- Microsoft warns of Storm-0501, a ransomware group that mainly targets cloud platforms
- Attacking the cloud lets the group move faster and more efficiently.
- There are ways to defend against this threat, so stay alert
Microsoft is warning users about a ransomware operator that is more interested in compromising cloud infrastructure than local devices, since doing so is faster, more efficient and more damaging.
In a new report, the company highlighted Storm-0501, a financially motivated group observed targeting mainly hybrid cloud environments. The group would first compromise Active Directory domains through domain trust relationships, then use Entra Connect Sync servers to pivot into the cloud and into Microsoft Entra ID tenants.
From there, the group would exploit a synchronized non-human identity that held the Global Administrator role and had no multifactor authentication (MFA) configured, to obtain full cloud access. That access, in turn, let them create a backdoor by adding malicious federated domains and abusing SAML tokens.
Weathering the storm
Compromising Azure in this way is an alarming turn of events, since the criminals can obtain the Owner role on subscriptions, map critical assets with AzureHound, exfiltrate data through the AzCopy CLI, delete backups and storage using Azure operations and, in some cases, even encrypt files using Azure Key Vault keys.
Attacking the cloud rather than on-premises infrastructure first allows faster data theft, as well as destruction of backups. Adding insult to injury, it also lets them contact their victims through Microsoft Teams and demand a ransom payment.
“Leveraging native cloud capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim's environment and demands ransom, all without relying on traditional malware deployment,” Microsoft wrote.
To mitigate the threat, companies should first of all enforce MFA for all users, especially privileged accounts. They should then restrict the permissions of the Directory Synchronization Account, use TPM on Entra Connect Sync servers, and apply Azure resource locks and immutability policies.
Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud in all tenants and, naturally, monitoring with Azure activity logs and advanced hunting queries.
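As an added example (not code from the article or from Microsoft), the following Python script illustrates the monitoring advice above: it triages constructed Entra audit and Azure Activity Log records for the operations the article names (federated domain added, resource lock removed, backups or storage deleted, Key Vault key operations) and escalates any actor that performs more than one of them. The operation-name strings, the record fields and the sample records are assumptions chosen for illustration, not a published log schema, so check them against your own tenant's logs before relying on them.

```python
"""Triage of Entra audit / Azure Activity Log records against the playbook in the article.

Added example, not from the article or Microsoft. The operation names below are
assumptions: verify them against the log schema of your own tenant.
"""
import json
from collections import defaultdict

# Assumed operation names, mapped to the stage of the playbook they correspond to.
HIGH_RISK_OPERATIONS = {
    "Set federation settings on domain": "federated-domain backdoor",
    "Set domain authentication": "federated-domain backdoor",
    "Microsoft.Authorization/locks/delete": "resource lock removed",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete": "backup deleted",
    "Microsoft.Storage/storageAccounts/delete": "storage deleted",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete": "storage deleted",
    "Microsoft.KeyVault/vaults/keys/create/action": "key vault key operation",
}

# Constructed sample: one JSON record per line, reduced to the fields the triage needs.
# Subscription ids are placeholders; the actors and domains are made up.
SAMPLE_LOG = """
# constructed sample, not real telemetry
{"time":"2024-09-01T02:10:00Z","source":"EntraAudit","actor":"sync_svc@contoso.example","operationName":"Set federation settings on domain","target":"federation-backdoor.example","result":"success"}
{"time":"2024-09-01T02:15:00Z","source":"AzureActivity","actor":"sync_svc@contoso.example","operationName":"Microsoft.Authorization/locks/delete","target":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod/providers/Microsoft.Authorization/locks/keep","result":"Success"}
{"time":"2024-09-01T02:16:00Z","source":"AzureActivity","actor":"sync_svc@contoso.example","operationName":"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete","target":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod/providers/Microsoft.RecoveryServices/vaults/bk","result":"Success"}
{"time":"2024-09-01T02:20:00Z","source":"AzureActivity","actor":"alice@contoso.example","operationName":"Microsoft.Compute/virtualMachines/start/action","target":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web1","result":"Success"}
{"time":"2024-09-01T02:25:00Z","source":"AzureActivity","actor":"bob@contoso.example","operationName":"Microsoft.Storage/storageAccounts/delete","target":"/subscriptions/SUB-PLACEHOLDER/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/archive","result":"Failed"}
"""


def parse_log_lines(text):
    """Parse JSON-lines input, skipping blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_high_risk(records):
    """Return successful operations that match the playbook, oldest first."""
    findings = []
    for rec in records:
        category = HIGH_RISK_OPERATIONS.get(rec.get("operationName", ""))
        if category is None:
            continue
        # Failed attempts deserve a look too, but only successes drive the escalation below.
        if str(rec.get("result", "")).lower() != "success":
            continue
        findings.append({
            "time": rec.get("time"),
            "actor": rec.get("actor", "<unknown>"),
            "category": category,
            "operation": rec["operationName"],
            "target": rec.get("target"),
        })
    return sorted(findings, key=lambda f: f["time"] or "")


def categories_by_actor(findings):
    """Map each actor to the sorted list of distinct playbook stages it touched."""
    touched = defaultdict(set)
    for finding in findings:
        touched[finding["actor"]].add(finding["category"])
    return {actor: sorted(cats) for actor, cats in touched.items()}


def triage(records):
    """Severity per actor: 'critical' when two or more stages appear (a backdoor followed
    by destruction is the combination the article describes), 'high' for a single stage."""
    summary = categories_by_actor(find_high_risk(records))
    return {actor: ("critical" if len(cats) >= 2 else "high") for actor, cats in summary.items()}


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG)
    for finding in find_high_risk(recs):
        print(f"{finding['time']} {finding['actor']:<26} {finding['category']:<26} {finding['operation']}")
    print(triage(recs))
```

Run on the embedded sample, the script reports three successful high-risk operations by the synchronization service account (federation change, lock removal, backup deletion) and rates that actor critical, while the failed storage deletion and the routine VM start are left out of the escalation. A real deployment would feed it exported log records and, as the article suggests, pair it with an advanced hunting query that watches the Directory Synchronization Account specifically.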