launch ransomware attacks.
The multi-stage attack campaign is designed to breach hybrid cloud environments and move laterally from on-premises to cloud environments, ultimately leading to data theft, credential theft, spoofing, persistent backdoor access and ransomware deployment, Microsoft said.
“Storm-0501 is a financially motivated cybercriminal group that uses open source products and tools to conduct ransomware operations,” according to the tech giant’s threat intelligence team.
The threat actor, which has been active since 2021, already had a history of attacking educational organizations with Sabbath ransomware (54bb47h) before evolving into a ransomware-as-a-service (RaaS) affiliate that has deployed various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo.
A notable aspect of Storm-0501 attacks is the use of weak credentials and overly privileged accounts to move from an organization’s on-premises network to its cloud infrastructure.
Other initial access methods include leveraging a foothold already established by access brokers such as Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched Internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.
Access provided by any of the above approaches paves the way for extensive operations to discover valuable assets, collect domain information, and perform Active Directory reconnaissance. This is followed by the deployment of remote monitoring and management (RMM) tools such as AnyDesk to maintain persistence.
“The threat actor took advantage of administrative privileges on the local devices it compromised during the initial access and attempted to gain access to more accounts on the network using multiple methods,” Microsoft said.
“The threat actor primarily used Impacket’s SecretsDump module, which extracts network credentials, and used it to obtain credentials on a large number of devices.”
The compromised credentials are then used to access even more devices and obtain additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and performing brute force attacks to obtain credentials for specific accounts.
Microsoft said it discovered that Storm-0501 was using Cobalt Strike to move laterally across the network with the compromised credentials, sending the following commands. Exfiltration of data from the local environment is done using Rclone to transfer the data to MegaSync’s public cloud storage service.
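The Rclone-to-Mega exfiltration described above leaves a recognizable trace in outbound proxy logs: an `rclone/` user agent, upload methods, and Mega storage hosts. The following detection is an added example written for this article, not code from Microsoft’s report; the log format and every log line are constructed for illustration, and the 100 MiB per-request threshold is an assumed tuning value.

```python
"""Flag likely Rclone-to-Mega exfiltration in outbound web proxy logs.

Added example, not from the article or Microsoft's report. The log format
and every line in SAMPLE_LOG are constructed; real proxy schemas differ.
"""
import re
from dataclasses import dataclass

# Constructed log format: timestamp client method host bytes_out user-agent
SAMPLE_LOG = """\
2024-09-10T02:14:07Z 10.20.5.17 POST g.api.mega.co.nz 734003200 rclone/v1.67.0
2024-09-10T02:14:09Z 10.20.5.17 PUT storage-node.userstorage.mega.co.nz 524288000 rclone/v1.67.0
2024-09-10T08:02:11Z 10.20.7.42 GET www.example.com 1200 Mozilla/5.0
2024-09-10T09:30:00Z 10.20.5.99 PUT files.internal.example 104857600 Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_out>\d+) (?P<ua>.+)$"
)
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")      # Mega's public storage domains
UPLOAD_METHODS = {"POST", "PUT"}
BIG_UPLOAD_BYTES = 100 * 1024 * 1024          # assumed threshold: 100 MiB per request


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    host: str
    bytes_out: int
    reasons: tuple


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_mega_host(host):
    """True for Mega's domains and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def analyze(log_text):
    """Return one Finding per log line that shows at least one exfiltration indicator."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        if rec["ua"].startswith("rclone/"):
            reasons.append("rclone user-agent")
        is_upload = rec["method"] in UPLOAD_METHODS
        if is_upload and is_mega_host(rec["host"]):
            reasons.append("upload to Mega cloud storage")
        if is_upload and int(rec["bytes_out"]) >= BIG_UPLOAD_BYTES:
            reasons.append("large single upload")
        if reasons:
            findings.append(Finding(rec["ts"], rec["client"], rec["host"],
                                    int(rec["bytes_out"]), tuple(reasons)))
    return findings


def bytes_to_mega_by_client(log_text):
    """Sum bytes uploaded to Mega per internal client, to spot bulk transfers."""
    totals = {}
    for f in analyze(log_text):
        if "upload to Mega cloud storage" in f.reasons:
            totals[f.client] = totals.get(f.client, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(bytes_to_mega_by_client(SAMPLE_LOG))
```

The three indicators are scored independently so that a renamed binary (no `rclone/` user agent) or a different storage provider still surfaces on the volume and destination signals; per-client byte totals are what an analyst would pivot on first.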
The threat actor was also seen creating persistent backdoor access to the cloud environment and deploying ransomware on-premises, making it the latest threat actor to target hybrid cloud installations after Octo Tempest and Manatee Tempest.
“The threat actor used credentials, specifically the Microsoft Entra (formerly Azure AD) identity that had been stolen earlier in the attack, to migrate from on-premises to the cloud environment and establish persistent access to the target network via a backdoor,” Redmond said.
The pivot to the cloud is said to be accomplished either through a compromised Microsoft Entra Connect Sync user account or by hijacking the cloud session of an on-premises user account that has a corresponding cloud administrator account with multi-factor authentication (MFA) disabled.
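Both pivot paths depend on conditions a defender can audit: a synced on-premises identity that maps to a cloud administrator without MFA, and an Entra Connect Sync service account authenticating from somewhere other than the Connect server. The script below is an added example for this article, not code from Microsoft or from Entra; the account records, sign-in events, subnet and field names are constructed assumptions rather than an Entra API schema.

```python
"""Audit the hybrid-identity exposure the Storm-0501 cloud pivot relies on.

Added example, not from the article or Microsoft's report. Accounts, sign-ins
and the allowed subnet are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Role assigned to Entra Connect's cloud sync account; other names are examples.
SYNC_ROLE = "Directory Synchronization Accounts"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass(frozen=True)
class CloudAccount:
    upn: str
    synced_from_onprem: bool   # identity mastered in on-prem AD
    roles: tuple = ()
    mfa_enforced: bool = False


@dataclass(frozen=True)
class SignIn:
    upn: str
    source_ip: str
    succeeded: bool


# Constructed tenant snapshot
ACCOUNTS = [
    CloudAccount("alice.admin@contoso.example", True, ("Global Administrator",), False),
    CloudAccount("bob@contoso.example", True, (), False),
    CloudAccount("carol.admin@contoso.example", False, ("Global Administrator",), True),
    CloudAccount("Sync_SRV01_a1b2c3@contoso.example", False, (SYNC_ROLE,), False),
]
# Constructed: the subnet where the Entra Connect server lives
SYNC_SERVER_NETS = [ip_network("10.20.1.0/24")]
# Constructed sign-in events
SIGNINS = [
    SignIn("Sync_SRV01_a1b2c3@contoso.example", "10.20.1.10", True),
    SignIn("Sync_SRV01_a1b2c3@contoso.example", "203.0.113.45", True),
    SignIn("alice.admin@contoso.example", "10.20.5.17", True),
]


def find_unprotected_synced_admins(accounts):
    """Cloud admins whose identity is synced from AD and who lack enforced MFA.

    Compromising such an account on-prem hands the attacker cloud admin rights
    with no second factor in the way."""
    return [
        a.upn for a in accounts
        if a.synced_from_onprem
        and set(a.roles) & PRIVILEGED_ROLES
        and not a.mfa_enforced
    ]


def find_sync_account_anomalies(accounts, signins, allowed_nets):
    """Successful sync-account sign-ins from outside the Connect server subnet."""
    sync_upns = {a.upn for a in accounts if SYNC_ROLE in a.roles}
    anomalies = []
    for s in signins:
        if s.upn not in sync_upns or not s.succeeded:
            continue
        addr = ip_address(s.source_ip)
        if not any(addr in net for net in allowed_nets):
            anomalies.append((s.upn, s.source_ip))
    return anomalies


def audit(accounts=ACCOUNTS, signins=SIGNINS, allowed_nets=SYNC_SERVER_NETS):
    """Run both checks and return a report dict."""
    return {
        "synced_admins_without_mfa": find_unprotected_synced_admins(accounts),
        "sync_account_anomalies": find_sync_account_anomalies(accounts, signins, allowed_nets),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits}")
```

The first check feeds a remediation list (cloud-only break-glass admins, MFA enforced via policy); the second is a standing detection, since the sync account has no reason to authenticate from anywhere but the Connect server.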
The attack is completed by deploying the Embargo ransomware in the victim organization after gaining sufficient control over the network, stealing the files of interest and moving laterally to the cloud. Embargo is a Rust-based ransomware first discovered in May 2024.
“Operating on a RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom,” Microsoft said.
“Embargo affiliates use a dual extortion tactic where they first encrypt the victim’s files and threaten to leak the stolen sensitive data unless the ransom is paid.”
The disclosure comes as the DragonForce ransomware group has targeted companies in the manufacturing, real estate and transportation sectors using a leaked variant of the LockBit 3.0 builder and a modified version of Conti.
Attacks are characterized by the use of the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential gathering, and Cobalt Strike for lateral movement. The US accounts for more than 50% of the total number of victims, followed by the UK and Australia.
“The group uses a two-pronged extortion tactic, encrypting data and threatening to leak it if the ransom is not paid,” Singapore-headquartered Group-IB said. “The affiliate program, launched on June 26, 2024, offers 80% payouts to affiliates along with attack management and automation tools.”