Storm-0501 breached a large enterprise's on-premises and Azure environments, exfiltrating and destroying data and contacting the victim via a compromised Microsoft Teams account to demand ransom. The crew escalated privileges by compromising Active Directory and Microsoft Entra ID, gaining global admin-level access, implanting backdoors, and sometimes deploying ransomware. The attackers leveraged cloud-native capabilities to quickly move large volumes of data and eliminate backups without relying on traditional endpoint malware. The victim's multiple subsidiaries used separate Active Directory domains and Azure tenants with uneven Defender protections, enabling cross-domain access and widening the impact.
Storm-0501, a financially motivated cybercrime crew, recently broke into a large enterprise's on-premises and cloud environments, ultimately exfiltrating and destroying data within the org's Azure environment. The criminals then contacted the victim via a Microsoft Teams account that they'd also compromised in the attack, demanding a ransom payment for the stolen files. This attack, according to Microsoft's threat intelligence team, illustrates a scary shift in ransomware tactics, which are moving away from traditional endpoint-based attacks and toward cloud-based ransomware.
"Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom - all without relying on traditional malware deployment," Redmond wrote in a Wednesday report shared with The Register. "Storm" is the naming convention Microsoft uses for emerging threat groups, and in September 2024 the Windows giant detailed how Storm-0501 extended its on-premises ransomware operations into hybrid cloud environments.
In those earlier attacks, the crew compromised Active Directory environments and then pivoted to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global admin-level privileges before implanting backdoors and, in some cases, deploying ransomware. In the more recent attack, Storm-0501 again escalated privileges and abused identities across the compromised environment to jump from on-premises to cloud. The victim company had multiple subsidiaries, and each operated its own Active Directory domain, configured to allow cross-domain authentication and resource access.
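The on-prem-to-cloud path described above runs through hybrid identities: an account synced from a compromised Active Directory domain that also holds Global Administrator in Entra ID hands the attacker the tenant. The script below is an added check written for this article, not code from Microsoft's report or from The Register. It assumes the Microsoft Graph PowerShell SDK is installed and that the caller can consent to the RoleManagement.Read.Directory and User.Read.All scopes; it lists every Global Administrator and flags those synced from on-premises AD, which is the exposure the usual hardening guidance (cloud-only accounts for privileged cloud roles) removes.

```powershell
# Added example: find Global Administrators in Entra ID that are synced
# from on-premises AD, i.e. accounts a domain compromise could ride into
# the tenant. Assumes the Microsoft.Graph SDK and the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

# The Global Administrator role template ID is the same in every tenant.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant." }

$findings = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Members may be users, groups or service principals; only users carry the sync flag.
    if ($m.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesDistinguishedName
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        SyncedFromAD      = [bool]$u.OnPremisesSyncEnabled
        OnPremDN          = $u.OnPremisesDistinguishedName
    }
}

$findings | Sort-Object SyncedFromAD -Descending | Format-Table -AutoSize

$hybrid = @($findings | Where-Object SyncedFromAD)
if ($hybrid.Count -gt 0) {
    $msg = "{0} Global Administrator account(s) are synced from on-premises AD; a domain compromise can reach them." -f $hybrid.Count
    Write-Warning $msg
}
```

Run it per tenant; an organisation with several subsidiaries, each with its own domain and tenant as in the case above, needs the check in each one, and group members of the role (which this script skips) should be expanded separately.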