2024-10-03

Storm-0501’s Impact on On-Prem and Cloud Infrastructure

Level: Tactical | Source: Microsoft
Sectors: Education, Government, Healthcare, Law Enforcement, Manufacturing, Transportation


A threat actor tracked by Microsoft as Storm-0501 has demonstrated the capability to impact compromised organizations' on-premises and Azure cloud environments. Active since 2021, the actor is linked to the Sabbath (aka 54bb47h) ransomware. Their financial motivation has led to affiliations with other major ransomware strains, including Hive, ALPHV (aka BlackCat), Hunters International, LockBit and, most recently, Embargo ransomware. Storm-0501 leverages both commodity and open-source tools to conduct financially motivated ransomware operations across several U.S. sectors, including education, government, healthcare, law enforcement, manufacturing, and transportation. Their partnerships with the initial access brokers Storm-0249 and Storm-0900 supply the credentials used to gain initial access to targeted environments.

Microsoft’s investigations reveal that Storm-0501 is capable of exploiting vulnerabilities such as Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and potentially ColdFusion 2016 (CVE-2023-29300 or CVE-2023-38203) to gain initial access. A discovery phase follows. The threat actor employs PowerShell scripts—an obfuscated version of ADRecon.ps1, referred to as obfs.ps1 or recon.ps1—for Active Directory reconnaissance, alongside common native Windows tools and commands such as systeminfo.exe, net.exe, nltest.exe, and tasklist.exe. Open-source tools like ossec-win32 and OSQuery are used for a thorough examination of the compromised endpoint. As the intrusion progresses, remote monitoring and management tools such as Level.io, AnyDesk, and NinjaOne are deployed to fortify access and control. Impacket’s SecretsDump module is used to harvest credentials; this paves the way to Domain Admin status and access to Domain Controllers, ultimately setting the stage for widespread ransomware deployment across networked devices. "In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network," Microsoft reports. For data exfiltration, Rclone was used; however, the binary was renamed to mimic native Windows binary names such as svhost.exe or scvhost.exe (lookalikes of svchost.exe) in an attempt to evade detection by masquerading as a legitimate service.
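The renamed-Rclone masquerade described above is a good fit for a process-creation detection. The following is an added example (not code from Microsoft or Anvilogic) that runs over constructed Sysmon-style events and flags svchost.exe lookalike names, svchost.exe launched outside System32, a PE OriginalFileName of rclone.exe under a different file name, and rclone-shaped command lines; the sample events and field names are assumptions for illustration.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\ProgramData\svhost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svhost.exe copy C:\Finance remote:bucket --config c.conf -P"},
    {"Image": r"C:\Users\Public\scvhost.exe", "OriginalFileName": "",
     "CommandLine": r"scvhost.exe sync D:\Share mega:exfil --transfers 8"},
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe"},
]

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "lsf"}
# rclone remotes look like name:path; a single drive letter before ':' is excluded.
RCLONE_REMOTE = re.compile(r"(?<!\S)[A-Za-z][A-Za-z0-9_-]+:\S*")


def analyze(event: dict) -> list[str]:
    """Return the reasons an event looks like a renamed Rclone / svchost lookalike."""
    reasons = []
    image = event["Image"]
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    original = event.get("OriginalFileName", "").lower()
    args = event.get("CommandLine", "").split()[1:]
    # 1. Lookalike of svchost.exe (svhost.exe, scvhost.exe, ...) that is not the real name.
    if name != "svchost.exe" and SequenceMatcher(None, name, "svchost.exe").ratio() > 0.8:
        reasons.append(f"svchost lookalike name: {name}")
    # 2. The real name, launched from a directory the service host never runs from.
    if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"svchost.exe outside System32: {directory}")
    # 3. PE version info still says rclone.exe although the file on disk was renamed.
    if original == "rclone.exe" and name != "rclone.exe":
        reasons.append("OriginalFileName is rclone.exe but file was renamed")
    # 4. Command line shaped like rclone usage: <verb> <source> <remote:path>.
    if args and args[0].lower() in RCLONE_VERBS and RCLONE_REMOTE.search(" ".join(args)):
        reasons.append("rclone-style command line with remote target")
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious Image path to its reasons; clean events are omitted."""
    return {e["Image"]: r for e in events if (r := analyze(e))}
```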

Outlining the cloud threat vector, Microsoft notes that Storm-0501 gained access to Microsoft Entra ID using credentials gathered during the on-premises intrusion. Storm-0501 was observed strategically leveraging Microsoft Entra Connect Sync to pivot from on-premises to the cloud. Microsoft Entra Connect Sync, formerly known as Azure AD Connect, synchronizes on-premises directory services with cloud-based Microsoft Entra identities, allowing seamless user authentication across environments. According to Microsoft, "We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products."

Storm-0501 compromised the service accounts associated with Microsoft Entra Connect Sync that are crucial to the synchronization process. These accounts, one in the on-premises Active Directory and another in cloud-based Microsoft Entra, handle synchronization tasks. Once they were compromised, Storm-0501 manipulated the synchronization process to their advantage, either by using the stolen credentials to access Microsoft Entra directly or by resetting passwords that would sync up to the cloud environment, allowing unfettered access across platforms. However, this method requires the absence of certain security controls, as Microsoft states: "a compromised on-premises user account not assigned with an administrative role in Microsoft Entra ID and synced to the cloud without security boundaries such as MFA or Conditional Access."

Storm-0501's techniques also included the use of AADInternals—a toolset favored for testing and attacking Microsoft Entra environments. By setting or changing passwords for compromised directory synchronization accounts via AADInternals’ Set-AADIntUserPassword cmdlet, the attackers maintained their foothold within the cloud environment. Storm-0501 demonstrated a methodical escalation strategy within the cloud by manipulating the "ImmutableId" and "NextSigningCertificate" properties. These elements are critical for maintaining identity consistency across federated domains, and the attackers exploited them to create backdoor access. By converting a managed domain to a federated one and introducing their own root certificate, the attackers could then issue tokens to authenticate as any user, effectively bypassing multifactor authentication safeguards.
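The sync-account abuse in the previous paragraph and the ImmutableId / federation changes described here all leave traces in the Entra audit log, so the two passages share one added triage example (not code from Microsoft or Anvilogic). The records below are constructed; their flat field names are an assumption that only loosely mirrors the Graph directoryAudit resource, and the activity names "Set domain authentication", "Set federation settings on domain" and "Reset user password" are the ones Entra emits for those operations. The cloud sync account is recognised by its conventional Sync_<server>_<id>@<tenant>.onmicrosoft.com naming.

```python
from __future__ import annotations

# Constructed, simplified Entra audit records (sample data). Field names are an
# assumption for illustration, not the verified Graph directoryAudit schema.
SAMPLE_AUDIT = [
    {"activity": "Reset user password", "initiator": "admin@contoso.example",
     "target": "jdoe@contoso.example", "modified": {}},
    {"activity": "Reset user password", "initiator": "user1@contoso.example",
     "target": "Sync_DC01_a1b2c3@contoso.onmicrosoft.com", "modified": {}},
    {"activity": "Update user", "initiator": "Sync_DC01_a1b2c3@contoso.onmicrosoft.com",
     "target": "globaladmin@contoso.example", "modified": {"ImmutableId": "Q29uc3RydWN0ZWQ="}},
    {"activity": "Set domain authentication", "initiator": "Sync_DC01_a1b2c3@contoso.onmicrosoft.com",
     "target": "contoso.example", "modified": {"AuthenticationType": "Federated"}},
    {"activity": "Set federation settings on domain", "initiator": "user1@contoso.example",
     "target": "contoso.example", "modified": {"NextSigningCertificate": "MIIC...(constructed)"}},
]

FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}
PASSWORD_ACTIVITIES = {"Reset user password", "Change user password"}
SENSITIVE_PROPS = {"ImmutableId", "NextSigningCertificate", "SigningCertificate", "AuthenticationType"}


def is_sync_account(upn: str) -> bool:
    """Entra Connect cloud sync accounts follow Sync_<server>_<id>@<tenant>.onmicrosoft.com."""
    u = upn.lower()
    return u.startswith("sync_") and u.endswith(".onmicrosoft.com")


def triage(rec: dict) -> tuple[str, str] | None:
    """Return (severity, reason) when a record matches the hybrid-pivot pattern, else None."""
    act, who, target, modified = rec["activity"], rec["initiator"], rec["target"], rec["modified"]
    # Managed-to-federated conversion or a new signing certificate: rare and always worth review.
    if act in FEDERATION_ACTIVITIES:
        return ("critical", f"{act} on {target} by {who}")
    # Anyone setting the sync account's password is outside normal Entra Connect behaviour.
    if act in PASSWORD_ACTIVITIES and is_sync_account(target):
        return ("critical", f"password of sync account {target} changed by {who}")
    # The sync account touching identity-anchor or federation properties (baseline first:
    # legitimate sync sets ImmutableId only when it first creates a synced user).
    touched = SENSITIVE_PROPS.intersection(modified)
    if is_sync_account(who) and touched:
        return ("high", f"sync account {who} modified {sorted(touched)} on {target}")
    return None


def run(records: list[dict]) -> list[tuple[str, str]]:
    """Triage a batch and keep only the records that produced a finding."""
    return [hit for r in records if (hit := triage(r))]
```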

This multifaceted attack not only allowed Storm-0501 to extend their reach from local systems to cloud-based assets but also set the stage for deploying ransomware across the compromised network. Ransomware deployment is not always the end goal of Storm-0501's intrusions; the actor's focus may instead be maintaining persistent access. Among threat actors capable of targeting hybrid environments, Microsoft warns of groups like "Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals." Monitoring and proper configuration of cloud environments are necessary for effective defense. Specific defensive measures recommended include implementing MFA, Conditional Access policies, and least-privilege access, and following Microsoft's recommendation to "deploy Microsoft Entra Connect on a domain-joined server."
