Published: Sep 30, 2024
Key Takeaways:
Microsoft has warned that the threat actor Storm-0501 has shifted its focus to exploiting weaknesses in hybrid cloud environments. The company detailed in a security advisory that the group is now leveraging stolen Entra ID credentials to target organizations.
Storm-0501 was first discovered in 2021 as a ransomware-as-a-service (RaaS) affiliate for the Sabbath ransomware operation. The group has also been involved in deploying Hive, BlackCat (ALPHV), Hunters International, and LockBit. Storm-0501 has targeted multiple sectors, including government, hospitals, manufacturing, law enforcement, and transportation.
Microsoft recently discovered that the Storm-0501 group is deploying the Embargo ransomware. The attackers used stolen Entra ID credentials to move from on-premises systems to cloud environments. Specifically, Storm-0501 compromised Entra Connect Sync service accounts, which synchronize data between on-premises Active Directory (AD) and Microsoft Entra ID. This breach could allow the hackers to set or change the Entra ID passwords for any hybrid account.
“We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts,” the Microsoft Threat Intelligence team explained.
Additionally, Storm-0501 has employed a tactic involving the compromise of an on-premises Domain Admin account that also exists in the cloud environment. Such an account lacked multifactor authentication (MFA) and held a global administrator role. This enables the threat actor to gain persistent access by creating a new federated domain, which can then be used to authenticate as any user in the Entra ID tenant.
Lastly, Storm-0501 either deploys Embargo ransomware in the target's on-premises and cloud environments or, in some cases, chooses instead to maintain backdoor access to the corporate network.
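As an added illustration of how a defender might triage the two persistence moves described above (a directory synchronization account resetting passwords of hybrid accounts, and a new federated domain being configured), here is a small Python script that runs simple rules over Entra audit-log entries. It is not code from the article or from Microsoft: the audit entries are constructed, and the field names (activityDisplayName, initiatedBy, targetResources) and the activity strings are assumptions modelled loosely on the shape of Microsoft Graph directoryAudits records, to be checked against a real export before use.

```python
"""Heuristic triage of Microsoft Entra audit-log entries for two of the
Storm-0501 persistence moves: a sync account resetting hybrid-account
passwords, and a change to how a domain authenticates (federation).

Added example, not Microsoft's or the article's code. The entries in
SAMPLE_EVENTS are CONSTRUCTED to resemble Graph /auditLogs/directoryAudits
records; the field names and activity strings below are assumptions and
should be verified against a real export. The 'Sync_' prefix is the default
naming of Entra Connect sync accounts.
"""
import json

# Activities that change domain authentication; a newly federated domain lets
# an attacker mint tokens for any user in the tenant (assumed activity names).
FEDERATION_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
}
PASSWORD_ACTIVITIES = {"Reset user password", "Change user password"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _initiator(event):
    """Return the UPN of the principal that performed the action, or ''."""
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName") or ""


def _targets(event, kind=None):
    """Return the event's target resources, optionally filtered by type."""
    return [t for t in event.get("targetResources", [])
            if kind is None or t.get("type") == kind]


def triage_event(event):
    """Return (severity, reason) if the event matches a rule, else None."""
    activity = event.get("activityDisplayName", "")
    who = _initiator(event)
    if activity in FEDERATION_ACTIVITIES:
        domains = [t.get("displayName") for t in _targets(event, "Domain")]
        return ("high", f"domain authentication changed for {domains} by {who}")
    # A sync account should not be resetting user passwords interactively.
    if activity in PASSWORD_ACTIVITIES and who.lower().startswith("sync_"):
        targets = [t.get("userPrincipalName") for t in _targets(event, "User")]
        return ("high", f"sync account {who} reset password of {targets}")
    if activity == "Add member to role":
        roles = [t.get("displayName") for t in _targets(event, "Role")]
        hits = [r for r in roles if r in PRIVILEGED_ROLES]
        if hits:
            return ("medium", f"{who} added a member to {hits}")
    return None


def triage(events):
    """Return a list of (event id, severity, reason) for every matching event."""
    return [(e["id"], *hit) for e in events if (hit := triage_event(e))]


# Constructed sample entries (not real tenant data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName":
                              "Sync_SRV01_abc123@contoso.onmicrosoft.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "admin@contoso.com"}]},
    {"id": "evt-2", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "Domain", "displayName": "newly-added.example"}]},
    {"id": "evt-3", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc@contoso.com"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
    {"id": "evt-4", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "jdoe@contoso.com"}]},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(json.dumps({"event": hit[0], "severity": hit[1], "reason": hit[2]}))
```

Run against a real export, the rules would need tuning: password hash synchronization performed by the sync account is expected traffic, so the password rule is only meaningful for interactive resets, and any domain-authentication change should be reconciled against an approved change record rather than treated as malicious on its own.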
Microsoft Entra ID has recently introduced a change that restricts the permissions of the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. This change should help prevent attackers from abusing Directory Synchronization Accounts in cyberattacks.
Microsoft also recommends that customers enable Conditional Access policies, Entra ID protections, and Microsoft Defender for Cloud Apps connectors. The company further advises turning on tamper protection features to block attacks that target cloud environments.