- Microsoft warns of Storm-0501, a ransomware group mainly targeting cloud platforms
- This approach allows them to be faster and more efficient
- There are ways to defend yourself against this threat, so stay vigilant
Microsoft warns users of a ransomware operator more interested in compromising cloud infrastructure than on-premises devices, because it is faster, more efficient and more disruptive.
In a new report, the company highlighted Storm-0501, a financially motivated group observed mainly targeting hybrid cloud environments. The group reportedly first compromises on-premises Active Directory domains by abusing domain trust relationships, then uses the Entra Connect synchronization servers to pivot into the cloud and into the Microsoft Entra ID tenants.
From there, the group exploits a synchronized non-human identity holding Global Administrator rights and no multi-factor authentication (MFA) to gain full cloud access, which in turn lets it establish a backdoor using malicious federated domains and abuse of SAML tokens.
Weathering the Storm
Compromising Azure in this way is an alarming turn of events, because the crooks can gain an Owner role across subscriptions, map critical assets using AzureHound data, exfiltrate via the AzCopy CLI, delete backups and storage using Azure operations and, in some cases, even encrypt files using customer-managed Azure Key Vault keys.
Attacking cloud infrastructure rather than on-premises systems allows faster data exfiltration as well as destruction of backups. Adding insult to injury, it also lets the group contact its victims via Microsoft Teams and demand a ransom payment.
“Leveraging native cloud capabilities, Storm-0501 quickly exfiltrates large volumes of data, destroys data and backups in the victim’s environment, and demands a ransom, all without relying on traditional malware deployment,” wrote Microsoft.
To mitigate the threat, companies should, before anything else, enforce MFA for all users, particularly privileged accounts. Then they should restrict the permissions of the directory synchronization account, use a TPM on the Entra Connect synchronization servers, and apply Azure Resource Locks and immutability policies.
Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud in all tenants and, of course, monitoring with Azure activity logs and advanced hunting queries.
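As an added example (constructed here, not taken from Microsoft's report), a Microsoft Sentinel hunting query in KQL that covers the two detection points the article raises: domain federation changes of the kind used to plant a SAML-token backdoor, and single-factor sign-ins by accounts holding Global Administrator, including synchronized service accounts. The `AuditLogs`, `SigninLogs` and `IdentityInfo` tables follow the Sentinel schemas; the `Sync_` account prefix is an assumption about the default Entra Connect sync account name.

```kql
// Added hunting query, constructed for illustration; not Microsoft's own.
let lookback = 14d;
// 1. Federation configuration changes on tenant domains. Legitimate changes are
//    rare and planned; an unexpected one is a candidate SAML-token backdoor.
let FederationChanges = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("Set domain authentication",
                              "Set federation settings on domain",
                              "Add unverified domain",
                              "Verify domain")
    | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName)),
             IPAddress = tostring(InitiatedBy.user.ipAddress),
             Target = tostring(TargetResources[0].displayName)
    | project TimeGenerated, Finding = strcat("Federation change: ", OperationName),
              Actor, Target, Result, IPAddress;
// 2. Successful single-factor sign-ins by accounts that hold Global Administrator.
//    The Sync_ prefix (assumed) matches the default Entra Connect sync account.
let PrivilegedSingleFactor = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | where AuthenticationRequirement == "singleFactorAuthentication"
    | join kind=inner (
        IdentityInfo
        | where TimeGenerated > ago(lookback)
        | where AssignedRoles has "Global Administrator"
        | summarize arg_max(TimeGenerated, AssignedRoles) by AccountUPN
      ) on $left.UserPrincipalName == $right.AccountUPN
    | extend Finding = iff(UserPrincipalName startswith "Sync_",
                           "Synced sync account with Global Admin signed in without MFA",
                           "Global Admin signed in without MFA")
    | project TimeGenerated, Finding, Actor = UserPrincipalName,
              Target = AppDisplayName, Result = ResultType, IPAddress;
// Combine both findings into one timeline for triage.
union FederationChanges, PrivilegedSingleFactor
| order by TimeGenerated desc
```

Any row in the result is worth a manual review: a sync account with Global Administrator that signs in without MFA is exactly the foothold the article describes, and a federation change it did not plan is the backdoor.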