- Microsoft warns of Storm-0501, a ransomware group targeting mostly cloud platforms
- This approach allows them to be faster and more efficient
- There are ways to defend against this threat, so stay alert
Microsoft is warning users about a ransomware operator that is more interested in compromising cloud infrastructure than on-premise devices since it’s faster, more efficient, and more disruptive.
In a new report, the company highlighted Storm-0501, a financially motivated group observed to go primarily for hybrid cloud environments. The group would first compromise on-premise Active Directory domains via domain trust relationships, and then use Entra Connect Sync servers to pivot towards the cloud and into Microsoft Entra ID tenants.
From there, the group would exploit a non-human synced identity with Global Admin rights, and no multi-factor authentication (MFA) set up, to gain full cloud access which, in turn, allowed them to create a backdoor using malicious federated domains, and by abusing SAML tokens.
Weathering the storm
Compromising Azure this way is an alarming turn of events, since crooks can gain owner role across subscriptions, map critical assets using AzureHound, exfiltrate data via AzCopy CLI, delete backups and storage using Azure operations and, in some instances, even encrypt the files using custom Azure Key Vault keys.
Attacking the cloud rather than on-prem infrastructure allows for faster data exfiltration, as well as the destruction of backups. Adding insult to injury, it also allows them to reach out to their victims via Microsoft Teams to and demand a ransom payment.
“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment,” Microsoft wrote.
To mitigate the threat, businesses should – before doing anything else – enforce MFA for all users, especially for privileged accounts. Then, they should restrict Directory Synchronization Account permissions, use TPM on Entra Connect Sync Servers, and apply Azure resource locks and immutability policies.
Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud across all tenants, and naturally – monitoring with Azure activity logs and advanced hunting queries.
You might also like
https://cdn.mos.cms.futurecdn.net/pL5rBKGq88cnoqgdJgCXGS.jpg
Source link
