Hybrid cloud environments are not safe from ransomware
Pieter Arntz · 2024-09-28 · via Vulnerabilities – ThreatDown by Malwarebytes
A ransomware affiliate has been found compromising hybrid cloud environments.

Not that we ever imagined the Cloud would be immune to ransomware, but Microsoft now reports how it observed a group of cybercriminals it tracks as Storm-0501 compromising hybrid cloud environments.

Storm-0501 has been associated with ransomware since it was first seen in 2021, when it used the Sabbath ransomware against a US school district. The Sabbath ransomware affiliate program targets mostly critical infrastructure in the United States and Canada. It uses a multifaceted extortion model that includes ransomware deployment, data theft, and destruction of backups. Mandiant says the same group previously operated under the names of Arcane and Eruption and was found deploying the ROLLCOAST ransomware.

Later, the group shifted to operating as an affiliate for Ransomware-as-a-Service (RaaS) programs such as Hive, ALPHV, Hunters International, LockBit, and most recently, Embargo ransomware.

The group's preferred way to move laterally from on-premises systems to cloud environments is stolen credentials for accounts that have access to both. It uses the stolen credentials to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to on-premises systems.

Initial access is often provided by Initial Access Brokers (IABs) that use known remote code execution (RCE) vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016.

With the provided access, the group then engages in network discovery to find desirable targets, such as high-value assets and general domain information. Using living-off-the-land (LOTL) techniques, they go after Domain Administrator users and domain forest trusts, the mechanism organizations use to manage a segmented Active Directory Domain Services (AD DS) infrastructure.

Other open-source tools are used to query additional endpoint information, and for Active Directory reconnaissance.

In the next stage, the group deploys remote monitoring and management (RMM) tools to interact with the compromised devices and maintain persistence.

Using the admin privileges on the compromised devices, they go after additional credentials to access more devices in the network.

The credentials used to get to the cloud were specifically Microsoft Entra IDs that were stolen earlier during the attack.

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises application that synchronizes an on-premises identity and the Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password.

Microsoft established that the attacker specifically located Microsoft Entra Connect Sync servers and managed to extract the plaintext credentials of the Microsoft Entra Connect cloud and on-premises sync accounts, probably by using Impacket to steal credentials and Data Protection API (DPAPI) encryption keys.

The end goal here was the data theft and the deployment of Embargo ransomware. In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named SysUpdate that was registered via GPO on the devices in the network.

Protective measures

To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups.

You should also enable multi-factor authentication (MFA) for all users, starting with privileged administrators. Microsoft also urges organizations to enable protection against bypassing cloud Microsoft Entra MFA when federated with Microsoft Entra ID.

An MDR service can spot suspicious behavior, such as the deployment of LOTL, RMM, and open-source tools, that regular endpoint protection might miss.
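One piece of that detection logic, as an added example that is not part of the article or of any Malwarebytes product: a small hunt over scheduled-task creation events (Windows Security Event ID 4698) that flags the task name the article reports for the Embargo deployment and, more generally, the same task name being registered on many hosts within minutes, which is what a GPO-driven push looks like. The event records below are constructed for illustration; the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Task name Microsoft reported for the Embargo deployment (from the article).
WATCHLIST = {"sysupdate"}

# Constructed sample 4698 (scheduled task created) records, not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-09-20T02:00:05", "host": "FS01",  "user": "CORP\\da-admin", "task": "\\SysUpdate"},
    {"time": "2024-09-20T02:00:07", "host": "FS02",  "user": "CORP\\da-admin", "task": "\\SysUpdate"},
    {"time": "2024-09-20T02:00:09", "host": "WS117", "user": "CORP\\da-admin", "task": "\\SysUpdate"},
    {"time": "2024-09-20T02:00:11", "host": "WS118", "user": "CORP\\da-admin", "task": "\\SysUpdate"},
    {"time": "2024-09-20T09:30:00", "host": "WS004", "user": "CORP\\jdoe", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"time": "2024-09-21T01:00:00", "host": "FS01",  "user": "CORP\\backupsvc", "task": "\\NightlyBackup"},
]

def parse(event):
    """Normalize one record: timestamp, host, creating user, bare lower-case task name."""
    name = event["task"].rsplit("\\", 1)[-1].lower()
    return datetime.fromisoformat(event["time"]), event["host"], event["user"], name

def detect_task_deployment(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return alerts for (a) watch-listed task names and (b) the same task name
    registered on at least min_hosts distinct hosts inside `window` (mass push)."""
    alerts = []
    by_task = defaultdict(list)
    for ev in events:
        ts, host, user, name = parse(ev)
        if name in WATCHLIST:
            alerts.append(("watchlist_task", name, host, user))
        by_task[name].append((ts, host, user))
    for name, regs in by_task.items():
        regs.sort()  # order registrations by time, then slide a window over them
        start = 0
        for end in range(len(regs)):
            while regs[end][0] - regs[start][0] > window:
                start += 1
            hosts = sorted({h for _, h, _ in regs[start:end + 1]})
            if len(hosts) >= min_hosts:
                users = sorted({u for _, _, u in regs[start:end + 1]})
                alerts.append(("mass_task_push", name, hosts, users))
                break  # one alert per task name is enough for triage
    return alerts
```

A legitimate GPO rollout trips the mass-push rule too, so treat it as a triage signal to be correlated with the creating account (a Domain Admin registering tasks fleet-wide is the pattern the article describes) rather than a verdict on its own.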

Consider using an Identity and Access Management (IAM) solution. IAM solutions control who has access to cloud resources and what they can do with them. This includes user authentication, authorization, and the enforcement of access policies.

A vulnerability and patch management solution can help stop the initial access through vulnerable internet-facing devices, services, and software.

Security Awareness Training can educate employees about cloud security best practices and the potential risks associated with cloud computing.