Ransomware gang using stolen Microsoft Entra ID creds to bust into the cloud

Defenders beware: Data theft, extortion, and backdoors on Storm-0501's agenda


Microsoft's latest threat intelligence blog issues a warning to all organizations about Storm-0501's recent shift in tactics, targeting, and backdooring hybrid cloud environments.

Using a bevy of tactics to achieve its goals, Storm-0501 has a tendency to take control of entire networks via cloud compromises. Members first gain access to on-prem environments before pivoting to the cloud, implanting backdoors for persistent access, and deploying ransomware.

Active since 2021, Storm-0501 is still regarded as an emerging group in Microsoft's view, hence the "Storm" naming convention reserved for groups still in development.

Despite its fledgling status, the group has been prolific in carrying out ransomware attacks as a member of the LockBit, ALPHV, Hive, and Hunters International ransomware affiliate programs. 

More recently, Microsoft spotted it deploying Embargo's ransomware payload, and separately compared it to more established, financially motivated groups such as Octo Tempest (Scattered Spider) and Manatee Tempest (Evil Corp).

A typical Storm-0501 attack is fairly standard – not a lot of surprises. Initial access brokers (IABs) are used for, well, initial access in many cases, while vulnerabilities in public-facing servers are also exploited when needed.

The group targets over-privileged accounts during this phase and once its members gain control of these, they typically utilize Impacket's SecretsDump module to scan for additional credentials that can be used to compromise more accounts. This process is repeated until numerous accounts are under the attackers' control, and in an ideal world for them, this would include multiple Domain Admin accounts.

The old faithful Cobalt Strike is used for lateral movement, which often ends in access to the domain controller and, subsequently, data theft and ransomware deployment.

Recent attacks have given researchers cause for concern, however. During the credential-gathering phase, Storm-0501 used stolen credentials for Entra ID to pivot from on-prem to the cloud environment where they would proceed to implant a backdoor.

The attackers employed two different methods to gain control of Entra ID. The first is compromising the Entra Connect Sync service accounts, whose credentials are stored in encrypted form on the Entra Connect server's disk or on a remote SQL server.

"We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts," Microsoft wrote.

"We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

"The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID)."

Another tactic Storm-0501 has used to successfully pivot into the cloud is to compromise an on-prem Domain Admin account that has an equivalent in the cloud that's not protected with MFA and also carries a global administrator role.

The sync service isn't available for these kinds of accounts in Entra, so an attacker would have to be lucky enough to find an account that's both unprotected by MFA and also uses the same password as the on-prem account.

Having MFA enabled would make this avenue of attack much more complex and less likely to be successful. In this case, an attacker would have to either tamper with the MFA protection itself or take the extra steps to compromise a user's device, and either hijack its cloud session or extract Entra access tokens.

Whichever route Storm-0501 takes, it often leads to backdoors being implanted for persistent access by creating a federated domain, allowing it to authenticate as any Entra ID tenant user.

Once the target is thoroughly compromised and its data lifted, that's when the ransomware comes in, or doesn't. While Storm-0501 is now opting for Embargo's payload, which follows the typical double extortion model, not all of its attacks lead to ransomware deployment. Some just stopped after the backdoor was established, Microsoft said in its blog, which also includes threat-hunting tips and an extensive collection of indicators of compromise. ®
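A defender-side illustration of the hunt the above implies, added here and not taken from the article or from Microsoft's blog: a small script that scans Entra ID audit-log entries (constructed samples, flattened to three fields) for the patterns described, a sync account resetting a user's password, a domain's authentication type being changed, and a Global Administrator role addition. The activity display names and the "Sync_" prefix of the Entra Connect sync account are assumptions about the log format.

```python
import json

# Activity display names assumed to match Entra ID audit-log values.
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}
ROLE_ACTIVITIES = {"Add member to role"}
PASSWORD_ACTIVITIES = {"Reset user password", "Change user password"}
SYNC_PREFIX = "Sync_"  # assumed naming of the Entra Connect cloud sync account

# Constructed sample entries in a flattened shape of the Entra audit-log JSON.
SAMPLE_LOG = json.loads("""[
 {"activityDisplayName": "Update user", "initiatedBy": "Sync_SRV01_abc@contoso.onmicrosoft.com", "target": "jdoe@contoso.com"},
 {"activityDisplayName": "Reset user password", "initiatedBy": "Sync_SRV01_abc@contoso.onmicrosoft.com", "target": "admin@contoso.com"},
 {"activityDisplayName": "Set domain authentication", "initiatedBy": "admin@contoso.com", "target": "contoso.com"},
 {"activityDisplayName": "Add member to role", "initiatedBy": "admin@contoso.com", "target": "Global Administrator"},
 {"activityDisplayName": "Update user", "initiatedBy": "helpdesk@contoso.com", "target": "jdoe@contoso.com"}
]""")


def hunt(entries):
    """Return (rule, initiator, target) tuples for entries that merit triage."""
    hits = []
    for e in entries:
        act, who, tgt = e["activityDisplayName"], e["initiatedBy"], e["target"]
        # The sync account should only synchronise objects; a password reset
        # issued by it matches the sync-account pivot described in the article.
        if who.startswith(SYNC_PREFIX) and act in PASSWORD_ACTIVITIES:
            hits.append(("sync_account_password_reset", who, tgt))
        # Federation changes are rare in normal operation and are the primitive
        # behind the "authenticate as any tenant user" backdoor.
        if act in FEDERATION_ACTIVITIES:
            hits.append(("federation_change", who, tgt))
        # New Global Administrators warrant a second look regardless of initiator.
        if act in ROLE_ACTIVITIES and tgt == "Global Administrator":
            hits.append(("global_admin_added", who, tgt))
    return hits


if __name__ == "__main__":
    for rule, who, tgt in hunt(SAMPLE_LOG):
        print(f"{rule}: {who} -> {tgt}")
```

Benign sync activity such as the "Update user" entries is deliberately not flagged, so the output is the three entries an analyst would actually want to triage.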
