Microsoft sees Storm-0501 ransomware as a threat to hybrid cloud environments

Microsoft warns of the Storm-0501 ransomware group, which is now apparently targeting hybrid cloud environments.


The ransomware of the ransomware group known as Storm-0501 attempts to compromise hybrid cloud environments.

(Image: Sashkin/Shutterstock.com)


The ransomware of the group now known as "Storm-0501" first came to light in 2021. The attacker group, which initially operated under the name "Sabbath", targeted critical IT infrastructures in North America. At the time, it managed to infect servers of public institutions and encrypt data areas there. The attackers then went public via social media channels and offered keys for decryption in exchange for a ransom.

As the SecurityIntelligence portal reports, in 2021 the perpetrators even contacted teachers, students and staff of the school authority at one affected school to demand a ransom of several million US dollars. After analyzing the current attacks, Microsoft now sees a targeted shift of the group's ransomware attacks towards hybrid cloud environments.

As Microsoft reports in its security blog, a multi-stage attack by Storm-0501 was observed in hybrid cloud environments. This is an IT infrastructure that combines private cloud services with public ones and enables the exchange of data and applications between the two worlds. Public authorities and companies often use hybrid cloud environments to store sensitive or business-critical data in the private cloud while running less sensitive applications and data in the more cost-effective public cloud.

Recent attacks have targeted US government or agency data, as well as data from manufacturing and transportation companies and law enforcement agencies in the US. The attackers gained access to the cloud environments by exploiting insecure credentials of privileged accounts.

Storm-0501 "took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods," Microsoft said. "The threat actor primarily utilized Impacket's SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials." The attackers then used the compromised credentials to access even more devices and extract further login credentials from them.
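The credential sweep described above leaves a recognisable trace in authentication logs: one account suddenly logging on to many hosts within minutes. The following detection heuristic is an added example and is not code from the article or from Microsoft's blog; the hostnames, account names and log format are constructed for illustration, and the threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network-logon records (modelled loosely on Windows
# Security event 4624, logon type 3); all names here are made up.
# Format: timestamp account source_host target_host
SAMPLE_LOGONS = """\
2024-09-26T10:00:05 svc_backup WS01 FS01
2024-09-26T10:00:09 svc_backup WS01 FS02
2024-09-26T10:00:14 svc_backup WS01 DB01
2024-09-26T10:00:20 svc_backup WS01 DC01
2024-09-26T10:00:31 svc_backup WS01 APP03
2024-09-26T10:00:44 svc_backup WS01 APP04
2024-09-26T10:01:02 svc_backup WS01 FS03
2024-09-26T10:03:10 jdoe WS07 FS01
2024-09-26T11:15:00 jdoe WS07 FS02
"""

def parse_logons(text):
    """Parse 'timestamp account source_host target_host' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)

def fan_out_alerts(events, window=timedelta(minutes=5), threshold=5):
    """Flag accounts that reach more than `threshold` distinct target hosts
    within `window`: the fan-out pattern of one harvested credential being
    replayed against many devices, as in the SecretsDump sweep above."""
    by_account = defaultdict(list)
    for ts, account, src, dst in events:
        by_account[account].append((ts, dst))
    alerts = []
    for account, hits in by_account.items():
        for i, (start, _) in enumerate(hits):
            hosts = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(hosts) > threshold:
                alerts.append((account, start.isoformat(), len(hosts)))
                break  # one alert per account is enough
    return alerts

def scan(text=SAMPLE_LOGONS):
    return fan_out_alerts(parse_logons(text))

if __name__ == "__main__":
    for account, first_seen, n in scan():
        print(f"ALERT {account}: {n} hosts within 5 min from {first_seen}")
```

Legitimate batch jobs (backup agents, vulnerability scanners) also fan out this way, so in practice the heuristic is scoped to interactive or privileged accounts and paired with an allow-list.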

"Once the attackers gained sufficient control over the network and successfully extracted confidential files and were able to move around the cloud environment, they deployed their ransomware across the entire organization," Microsoft commented on the observed approach.

To help organizations secure their own networks and cloud environments, Microsoft provides in the blog post a series of indicators that can show whether a compromise has occurred. For the latest findings, Microsoft refers to its security research in the Microsoft Threat Intelligence Blog.

(psz)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.