Ransomware Group Uses Stolen Microsoft Entra ID Credentials to Breach Hybrid Cloud Environments

Published: Sep 30, 2024


Key Takeaways:

  • Storm-0501 has shifted its focus to exploiting vulnerabilities in hybrid cloud environments.
  • The cybercriminal group is using stolen Entra ID credentials to compromise both on-premises and cloud systems.
  • Microsoft advises organizations to enhance security by enabling Conditional Access policies and other security protections to prevent hybrid cloud attacks.

Microsoft has warned that the threat actor Storm-0501 has shifted its focus to exploiting weaknesses in hybrid cloud environments. The company detailed in a security advisory that the group is now using stolen Entra ID credentials to target organizations.

Storm-0501 was first observed in 2021 as a ransomware-as-a-service (RaaS) affiliate of the Sabbath ransomware operation. The group has also been involved in deploying Hive, BlackCat (ALPHV), Hunters International, and LockBit. Storm-0501 has targeted multiple sectors, including government, hospitals, manufacturing, law enforcement, and transportation.

Cloud compromise leading to backdoor access

Microsoft recently discovered that the Storm-0501 group is deploying the Embargo ransomware. The attackers used stolen Entra ID credentials to move from on-premises systems to cloud environments. Specifically, Storm-0501 compromised Entra Connect Sync service accounts, which synchronize data between on-premises Active Directory (AD) and Microsoft Entra ID. This breach could allow the hackers to set or change the Entra ID passwords for any hybrid account.

“We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts,” the Microsoft Threat Intelligence team explained.

Additionally, Storm-0501 has employed a tactic involving the compromise of an on-premises Domain Admin account that also exists in the cloud environment. The account lacks multifactor authentication (MFA) and holds the Global Administrator role. That combination lets the threat actor gain persistent access by creating a new federated domain, which can then be used to authenticate as any user in the Entra ID tenant.

Figure 1. Storm-0501 attack chain (Image Credit: Microsoft)

How to mitigate Storm-0501 ransomware attacks?

Finally, Storm-0501 either deploys Embargo ransomware in the target's on-premises and cloud environments or, in some cases, chooses instead to maintain backdoor access to the corporate network.

Microsoft Entra ID has recently introduced a change that restricts the permissions of the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. It should help prevent attackers from abusing Directory Synchronization Accounts in cyberattacks.

Microsoft also recommends that customers should enable Conditional Access policies, Entra ID protections, and Microsoft Defender for Cloud Apps connectors. The company also advises turning on tamper protection features to block attacks that target cloud environments.
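The two cloud-side actions described above, switching a domain to federated authentication and granting the Global Administrator role, both leave records in the Entra ID audit log. As an added example that is not part of the original article or of any Microsoft tooling, the script below triages newline-delimited audit-log records (the Microsoft Graph directoryAudit shape) and flags domain federation changes and privileged role grants. The activity names, property names, sample records, account names and domains are constructed assumptions and should be checked against the records your own tenant emits.

```python
import json

# Activity names and property names are assumed to match what Entra ID writes
# to its audit log (Microsoft Graph directoryAudit shape); verify them against
# your own tenant's records before depending on them.
FEDERATION_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
    "Add unverified domain",
    "Add verified domain",
}
ROLE_ACTIVITY = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Hybrid Identity Administrator"}


def _actor(event):
    """Who initiated the event: user UPN, app display name, or 'unknown'."""
    who = event.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _decode(value):
    """modifiedProperties old/new values are JSON-encoded strings ('"Federated"')."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except ValueError:
        return value


def triage_events(events):
    """Return findings for domain-federation changes and privileged role grants."""
    findings = []
    for ev in events:
        activity = ev.get("activityDisplayName", "")
        actor = _actor(ev)
        for target in ev.get("targetResources") or []:
            props = {p.get("displayName"): _decode(p.get("newValue"))
                     for p in target.get("modifiedProperties") or []}
            if activity in FEDERATION_ACTIVITIES:
                # A newly added domain, or an existing one switched to Federated,
                # is the persistence step described in the article.
                if activity.startswith("Add") or props.get("AuthenticationType") == "Federated":
                    findings.append({"severity": "high", "activity": activity, "actor": actor,
                                     "target": target.get("displayName"),
                                     "detail": "domain federation change"})
            elif activity == ROLE_ACTIVITY and props.get("Role.DisplayName") in PRIVILEGED_ROLES:
                findings.append({"severity": "high", "activity": activity, "actor": actor,
                                 "target": target.get("userPrincipalName") or target.get("displayName"),
                                 "detail": f"granted {props['Role.DisplayName']}"})
    return findings


def triage_lines(lines):
    """Parse newline-delimited JSON audit records and triage them."""
    return triage_events(json.loads(line) for line in lines if line.strip())


# Constructed sample records (not real tenant data); names and domains are made up.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-09-28T02:11:05Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example"}},
     "targetResources": [{"displayName": "contoso-dr.example", "modifiedProperties": [
         {"displayName": "AuthenticationType", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
    {"activityDateTime": "2024-09-28T02:14:40Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2024-09-28T09:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "asmith@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]},
    {"activityDateTime": "2024-09-28T09:05:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "asmith@contoso.example", "modifiedProperties": []}]},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in triage_lines(SAMPLE_LOG_LINES):
        print(f"[{f['severity']}] {f['activity']} by {f['actor']} on {f['target']}: {f['detail']}")
```

Run against the constructed sample, the script reports the Managed-to-Federated switch and the Global Administrator grant, both initiated by the same synchronization account, and ignores the Helpdesk Administrator grant and the routine user update. In practice the same two conditions are worth an alert rule in whatever SIEM ingests the audit log, with an allow-list of the domains that are legitimately federated.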
