Microsoft has recently identified a threat actor known as Storm-0501 targeting government, manufacturing, transportation, and law enforcement sectors in the United States (US) in a cloud ransomware attack campaign. In this article, we’ll dive into the details of the campaign and determine how such attacks are carried out. Let’s begin!
Storm-0501 is a financially motivated threat actor that has been active since 2021. In its earlier cloud ransomware attack campaigns, the threat actor targeted education facilities with the Sabbath (54bb47h) ransomware; it has since become a ransomware-as-a-service (RaaS) affiliate.
Operating as an affiliate, the threat actor has delivered a range of ransomware payloads since the transition, including:
One of the most notable aspects of these attacks is their hybrid nature. The threat actor is believed to gain initial access through weak credentials on over-privileged accounts. After breaching the on-premises systems, it widens the scope of the attack by pivoting into the cloud environment. Other methods used for initial access include:
Before we go into details about the multistage cloud ransomware attack campaign, it’s worth mentioning that such attacks are carried out for multiple purposes that include:
Once the threat actor has gained access to the compromised system, its primary objectives are to conduct discovery operations, determine assets of value, collect information, and conduct Active Directory reconnaissance. Providing insights into such a cloud ransomware attack, Microsoft has stated that:
“The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials.”
Reports state that the credentials harvested after initial access are reused to break into further devices, giving the threat actor login details for an ever-larger set of machines. The threat actor has also been observed using Cobalt Strike for lateral movement within the network, allowing it to issue follow-up commands to compromised hosts.
Rclone is then used to transfer data from the on-premises environment to the MegaSync public cloud storage service. Beyond data theft, the threat actor is known to plant persistent backdoors for access to the cloud environment before deploying ransomware.
Storm-0501’s cloud ransomware campaign is a sophisticated threat targeting key sectors through a combination of weak credentials, hybrid attacks, and persistent backdoors.
By leveraging advanced tools and techniques, the threat actor effectively gains control to exfiltrate data and deploy ransomware, highlighting the evolving dangers of modern cybercrime.
In light of such attack tactics, organizations must implement stringent protection measures to lower the risk posed by this kind of campaign.
The sources for this piece include articles in The Hacker News and Microsoft.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/cloud-ransomware-attack-microsoft-sees-storm-0501-as-threat/