Former affiliate upgrades to ransomware gang and launches its own attacks

Microsoft has discovered a new threat actor that previously operated as an affiliate for other ransomware-as-a-service gangs, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. Now it is launching attacks of its own.

The actor, tracked by Microsoft as Storm-0501, was observed targeting hybrid cloud environments using open-source tools. Its main goal is, no surprise here, financial gain.

Recently, Storm-0501 launched multi-staged attacks in the US, compromising hybrid cloud environments and moving laterally from on-premises devices to the cloud. This led to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment.


The gang targeted government, manufacturing, transportation, and law enforcement organizations. Recently, the cybercriminals have also started targeting hospitals in the US.

The threat actor has been active since at least 2021. In opportunistic attacks, it deployed multiple ransomware payloads developed and maintained by other gangs.

To gain initial access, Storm-0501 uses stolen credentials and known exploits, then hunts for over-privileged accounts. Eventually, it moves into the cloud by exploiting the interfaces between the on-premises and cloud environments.

“As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations,” the report by Microsoft Threat Intelligence warns.

In a recent campaign, Storm-0501 was observed exploiting known vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016 applications. Its targets’ operational security practices were insufficient.

Storm-0501 relies on common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, and tasklist.exe in the discovery phase of an attack. It also employs open-source reconnaissance tools and remote management tools, such as AnyDesk.
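One way a defender can turn that discovery pattern into a detection, as an added example that is not from the Microsoft report or this article: flag any host/account pair that runs several different native recon binaries within a short window, run here over constructed process-creation records (the hostnames, accounts, timestamps and the 10-minute window are made up for the illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Native discovery binaries named in the report on Storm-0501.
RECON_BINARIES = {"systeminfo.exe", "net.exe", "nltest.exe", "tasklist.exe"}

# Constructed process-creation records (time, host, account, image path);
# hosts, accounts and timestamps are made up, not from any real incident.
SAMPLE_EVENTS = """\
2024-09-20T10:01:02Z WS01 CORP\\jdoe C:\\Windows\\System32\\notepad.exe
2024-09-20T10:02:11Z WS01 CORP\\jdoe C:\\Windows\\System32\\systeminfo.exe
2024-09-20T10:02:40Z WS01 CORP\\jdoe C:\\Windows\\System32\\net.exe
2024-09-20T10:03:05Z WS01 CORP\\jdoe C:\\Windows\\System32\\nltest.exe
2024-09-20T10:03:30Z WS01 CORP\\jdoe C:\\Windows\\System32\\tasklist.exe
2024-09-20T11:15:00Z WS02 CORP\\admin C:\\Windows\\System32\\tasklist.exe
2024-09-20T14:20:00Z WS02 CORP\\admin C:\\Windows\\System32\\net.exe
"""

def parse_events(text):
    """Parse one record per line into (time, host, account, image basename)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, path = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, host, account, path.rsplit("\\", 1)[-1].lower()))
    return events

def find_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Flag each (host, account) that ran at least `min_distinct` different
    recon binaries inside one `window`. A lone tasklist.exe is routine admin
    work; several different discovery tools within minutes usually is not."""
    per_actor = defaultdict(list)
    for when, host, account, image in events:
        if image in RECON_BINARIES:
            per_actor[(host, account)].append((when, image))
    alerts = []
    for (host, account), runs in per_actor.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {img for t, img in runs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, account, start, sorted(seen)))
                break  # one alert per actor is enough
    return alerts

if __name__ == "__main__":
    for host, account, start, tools in find_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{start:%H:%M:%S} {host} {account}: {', '.join(tools)}")
```

The threshold matters: the single tasklist.exe run on WS02 is ignored, while the four-tool sequence on WS01 inside two minutes is flagged.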

Taking advantage of admin privileges, the threat actor steals credentials to move laterally across the network until it reaches a Domain Controller and deploys ransomware across the devices in the network.

[Image: attack chain]

“Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization,” Microsoft said.

Embargo ransomware is a new strain written in Rust. It uses advanced encryption methods and operates under the RaaS model. However, Storm-0501 did not always deploy ransomware and, in some cases, only maintained access to the network.

Microsoft tightened security on Microsoft Entra ID (formerly Azure AD), a cloud identity and access management solution, which the attackers abused to extract credentials. The tech giant shared many recommendations, such as enforcing strong phishing-resistant authentication practices, limiting access for synchronization accounts, and leveraging EDR tools.