Storm-0501: Cybercriminals Hit US State Bodies, Hospitals

Microsoft has profiled a threat actor it tracks as Storm-0501 that has shifted its focus to hybrid cloud environments and relies largely on publicly available, off-the-shelf tools. The group, previously an affiliate of well-known ransomware operations including Hive, BlackCat (ALPHV), and LockBit, now operates independently and is financially motivated.

Storm-0501 recently carried out multi-stage attacks in the United States, compromising on-premises networks and pivoting from them into the victims' cloud environments. The intrusions involved credential theft, exfiltration of sensitive data, tampering with systems, the creation of persistent backdoors, and the deployment of ransomware. Victims include government agencies, manufacturing companies, transportation providers, law enforcement agencies, and hospitals.

Active since at least 2021, Storm-0501 has deployed several ransomware families developed and maintained by other groups. After gaining initial access with stolen credentials or by exploiting known vulnerabilities, the attackers move into the cloud by abusing weaknesses at the boundary between the on-premises and cloud environments.

A recent report by Microsoft Threat Intelligence emphasizes that as adoption of hybrid cloud platforms grows, securing resources that span multiple platforms becomes increasingly difficult. In its recent attacks, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016, exposing gaps in the patching and security posture of the affected organizations.

During its attacks, Storm-0501 relies on built-in Windows tools and commands (living off the land) as well as publicly available remote-management software such as AnyDesk. After obtaining administrative privileges, the group harvests credentials, moves laterally across the network, and targets the domain controller, from which it deploys ransomware.

Once it controls the on-premises network and has a foothold in the cloud environment, Storm-0501 deploys a relatively new ransomware family called Embargo, which is written in Rust and uses modern encryption. The group does not always resort to ransomware, however; in some intrusions it simply maintains backdoor access to the network.

Microsoft says it is working to harden its Microsoft Entra ID service (formerly Azure AD) against the credential-theft and account-takeover techniques the group uses. Organizations are advised to enforce strong authentication such as multifactor authentication, tightly restrict the accounts and servers that perform directory synchronization between on-premises Active Directory and Entra ID, and deploy endpoint detection and response (EDR) to improve resilience against attacks of this kind.
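One concrete way to act on the "restrict directory synchronization access" advice is to watch how the synchronization account itself is used. The directory sync account that Microsoft Entra Connect creates should only authenticate non-interactively and only from the Entra Connect server, so any interactive sign-in, or any sign-in from another address, is a candidate for an attacker reusing stolen sync credentials to pivot from on-premises into the cloud. The following detector is an added example written for this page; it is not code from the article or from Microsoft. The record field names (`userPrincipalName`, `ipAddress`, `isInteractive`) mirror Entra ID sign-in log properties, the `Sync_<server>_<id>@<tenant>` naming pattern is the convention Entra Connect uses for its cloud sync account, and the sample records, server address range and tenant name are constructed for the example.

```python
"""Flag suspicious sign-ins by the Microsoft Entra Connect directory
synchronization account.

Added example, not from the original article or from Microsoft. The sync
account normally authenticates only from the on-premises Entra Connect
server and never interactively; a sign-in that breaks either rule may be
an attacker reusing stolen sync credentials to pivot into the cloud.
Field names mirror Entra ID sign-in log properties; the sample records,
IP ranges and tenant name below are constructed for this example.
"""
import ipaddress
import re
from typing import Iterable, List

# Entra Connect names its cloud sync account "Sync_<server>_<id>@<tenant>".
SYNC_ACCOUNT_RE = re.compile(r"^sync_[^@]+@", re.IGNORECASE)

# Addresses the Entra Connect server is expected to sync from (assumed
# value for the example; in practice take this from your own inventory).
ALLOWED_SYNC_SOURCES = [ipaddress.ip_network("203.0.113.0/29")]


def is_sync_account(upn: str) -> bool:
    """True if the user principal name follows the Entra Connect sync account pattern."""
    return bool(SYNC_ACCOUNT_RE.match(upn))


def source_allowed(ip: str, allowed=ALLOWED_SYNC_SOURCES) -> bool:
    """True if the source address lies inside one of the permitted networks.
    Unparseable addresses are treated as not allowed rather than ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def find_suspicious_sync_signins(records: Iterable[dict],
                                 allowed=ALLOWED_SYNC_SOURCES) -> List[dict]:
    """Return one finding per sync-account sign-in that is interactive or
    originates outside the Entra Connect server range. Other accounts are ignored."""
    findings = []
    for rec in records:
        upn = rec.get("userPrincipalName", "")
        if not is_sync_account(upn):
            continue
        reasons = []
        if rec.get("isInteractive"):
            reasons.append("interactive sign-in by sync account")
        if not source_allowed(rec.get("ipAddress", ""), allowed):
            reasons.append("sign-in from outside Entra Connect server range")
        if reasons:
            findings.append({
                "id": rec.get("id"),
                "userPrincipalName": upn,
                "ipAddress": rec.get("ipAddress"),
                "reasons": reasons,
            })
    return findings


# Constructed sample sign-in records (not real log data).
SYNC_UPN = "Sync_CORP-AADC01_a1b2c3@contoso.onmicrosoft.com"
SAMPLE_SIGNINS = [
    # Normal: non-interactive, from the Entra Connect server.
    {"id": "1", "userPrincipalName": SYNC_UPN, "ipAddress": "203.0.113.2", "isInteractive": False},
    # Suspicious: sync credentials used from an address that is not the sync server.
    {"id": "2", "userPrincipalName": SYNC_UPN, "ipAddress": "198.51.100.77", "isInteractive": False},
    # Suspicious: interactive sign-in, which the sync account never performs legitimately.
    {"id": "3", "userPrincipalName": SYNC_UPN, "ipAddress": "203.0.113.2", "isInteractive": True},
    # Ordinary user; out of scope for this rule.
    {"id": "4", "userPrincipalName": "jdoe@contoso.com", "ipAddress": "198.51.100.77", "isInteractive": True},
]

if __name__ == "__main__":
    for finding in find_suspicious_sync_signins(SAMPLE_SIGNINS):
        print(finding)
```

Run against the sample records, the detector reports records 2 and 3 and stays silent on the legitimate sync and the unrelated user. The same two conditions map directly onto a query over real Entra sign-in logs; the point of restricting synchronization access is that the legitimate pattern is narrow enough to alert on every deviation.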
