The Intruder Is In The House: Storm-0501 Attacked Azure, Stole Data, Demanded Payment Via Teams
Storm-0501, a financially motivated cybercrime crew, recently broke into a large enterprise’s on-premises and cloud environments, ultimately exfiltrating and destroying data within the org’s Azure environment. The criminals then contacted the victim via a Microsoft Teams account that they’d also compromised in the attack, demanding a ransom payment for the stolen files.
This attack, according to Microsoft’s threat intelligence team, illustrates a scary shift in ransomware tactics, which are moving away from traditional endpoint-based attacks and toward cloud-based ransomware.
“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment,” Redmond wrote in a Wednesday report shared with The Register.
“Storm” is the naming convention Microsoft uses for emerging threat groups, and in September 2024 the Windows giant detailed how Storm-0501 extended its on-premises ransomware operations into hybrid cloud environments.
In these earlier attacks, the crew compromised Active Directory environments and then pivoted to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global admin-level privileges before implanting backdoors and, in some cases, deploying ransomware.
In the more recent attack, Storm-0501 again escalated privileges and abused identities across the compromised environment to jump from on-premises to cloud.
The victim company had multiple subsidiaries, and each operated its own Active Directory domain, configured to allow for cross-domain authentication and resource access.
The subsidiaries also had separate Azure tenants, each with different Microsoft Defender protections enabled. “Notably, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license,” the threat intel team wrote. That was one of the visibility gaps.
Additionally, the Active Directory domains were synced to several Entra ID tenants using Entra Connect Sync servers, and in some cases one domain was synced to more than one tenant, making identity management a difficult task.
From on-premises…
In the on-premises part of the attack, the criminals checked the endpoints for Defender and then compromised an Entra Connect Sync server that was not using the endpoint security product. “We assess that this server served as a pivot point, with the threat actor establishing a tunnel to move laterally within the network,” Microsoft said.
For this lateral movement, the crew used Evil-WinRM, a post-exploitation tool that abuses PowerShell over Windows Remote Management (WinRM) for remote code execution.
They also used a DCSync attack, which is a credential-dumping technique that allows an attacker to impersonate a domain controller by abusing the Directory Replication Service Remote Protocol and, in this role, retrieve sensitive Active Directory data, such as password hashes for any user in the domain.
Using these stolen credentials, the intruders attempted to sign in as several privileged users but were ultimately blocked because the accounts had multi-factor authentication (MFA).
So they went back to Active Directory and compromised a second Entra Connect server linked to a different Entra ID tenant and Active Directory domain, again initiating a DCSync attack. This time around, Storm-0501 was able to identify a non-human synced identity assigned a global admin role in Microsoft Entra ID on that tenant. And this one didn’t have MFA turned on.
To Azure
The digital thieves next reset the user’s on-prem password, which synced (via Entra Connect Sync) to the cloud ID of that user. The attackers then registered a new, attacker-controlled MFA method, and used this account to move laterally between different devices in the network, finally finding a hybrid-joined server that allowed them to sign in to the Azure portal using the global admin account.
“From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain,” Redmond said. “The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud.”
These goals included first registering a threat actor-owned Entra ID tenant as a trusted federated domain, which essentially created a backdoor for Storm-0501 to use for persistent access. “The backdoor enabled Storm-0501 to craft security assertion markup language (SAML) tokens applicable to the victim tenant, impersonating users in the victim tenant while assuming the impersonated user’s Microsoft Entra roles,” the threat hunters explained.
The tenant’s Entra ID and Azure environments are connected, and the attackers already held top-level Entra ID privileges. After invoking the Microsoft.Authorization/elevateAccess/action operation with the compromised Microsoft Entra global administrator account, Storm-0501 obtained the User Access Administrator Azure role, which gave it access to all of the enterprise’s Azure subscriptions and the data stored in them.
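As an added illustration, not code from Microsoft’s report, here is a small Python check a defender could run over exported logs to flag the two cloud-stage actions described above (a federation change on the tenant and the elevateAccess operation) and note whether the same identity registered a new MFA method shortly beforehand. The log records are constructed and use a simplified schema assumed to mirror Azure Activity Log and Entra ID audit fields; the identities and domains are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real logs from the incident). The field names are a
# simplified stand-in for Entra ID audit log and Azure Activity Log records.
SAMPLE_LOG = """
{"source":"entra_audit","time":"2025-08-20T09:02:11Z","activity":"User registered security info","actor":"svc-sync@victim.example","result":"success"}
{"source":"entra_audit","time":"2025-08-20T09:40:55Z","activity":"Set domain authentication","actor":"svc-sync@victim.example","target":"attacker-owned.example","result":"success"}
{"source":"azure_activity","time":"2025-08-20T10:15:03Z","operationName":"Microsoft.Authorization/elevateAccess/action","caller":"svc-sync@victim.example","status":"Succeeded"}
{"source":"azure_activity","time":"2025-08-20T10:16:40Z","operationName":"Microsoft.Storage/storageAccounts/listKeys/action","caller":"svc-sync@victim.example","status":"Succeeded"}
{"source":"entra_audit","time":"2025-08-19T12:00:00Z","activity":"User registered security info","actor":"alice@victim.example","result":"success"}
"""

# Operations that should be rare and always reviewed: a federated domain being added or
# changed (SAML token forging backdoor) and a Global Admin elevating into Azure RBAC.
HIGH_RISK = {
    "Set domain authentication": "federated domain changed on the tenant",
    "Microsoft.Authorization/elevateAccess/action": "Global Admin elevated to User Access Administrator",
}

def parse(log_text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]

def detect(events, window=timedelta(hours=24)):
    """Return one finding per high-risk operation, in time order, flagging whether the
    acting identity registered a new authentication method within `window` before it."""
    def ts(e):
        return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")

    def who(e):
        return e.get("actor") or e.get("caller")

    mfa_registrations = [(who(e), ts(e)) for e in events
                         if e.get("activity") == "User registered security info"]
    findings = []
    for e in sorted(events, key=ts):
        op = e.get("activity") or e.get("operationName")
        if op not in HIGH_RISK:
            continue
        recent_mfa = any(user == who(e) and timedelta(0) <= ts(e) - when <= window
                         for user, when in mfa_registrations)
        findings.append({"time": e["time"], "identity": who(e), "operation": op,
                         "why": HIGH_RISK[op], "new_mfa_method_before": recent_mfa})
    return findings

if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the same two rules map onto the Entra audit log and the Azure Activity Log, and a new MFA registration preceding either event by a synced, non-human identity is the pattern the report describes.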
For data theft and beyond
From here, they stole and deleted a bunch of data, and then extorted the victim for a ransom payment, contacting them via a compromised Teams account.
How to protect yourself
Luckily, Microsoft also suggests several mitigation measures that organizations can take to prevent becoming another one of Storm-0501’s cloud ransomware victims.
Redmond recently made a change in Microsoft Entra ID that aims to stop attackers abusing Directory Synchronization Accounts to escalate privileges, and a new version released in May, currently in public preview, allows customers to configure application-based authentication.
The tech company also urges customers to enable Trusted Platform Module (TPM) on the Entra Connect Sync server to store sensitive credentials and cryptographic keys, thus preventing those from being stolen.
There’s also a list of steps to take to protect both on-premises environments and cloud identities, so be sure to check out all of them. Here are a few key ones for cloud-based identities: practice the principle of least privilege so that users and applications are granted only the minimum permissions needed to perform specific tasks, enforce Conditional Access policies that are evaluated every time a user tries to sign in to an account, and — please, please, please — require MFA for all users.