September 27, 2024 at 11:11AM
Microsoft warns that the ransomware threat actor Storm-0501 is now targeting hybrid cloud environments and has expanded its tactics to compromise all victim assets. The group has targeted various organizations in the United States and uses various methods to gain access, move laterally, steal data, and deploy the Embargo ransomware.
Key takeaways from the meeting notes are:
1. Microsoft warned that the Storm-0501 threat actor is targeting hybrid cloud environments and has expanded its strategy to compromise various organizations in the United States, including hospitals, government, manufacturing, transportation, and law enforcement agencies.
2. The attack flow involves gaining access to cloud environments by exploiting weak credentials and privileged accounts, with the goal of stealing data and executing a ransomware payload.
3. Storm-0501 uses stolen credentials and exploits known vulnerabilities, such as CVE-2022-47966, CVE-2023-4966, and possibly CVE-2023-29300 or CVE-2023-38203, to move laterally and compromise cloud-based Microsoft Entra ID.
4. The threat actor plants a persistent backdoor by creating a new federated domain within the Microsoft Entra tenant, allowing them to authenticate as any user, and deploys the Embargo ransomware on victims' on-premises and cloud environments.
5. The Embargo ransomware group uses Rust-based malware for their ransomware-as-a-service (RaaS) operation and has successfully breached organizations like American Radio Relay League and Firstmac Limited, receiving ransom payments in return for decryptors or leaking stolen data.
6. It was noted that the threat actor may not always resort to ransomware distribution and might only maintain backdoor access to the network in some cases.
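The federated-domain backdoor in point 4 leaves a trace in the Entra ID audit log, because adding or changing domain federation is a logged directory operation. The following is an added detection example, not part of the Microsoft report: it scans audit records in the shape of Microsoft Graph `directoryAudit` entries for federation changes on domains outside an allow-list. The activity names, the record layout and the sample log are assumptions constructed for the example.

```python
"""Flag Entra ID audit events that federate a domain the organization does not expect."""
import json

# Audit activity names assumed to record federation changes (verify against your tenant).
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}

def _new_value(record, prop_name):
    """Return the decoded newValue of a modifiedProperties entry, or None if absent."""
    for tr in record.get("targetResources", []):
        for prop in tr.get("modifiedProperties", []):
            if prop.get("displayName") == prop_name:
                raw = prop.get("newValue")
                try:
                    return json.loads(raw) if raw is not None else None  # values are JSON-encoded strings
                except (TypeError, ValueError):
                    return raw
    return None

def find_unexpected_federation(records, known_federated_domains):
    """Return one hit per audit record that turns an unknown domain into a federated one."""
    known = {d.lower() for d in known_federated_domains}
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_ACTIVITIES:
            continue
        targets = rec.get("targetResources", [])
        domain = (targets[0].get("displayName") or "").lower() if targets else ""
        if not domain or domain in known:
            continue
        # A change to "Managed" removes federation; only flag when the result is federated.
        auth_type = _new_value(rec, "AuthenticationType")
        if auth_type is not None and str(auth_type).lower() != "federated":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        hits.append({"time": rec.get("activityDateTime"), "domain": domain, "actor": actor})
    return hits

# Constructed sample audit records (not real data): a known federation, an unrelated event,
# and a new federated domain added by an administrator account.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-09-20T08:01:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}},
     "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
         {"displayName": "AuthenticationType", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
    {"activityDateTime": "2024-09-20T08:05:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}},
     "targetResources": [{"displayName": "newhire@corp.example", "modifiedProperties": []}]},
    {"activityDateTime": "2024-09-21T02:17:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@corp.example"}},
     "targetResources": [{"displayName": "sso-login.example", "modifiedProperties": [
         {"displayName": "AuthenticationType", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
]

if __name__ == "__main__":
    for hit in find_unexpected_federation(SAMPLE_AUDIT_LOG, {"corp.example"}):
        print(f"{hit['time']} federation added for {hit['domain']} by {hit['actor']}")
```

In a live tenant the same logic can run over records pulled from the Microsoft Graph audit log API; any hit should be cross-checked against change management before the domain's federation trust is removed.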
These takeaways capture the essence of the meeting and provide a clear understanding of the current threat landscape and recent attack activities.