Microsoft flags dangerous cybercriminals ransacking organizations - and then letting you know about it via Teams

  • Microsoft warns of Storm-0501, a ransomware group targeting mostly cloud platforms
  • This approach allows them to be faster and more efficient
  • There are ways to defend against this threat, so stay alert

Microsoft is warning users about a ransomware operator that is more interested in compromising cloud infrastructure than on-premises devices, since doing so is faster, more efficient, and more disruptive.

In a new report, the company highlighted Storm-0501, a financially motivated group observed to go primarily for hybrid cloud environments. The group would first compromise on-premise Active Directory domains via domain trust relationships, and then use Entra Connect Sync servers to pivot towards the cloud and into Microsoft Entra ID tenants.

From there, the group would exploit a non-human synced identity that held Global Admin rights and had no multi-factor authentication (MFA) set up, gaining full cloud access. That access, in turn, allowed them to create a backdoor by adding malicious federated domains and abusing SAML tokens.

Weathering the storm

Compromising Azure this way is an alarming turn of events, since crooks can gain the Owner role across subscriptions, map critical assets using AzureHound, exfiltrate data via the AzCopy CLI, delete backups and storage using Azure operations and, in some instances, even encrypt files using custom Azure Key Vault keys.

Attacking the cloud rather than on-prem infrastructure allows for faster data exfiltration, as well as the destruction of backups. Adding insult to injury, it also allows them to reach out to their victims via Microsoft Teams and demand a ransom payment.

"Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment," Microsoft wrote.

To mitigate the threat, businesses should - before doing anything else - enforce MFA for all users, especially for privileged accounts. Then, they should restrict Directory Synchronization Account permissions, use TPM on Entra Connect Sync Servers, and apply Azure resource locks and immutability policies.

Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud across all tenants and, naturally, monitoring with Azure activity logs and advanced hunting queries.
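The monitoring the last two paragraphs recommend can be rehearsed offline against exported logs. What follows is an added example, not part of the article or of Microsoft's report: a Python triage script that walks Entra ID audit records and Azure Activity-log records for the three signals the article describes (a federated domain added or changed, a privileged directory role granted to an on-premises-synced account, and a burst of backup or storage deletions by a single caller). The log records are constructed, their field names are flattened from the real Entra and Azure schemas, and the activity and operation names used for matching are assumptions that should be checked against your own tenant's logs.

```python
"""Offline triage of exported Entra ID audit-log and Azure Activity-log records
for three indicators: a federated domain being added or changed, a privileged
directory role granted to a synced (on-premises sourced) account, and a burst
of delete operations against backup or storage resources by one caller.

Added example code. Sample records are constructed; field names are flattened
from the real Entra/Azure schemas and activity names are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# Entra audit activities that add or alter domain federation (backdoor path).
FEDERATION_ACTIVITIES = {
    "Add unverified domain",
    "Set domain authentication",
    "Set federation settings on domain",
}
ROLE_GRANT_ACTIVITY = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Azure Activity operationName prefixes covering backup/storage resources.
DESTRUCTIVE_PREFIXES = (
    "Microsoft.RecoveryServices/vaults/",
    "Microsoft.Storage/storageAccounts/",
    "Microsoft.Compute/snapshots/",
)
BURST_COUNT = 5                       # deletes by one caller ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def check_entra(events):
    """Return (kind, actor, target) findings from Entra audit records."""
    findings = []
    for ev in events:
        name = ev["activityDisplayName"]
        if name in FEDERATION_ACTIVITIES:
            findings.append(("federation_change", ev["initiatedBy"], ev["target"]))
        elif name == ROLE_GRANT_ACTIVITY and ev.get("role") in PRIVILEGED_ROLES:
            # A synced service identity holding Global Admin is the condition
            # the article describes; flag it separately from ordinary grants.
            kind = ("privileged_role_to_synced_account"
                    if ev.get("targetOnPremisesSynced") else "privileged_role_grant")
            findings.append((kind, ev["initiatedBy"], ev["target"]))
    return findings


def check_azure_deletes(events):
    """Return (kind, caller, max_count) for callers whose delete operations on
    backup/storage resources reach BURST_COUNT inside any BURST_WINDOW."""
    per_caller = defaultdict(list)
    for ev in events:
        op = ev["operationName"]
        if op.startswith(DESTRUCTIVE_PREFIXES) and op.endswith("/delete"):
            per_caller[ev["caller"]].append(datetime.fromisoformat(ev["time"]))
    findings = []
    for caller, times in per_caller.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1            # slide the window forward
            best = max(best, end - start + 1)
        if best >= BURST_COUNT:
            findings.append(("backup_delete_burst", caller, best))
    return findings


# Constructed sample records (not real log data).
SAMPLE_ENTRA = [
    {"activityDisplayName": "Update user", "initiatedBy": "admin@corp.example",
     "target": "jdoe@corp.example"},
    {"activityDisplayName": "Add member to role", "initiatedBy": "admin@corp.example",
     "target": "sync_svc@corp.example", "role": "Global Administrator",
     "targetOnPremisesSynced": True},
    {"activityDisplayName": "Add member to role", "initiatedBy": "admin@corp.example",
     "target": "helpdesk@corp.example", "role": "Helpdesk Administrator"},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "sync_svc@corp.example", "target": "federated-domain.example"},
]
_BACKUP_DELETE = ("Microsoft.RecoveryServices/vaults/backupFabrics/"
                  "protectionContainers/protectedItems/delete")
SAMPLE_AZURE = (
    [{"operationName": _BACKUP_DELETE, "caller": "sync_svc@corp.example",
      "time": f"2025-01-01T10:0{i}:00"} for i in range(4)]
    + [{"operationName": "Microsoft.Storage/storageAccounts/delete",
        "caller": "sync_svc@corp.example", "time": f"2025-01-01T10:0{i}:00"}
       for i in (4, 5)]
    + [{"operationName": "Microsoft.Storage/storageAccounts/delete",
        "caller": "ops@corp.example", "time": "2025-01-01T08:00:00"},
       {"operationName": "Microsoft.Storage/storageAccounts/delete",
        "caller": "ops@corp.example", "time": "2025-01-01T14:00:00"},
       {"operationName": "Microsoft.Compute/virtualMachines/write",
        "caller": "sync_svc@corp.example", "time": "2025-01-01T10:03:30"}]
)


def run_sample():
    """Run both checks over the constructed records."""
    return {"entra": check_entra(SAMPLE_ENTRA),
            "azure": check_azure_deletes(SAMPLE_AZURE)}


if __name__ == "__main__":
    for section, items in run_sample().items():
        for item in items:
            print(section, *item)
```

The role-grant check keys on the synced-account flag because that is the misconfiguration the article singles out; a routine grant to a cloud-only admin is still reported, just at a lower-priority kind. The delete check is per caller and per time window rather than per resource, so a slow, legitimate clean-up by an operator does not trip it while a rapid purge by one identity does.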

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.