Ethical Hacking News

The Shadow in the Cloud: How Storm-0501 Revealed the Vulnerabilities of Hybrid Cloud Environments


Microsoft's threat intelligence team has revealed a new and alarming trend in ransomware attacks as Storm-0501, a financially motivated cybercrime crew, broke into a large enterprise's on-premises and cloud environments. The attackers used cloud-native capabilities to rapidly exfiltrate large volumes of data, destroy data and backups within the victim environment, and demand ransom - all without relying on traditional malware deployment.

  • The Storm-0501 ransomware crew breached a large enterprise's on-premises and cloud environments, exfiltrating data and destroying backups.
  • The attackers used cloud-native capabilities to demand ransom without traditional malware deployment.
  • They escalated privileges across compromised environments using credential-dumping techniques like DCSync attacks.
  • Once they found a synced global admin account with MFA turned off, they reset that user's on-prem password, which synced to the cloud, and registered a new, attacker-controlled MFA method, then used the account for lateral movement.
  • The attackers gained full control over the cloud domain, registering a threat actor-owned Entra ID tenant as a trusted federated domain.
  • They invoked the Microsoft.Authorization/elevateAccess/action operation to turn top-level Entra ID privileges into access to all Azure subscriptions.
  • Mitigation measures include reducing visibility gaps in environments and deploying endpoint security products, including on Entra Connect Sync servers.



    Microsoft's threat intelligence team has recently exposed a new and alarming trend in ransomware attacks, as Storm-0501, a financially motivated cybercrime crew, broke into a large enterprise's on-premises and cloud environments. The attackers exfiltrated and destroyed data within the Azure environment, then contacted the victim via a compromised Microsoft Teams account, demanding a ransom payment for the stolen files.

    This attack, according to Redmond, illustrates a scary shift in ransomware tactics, which are moving away from traditional endpoint-based attacks and toward cloud-based ransomware. The crew leveraged cloud-native capabilities to rapidly exfiltrate large volumes of data, destroy data and backups within the victim environment, and demand ransom - all without relying on traditional malware deployment.

    The naming convention Microsoft uses for emerging threat groups is "Storm", and in September 2024, the Windows giant detailed how Storm-0501 extended its on-premises ransomware operations into hybrid cloud environments. In these earlier attacks, the crew compromised Active Directory environments and then pivoted to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global admin-level privileges before implanting backdoors and, in some cases, deploying ransomware.

    In the more recent attack, Storm-0501 again escalated privileges and abused identities across the compromised environment to jump from on-premises to cloud. They also used a DCSync attack, which is a credential-dumping technique that allows an attacker to impersonate a domain controller by abusing the Directory Replication Service Remote Protocol and, in this role, retrieve sensitive Active Directory data, such as password hashes for any user in the domain.

    Using these stolen credentials, the intruders attempted to sign in as several privileged users but were ultimately blocked because the accounts had multi-factor authentication (MFA). So they went back to Active Directory and compromised a second Entra Connect server linked to a different Entra ID tenant and Active Directory domain, again initiating a DCSync attack. This time around, Storm-0501 was able to identify a non-human synced identity assigned a global admin role in Microsoft Entra ID on that tenant. And this one didn't have MFA turned on.
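The DCSync step described above leaves a trace on the domain controller: Windows Security event 4662 records which principal exercised the replication extended rights. The following detection script is an added example, not code from the article or from Microsoft. It assumes the 4662 events have been exported to Python dicts carrying the field names Windows writes (EventID, SubjectUserName, Properties, Computer); the events themselves are constructed samples, and the allow-list parameter is a design choice of this example.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not code from the article or from Microsoft. It assumes the
4662 events have been exported to dicts carrying the fields Windows writes
(EventID, SubjectUserName, SubjectDomainName, Properties, Computer); the
events below are constructed samples.
"""

# Extended rights that permit directory replication. Both GUIDs are the
# well-known values from the AD schema; a DCSync needs at least one of them,
# and Get-Changes-All is the one that returns password hashes.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)


def is_domain_controller_account(name: str) -> bool:
    """Machine accounts end in '$'; DCs replicate with each other legitimately.
    Assumption: DC machine accounts are the only blanket exclusion."""
    return name.endswith("$")


def dcsync_alerts(events, allowed_accounts=frozenset()):
    """Return one alert per 4662 event in which a non-DC principal exercised a
    replication extended right. `allowed_accounts` is an explicit allow-list;
    it is deliberately empty by default because, in the intrusion the article
    describes, the DCSync ran from a compromised Entra Connect server, so the
    synchronisation account itself is worth watching rather than excluding."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [g for g in REPLICATION_GUIDS if g in props]
        if not rights:
            continue  # ordinary directory access, not replication
        user = ev.get("SubjectUserName", "")
        if is_domain_controller_account(user) or user in allowed_accounts:
            continue
        alerts.append({
            "user": user,
            "domain": ev.get("SubjectDomainName", ""),
            "logged_on": ev.get("Computer", ""),
            "rights": rights,
            "all_changes": DS_REPLICATION_GET_CHANGES_ALL in rights,
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Computer": "DC01.corp.example", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "svc-sync", "SubjectDomainName": "CORP",
     "Computer": "DC01.corp.example", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "Computer": "DC01.corp.example", "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "Properties": "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"},  # user-object read, not replication
    {"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the `svc-sync` event is reported: the DC-to-DC replication is excluded by the machine-account rule and the `jdoe` event touches a user object without any replication right. Audit policy for "Directory Service Access" must be enabled on the DCs for 4662 to be written at all.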

    The digital thieves next reset the user's on-prem password, which synced (via Entra Connect Sync) to the cloud ID of that user. The attackers then registered a new, attacker-controlled MFA method, and used this account to move laterally between different devices in the network, finally finding a hybrid-joined server that allowed them to sign in to the Azure portal using the global admin account.

    From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud.

    These goals included first registering a threat actor-owned Entra ID tenant as a trusted federated domain, which essentially created a backdoor for Storm-0501 to use for persistent access. "The backdoor enabled Storm-0501 to craft security assertion markup language (SAML) tokens applicable to the victim tenant, impersonating users in the victim tenant while assuming the impersonated user's Microsoft Entra roles," the threat hunters explained.

    The tenant's Entra ID and Azure environments are connected, and the attackers already held top-level Entra ID privileges. After invoking the Microsoft.Authorization/elevateAccess/action operation with the compromised Microsoft Entra global administrator account, Storm-0501 obtained the User Access Administrator Azure role, which gave them access to all of the enterprise's Azure subscriptions and the data stored in them.
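The three cloud-stage steps in the preceding paragraphs each surface in exported logs: the password reset and the new MFA registration in the Entra ID audit log, the federated-domain change in the same audit log, and the elevateAccess call in the Azure Activity log. The correlation script below is an added example, not code from the article or from Microsoft. Field names follow the shape of exported Entra ID audit records (activityDateTime, activityDisplayName, initiatedBy, targetResources) and a flattened Azure Activity log record (eventTimestamp, operationName, caller); the records are constructed samples, and the 15-minute pairing window is an assumption to be tuned per environment.

```python
"""Correlate, over exported log records, the cloud-stage steps the article
attributes to Storm-0501: a password reset followed by a new MFA method on
the same account, a domain switched to federated authentication, and an
elevateAccess call in the Azure Activity log.

Added example, not code from the article or from Microsoft. The record shapes
are simplified exports; the sample records and the pairing window are
constructed assumptions.
"""
from datetime import datetime, timedelta

# Entra ID audit activityDisplayName values for each step. Assumption: a
# reset performed on-premises and synced by Entra Connect may appear under a
# different activity name or initiator in your tenant; extend the set if so.
PASSWORD_RESET = {"Reset user password", "Change user password"}
MFA_REGISTERED = {"User registered security info"}
FEDERATION_CHANGED = {"Set domain authentication", "Set federation settings on domain"}
# Azure Activity log operation that grants User Access Administrator at root.
ELEVATE_ACCESS = "Microsoft.Authorization/elevateAccess/action"
PAIRING_WINDOW = timedelta(minutes=15)  # assumption; tune to your environment


def _when(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _actor(rec) -> str:
    return rec["initiatedBy"].get("user", {}).get("userPrincipalName", "")


def _target(rec) -> str:
    first = rec["targetResources"][0]
    return first.get("userPrincipalName") or first.get("displayName", "")


def correlate(audit_records, activity_records):
    """Return findings as (kind, principal_or_domain, timestamp) tuples."""
    findings = []
    resets = [r for r in audit_records if r["activityDisplayName"] in PASSWORD_RESET]
    regs = [r for r in audit_records if r["activityDisplayName"] in MFA_REGISTERED]
    # Step 1+2: the account whose password was reset registers new security
    # info shortly afterwards. Routine enrolments without a prior reset are ignored.
    for reset in resets:
        for reg in regs:
            gap = _when(reg["activityDateTime"]) - _when(reset["activityDateTime"])
            if _actor(reg) == _target(reset) and timedelta(0) <= gap <= PAIRING_WINDOW:
                findings.append(("mfa_registered_after_reset", _actor(reg), reg["activityDateTime"]))
    # Step 3: any change to domain federation settings (the SAML-token backdoor).
    for r in audit_records:
        if r["activityDisplayName"] in FEDERATION_CHANGED:
            findings.append(("federation_changed", _target(r), r["activityDateTime"]))
    # Step 4: elevateAccess bridging Entra ID global admin into Azure RBAC.
    for r in activity_records:
        if r["operationName"] == ELEVATE_ACCESS:
            findings.append(("elevate_access", r["caller"], r["eventTimestamp"]))
    return findings


# Constructed sample records (not real telemetry).
AUDIT = [
    {"activityDateTime": "2025-08-20T10:00:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}},
     "targetResources": [{"userPrincipalName": "svc-sync-admin@corp.example"}]},
    {"activityDateTime": "2025-08-20T10:06:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync-admin@corp.example"}},
     "targetResources": [{"userPrincipalName": "svc-sync-admin@corp.example"}]},
    {"activityDateTime": "2025-08-20T10:07:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "alice@corp.example"}},
     "targetResources": [{"userPrincipalName": "alice@corp.example"}]},  # no prior reset
    {"activityDateTime": "2025-08-20T10:40:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync-admin@corp.example"}},
     "targetResources": [{"displayName": "attacker-controlled.example"}]},
]
ACTIVITY = [
    {"eventTimestamp": "2025-08-20T11:02:00Z", "operationName": ELEVATE_ACCESS,
     "caller": "svc-sync-admin@corp.example"},
    {"eventTimestamp": "2025-08-20T11:05:00Z", "operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "alice@corp.example"},
]

if __name__ == "__main__":
    for finding in correlate(AUDIT, ACTIVITY):
        print(finding)
```

Run against the samples, the script yields three findings: the reset-then-MFA pair for the synced admin account, the federation change, and the elevateAccess call, while Alice's routine MFA enrolment and VM read produce nothing. In practice the federation finding deserves the highest priority on its own, since a trusted federated domain persists independently of any password or MFA change.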

    From there, they stole and deleted a large amount of data, then extorted the victim for a ransom payment, contacting them via a compromised Teams account.

    Luckily, Microsoft also suggests several mitigation measures that organizations can take to prevent becoming another one of Storm-0501's cloud ransomware victims.

    Some recommendations concern visibility: in this case only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to that single tenant's license. Onboarding devices consistently in this way helps reduce the visibility gaps in your environment.

    Additionally, it is recommended to review how Active Directory domains are synced to Entra ID tenants through Entra Connect Sync servers: here the domains were synced to several tenants, and in some cases one domain was synced to more than one tenant, making identity management a difficult task. Organizations should also consider deploying additional security measures, such as endpoint security products, on their Entra Connect Sync servers.

    For on-premises attacks, the criminals checked the endpoints for Defender and then compromised an Entra Connect Sync server that was not using the endpoint security product. "We assess that this server served as a pivot point, with the threat actor establishing a tunnel to move laterally within the network," Microsoft said.

    The crew used Evil-WinRM, a post-exploitation tool that abuses PowerShell over Windows Remote Management (WinRM) for remote code execution.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Shadow-in-the-Cloud-How-Storm-0501-Revealed-the-Vulnerabilities-of-Hybrid-Cloud-Environments-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/08/27/storm0501_ransomware_azure_teams/

  • https://www.msn.com/en-us/technology/cybersecurity/the-intruder-is-in-the-house-storm-0501-attacked-azure-stole-data-demanded-payment-via-teams/ar-AA1LkUJC

  • https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/


  • Published: Wed Aug 27 17:27:30 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.