Storm-0501 debuts a brutal hybrid ransomware attack chain

Microsoft Threat Intelligence today released a report on the financially motivated group Storm-0501, warning that the threat actor has sharpened its ransomware tactics by exploiting hijacked privileged accounts to move seamlessly between on-premises and cloud environments, exploiting visibility gaps to encrypt data and carry out mass deletions of cloud resources, including backups.

“They’re not just encrypting the data; they’re deleting backups so that you can’t say, ‘Oh, that’s fine, we’ll recover from this, we’re not going to pay a ransom,’” Sherrod DiGrippo, director of threat intelligence strategy at Microsoft, tells CSO. “It’s a truly brutal ransomware attack chain to play.”

Given how this starkly intrusive approach ups the extortion ante, CISOs are well-advised to review and restrict the number of privileged accounts they have, revisit their ransomware playbooks, and reexamine whether their on-premises assets should be moved to the cloud.

How the attack chain works

Microsoft recounts a recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries, each operating its own Active Directory domain. All the domains are interconnected through domain trust relationships, enabling cross-domain authentication and resource access.

Only one of these tenants had Microsoft Defender for Endpoint deployed. Devices from multiple Active Directory domains were onboarded to this single tenant’s license, which created visibility gaps across the environment. Microsoft notes that the threat actor checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems.

Storm-0501 then moved laterally across the on-premises environment using Evil-WinRM, a post-exploitation tool that uses PowerShell over Windows Remote Management (WinRM) for remote code execution. The group then performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller, which gave it the ability to request password hashes for any user in the domain, including privileged accounts.
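A DCSync request shows up on the domain controller as a Security event 4662 in which a principal asks for the directory replication control-access rights. The detector below, an added example that is not part of the CSO article or Microsoft's report, runs over a few constructed, flattened 4662 records and flags any requester that is not a known domain controller or the directory sync account. The extended-right GUIDs are the published Active Directory values; the account names in `EXPECTED_REPLICATORS` and the simplified `key=value;` log layout are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Control-access right GUIDs a DCSync request asks for. These are the published
# Active Directory extended-right identifiers, not values from the article.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate the directory: domain controller computer
# accounts and the Entra Connect sync account. Names are assumptions for this example.
EXPECTED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\MSOL_1a2b3c4d"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


@dataclass
class Alert:
    subject: str
    rights: list
    pulls_secrets: bool  # True when Get-Changes-All (the right that returns password data) was requested


def parse_event(line: str) -> dict:
    """Parse one flattened 'key=value;' record (constructed layout, not real EVTX/XML)."""
    return dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)


def detect_dcsync(lines):
    """Return an Alert for every 4662 event where a non-replicator asked for replication rights."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        subject = f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}"
        guids = [g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))]
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if rights and subject not in EXPECTED_REPLICATORS:
            alerts.append(Alert(subject, rights, "DS-Replication-Get-Changes-All" in rights))
    return alerts


# Constructed sample events. %%7688 is the "Control Access" accessmask text in real 4662 data;
# the domainDNS (19195a5b...) and user (bf967aba...) class GUIDs are real schema values.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC02$;SubjectDomainName=CORP;ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9};"
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;SubjectDomainName=CORP;ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2};"
    "Properties=%%7688 {00299570-246d-11d0-a768-00aa006e0529}",
    "EventID=4662;SubjectUserName=svc_backup;SubjectDomainName=CORP;ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9};"
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4624;SubjectUserName=svc_backup;SubjectDomainName=CORP;LogonType=3",
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        tail = " (secrets retrievable)" if a.pulls_secrets else ""
        print(f"DCSync-like replication request by {a.subject}: {', '.join(a.rights)}{tail}")
```

The allow-list matters more than the GUID match: every domain controller and the sync account make these requests constantly, so the signal is a replication request from any other principal, and the Get-Changes-All right is the one worth paging on because it is what returns the password hashes.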

Although Storm-0501 had valid credentials, it didn’t have the necessary second MFA factors, nor was it able to satisfy policy conditions. It could, however, leverage its on-premises control to pivot across Active Directory domains and find a non-human synced global admin identity that lacked MFA. Resetting that user’s on-premises password let it sign in to the Azure portal as a global admin account, achieve complete control over the domain, and establish a persistence mechanism.

Microsoft says Storm-0501 created a backdoor using a maliciously added federated domain, enabling them to sign in as almost any user, map out the entire environment, and understand its protections. The threat actor then targeted the organization’s Azure Storage accounts, exfiltrating data to its own infrastructure.
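The two identity weaknesses in the account above, a directory-synced account holding Global Administrator without MFA and a federated domain nobody configured on purpose, are both visible in tenant data. The check below is an added example, not code from the article or from Microsoft: it runs over a constructed, simplified export of users and domains (field names `onPremisesSyncEnabled` and `authenticationType` follow Microsoft Graph; all values, the `mfaRegistered` flag and the `APPROVED_FEDERATED_DOMAINS` set are assumptions) and lists what a reviewer of this tenant would want to know before an attacker finds it.

```python
# Constructed, simplified export of tenant users and domains. Graph-style field names
# (onPremisesSyncEnabled, authenticationType); the accounts and domains are made up.
USERS = [
    {"userPrincipalName": "alice@corp.example", "onPremisesSyncEnabled": True,
     "roles": ["User Administrator"], "mfaRegistered": True},
    {"userPrincipalName": "sync-admin@corp.example", "onPremisesSyncEnabled": True,
     "roles": ["Global Administrator"], "mfaRegistered": False},
    {"userPrincipalName": "ops-admin@corp.example", "onPremisesSyncEnabled": True,
     "roles": ["Global Administrator"], "mfaRegistered": True},
    {"userPrincipalName": "breakglass@corp.onmicrosoft.com", "onPremisesSyncEnabled": False,
     "roles": ["Global Administrator"], "mfaRegistered": True},
    {"userPrincipalName": "bob@corp.example", "onPremisesSyncEnabled": True,
     "roles": [], "mfaRegistered": False},
]

DOMAINS = [
    {"id": "corp.example", "authenticationType": "Managed"},
    {"id": "sso.corp.example", "authenticationType": "Federated"},
    {"id": "corp-auth-update.example", "authenticationType": "Federated"},
]

# Roles from which a tenant can be taken over; the set is this example's choice.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Privileged Authentication Administrator", "User Administrator",
}
# Federated domains the organisation deliberately set up (assumption for this example).
APPROVED_FEDERATED_DOMAINS = {"sso.corp.example"}


def synced_privileged_without_mfa(users):
    """Hybrid-synced accounts holding a privileged role with no MFA registered.

    An on-premises password reset on such an account becomes a cloud admin logon."""
    return sorted(
        u["userPrincipalName"] for u in users
        if u["onPremisesSyncEnabled"]
        and set(u["roles"]) & PRIVILEGED_ROLES
        and not u["mfaRegistered"]
    )


def synced_global_admins(users):
    """Any synced Global Administrator, MFA or not: the role should live on cloud-only accounts."""
    return sorted(
        u["userPrincipalName"] for u in users
        if u["onPremisesSyncEnabled"] and "Global Administrator" in u["roles"]
    )


def unexpected_federated_domains(domains, approved):
    """Federated domains outside the approved set; a rogue one lets its token issuer sign in as almost anyone."""
    return sorted(
        d["id"] for d in domains
        if d["authenticationType"] == "Federated" and d["id"] not in approved
    )


if __name__ == "__main__":
    print("synced privileged, no MFA:", synced_privileged_without_mfa(USERS))
    print("synced Global Administrators:", synced_global_admins(USERS))
    print("unexpected federated domains:",
          unexpected_federated_domains(DOMAINS, APPROVED_FEDERATED_DOMAINS))
```

Run this on a real export after any on-premises compromise and again on a schedule; the federated-domain list in particular changes rarely, so a diff against the approved set is a cheap, high-signal control.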

After exfiltrating all the data, the group then mass-deleted Azure resources, including backups. For those files that could not be deleted due to Azure resource locks and Azure Storage immutability policies, the threat actor just encrypted everything in the cloud and began the extortion phase, contacting the victims using the Microsoft Teams account of one of the previously compromised users.
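The paragraph above names the two controls that held: Azure resource locks and Storage immutability policies. The check below is an added example, not code from the article or from Microsoft. It walks a constructed inventory of backup-holding resources (the record layout is this example's own, simplified from what resource, lock and immutability settings expose; the names and values are assumptions) and separates resources that merely have a delete lock, which a sufficiently privileged identity can remove first, from those whose copies survive because the protecting control cannot simply be switched off.

```python
# Constructed inventory of backup-holding Azure resources. The field layout is this
# example's own simplification; names, states and retention values are made up.
INVENTORY = [
    {"name": "stprodbackups", "type": "Microsoft.Storage/storageAccounts",
     "locks": ["CanNotDelete"], "immutability": {"state": "Locked", "retention_days": 30}},
    {"name": "stlogsarchive", "type": "Microsoft.Storage/storageAccounts",
     "locks": [], "immutability": {"state": "Unlocked", "retention_days": 7}},
    {"name": "stscratch", "type": "Microsoft.Storage/storageAccounts",
     "locks": [], "immutability": None},
    {"name": "rsv-prod", "type": "Microsoft.RecoveryServices/vaults",
     "locks": ["CanNotDelete"], "soft_delete": "AlwaysOn"},
    {"name": "rsv-dev", "type": "Microsoft.RecoveryServices/vaults",
     "locks": [], "soft_delete": "Enabled"},
]

STORAGE = "Microsoft.Storage/storageAccounts"
VAULT = "Microsoft.RecoveryServices/vaults"


def assess(resource):
    """Findings for one resource, ordered from 'slows an attacker' to 'stops deletion'."""
    findings = []
    if not set(resource.get("locks", [])) & {"CanNotDelete", "ReadOnly"}:
        findings.append("no delete lock: a Contributor-level identity can delete it outright")
    if resource["type"] == STORAGE:
        imm = resource.get("immutability")
        if imm is None:
            findings.append("no immutability policy: blobs can be deleted or overwritten")
        elif imm["state"] != "Locked":
            findings.append("immutability policy unlocked: it can be shortened or removed before deletion")
    elif resource["type"] == VAULT:
        if resource.get("soft_delete") != "AlwaysOn":
            findings.append("soft delete can be disabled: backups can be purged after disabling it")
    return findings


def survives_mass_deletion(resource):
    """True only when a control that an admin cannot simply turn off protects the copies.

    A delete lock alone does not count: the same role that deletes can remove the lock first."""
    if resource["type"] == STORAGE:
        imm = resource.get("immutability")
        return imm is not None and imm["state"] == "Locked"
    if resource["type"] == VAULT:
        return resource.get("soft_delete") == "AlwaysOn"
    return False


def report(inventory):
    """Map each resource name to its findings (empty list means nothing to fix)."""
    return {r["name"]: assess(r) for r in inventory}


def durable_copies(inventory):
    """Names of resources whose backups would outlive a mass-deletion run."""
    return [r["name"] for r in inventory if survives_mass_deletion(r)]


if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        print(name, "->", "; ".join(findings) or "ok")
    print("would survive mass deletion:", durable_copies(INVENTORY))
```

The distinction the code draws is the one that decided this incident: locks and unlocked immutability policies are friction, while a locked time-based retention policy or always-on soft delete leaves an attacker with nothing to delete, which is why the group fell back to encryption.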

A holistic approach to put organizations under pressure

Microsoft’s DiGrippo emphasizes that the unique aspect of this new method is that it leverages hybrid environments that have both on-prem and cloud assets. “They put you in a situation where you’re under a significant amount of pressure because they’ve escalated privileges for themselves on both your on-prem and your cloud environment, and then they’re destroying your backups, encrypting what data is left, and telling you essentially, you can’t recover from this,” she says. “You’ll need to pay this ransom or you’re shut down permanently.”

The on-premises equipment is key to Storm-0501 pulling off this attack chain. “When the threat actor can get into those because they’re vulnerable, pivot into the cloud, the threat actor really now has the keys to the kingdom,” DiGrippo says.

“This is not what we traditionally see with most threat actors,” DiGrippo emphasizes. “They’re getting into the cloud environment, they’re getting into the on-prem environment, they’re deleting the backups, they’re going through those user accounts, finding additional user accounts that they can then breach and obtain persistent access within the environment. It’s a multipronged attack that puts the organization in almost a no-win situation.”

What CISOs should do

DiGrippo says that because Storm-0501 exploits overly privileged accounts, using least privilege access is “super important” for CISOs in helping ward off this attack.

She also thinks CISOs should know what their ransomware playbook is, understand under what circumstances they will pay ransoms, who is authorized to make that decision, and who must be involved, and run those playbooks as practice multiple times a year.

Finally, security leaders should consider “doing a full audit of your on-prem environments and understanding what that risk really presents to your organization,” DiGrippo says. “As cloud transformations have been completed over the last several years, a lot of organizations just sort of said, ‘Oh, these are our on-prem, we can’t move that, it’s super-legacy.’”

“Now is the time to really understand what you should be moving to the cloud and what you should be hardening,” DiGrippo warns. “The biggest lesson for me is that these hybrid environments are incredibly vulnerable and incredibly important.”
