Microsoft sheds light on the activities of Storm-0501, a threat actor known for deploying ransomware attacks in hybrid cloud environments. The group has expanded its operations to target both on-premises and cloud resources, posing significant risks to organizations utilizing hybrid infrastructures.
Storm-0501 employs several sophisticated techniques to compromise systems. For initial access, they leverage phishing campaigns and exploit vulnerabilities in public-facing applications. Once inside the network, the group uses tools like Mimikatz to steal credentials, enabling lateral movement. Persistence is achieved through tactics such as creating scheduled tasks and new user accounts, ensuring continued access to compromised systems. Additionally, they utilize command-and-control (C2) frameworks like Cobalt Strike to maintain communication with infected machines. Before deploying ransomware, Storm-0501 exfiltrates sensitive data and employs custom encryption tools to lock files, increasing the pressure on victims to pay ransoms.
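The persistence tactics named above (new user accounts and scheduled tasks) are visible in Windows Security logs as events 4720 and 4698. The following is an added correlation example, not code from Microsoft's report, that flags a host where the same account creates a user and then a scheduled task within a short window; the JSON-per-line log format and the sample events are constructed for the demonstration.

```python
# Added example: correlate Windows Security events 4720 (user account
# created) and 4698 (scheduled task created) on the same host by the same
# subject within a time window. Log layout and events are constructed.
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line (an assumed format).
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00", "host": "FS01", "event_id": 4720, "subject": "jdoe", "target": "svc_backup2"}
{"ts": "2024-05-01T09:04:30", "host": "FS01", "event_id": 4698, "subject": "jdoe", "target": "UpdateCheck"}
{"ts": "2024-05-01T11:00:00", "host": "WS07", "event_id": 4698, "subject": "admin", "target": "Backup"}
{"ts": "2024-05-02T08:00:00", "host": "WS07", "event_id": 4720, "subject": "admin", "target": "contractor1"}
"""

def parse_events(text):
    """Parse one JSON object per line; convert 'ts' to datetime; sort by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_persistence_chains(events, window_minutes=30):
    """Return (host, subject, new_user, task_name) tuples where one subject
    created a user (4720) and then a scheduled task (4698) on the same host
    within window_minutes. Task-before-user order is not flagged."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, a in enumerate(evs):
            if a["event_id"] != 4720:
                continue
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are time-sorted, so later ones are further away
                if b["event_id"] == 4698 and b["subject"] == a["subject"]:
                    hits.append((host, a["subject"], a["target"], b["target"]))
    return hits

if __name__ == "__main__":
    for hit in find_persistence_chains(parse_events(SAMPLE_LOG)):
        print("persistence chain:", hit)
```

Only FS01 is flagged: WS07 shows the two events in the reverse order and a day apart, which the rule deliberately ignores.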
The group's attacks specifically target hybrid cloud environments. They focus on compromising virtual machines (VMs) to disrupt services and encrypt critical data. Cloud storage is another key target, with the aim of encrypting cloud-hosted data to maximize operational impact. Furthermore, Storm-0501 abuses misconfigurations in Identity and Access Management (IAM) systems to escalate privileges and move laterally between on-premises and cloud resources.