A Malicious Hacker Erases Stored Files and Disaster Recovery Copies Following Data Theft on Azure
In a chilling demonstration of modern cyber threats, a notorious threat actor known as Storm-0501 has carried out a ransomware attack on a large enterprise with multiple subsidiaries, each operating its own Active Directory domain in a hybrid cloud environment.
The attack, which took place in September 2024, marks an extension of Storm-0501's on-premises ransomware operations into hybrid cloud environments, as reported by Microsoft in September 2024. The specific company name has not been disclosed.
Storm-0501, a financially motivated group, abused the Azure Owner role to steal the access keys for Azure Storage accounts that had key access enabled. This allowed them to compromise the enterprise's Azure environment.
The group employed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. This enabled them to identify a non-human synced identity with the Global Administrator role in Microsoft Entra ID, which lacked any registered Multi-Factor Authentication (MFA) method.
Following successful authentication, Storm-0501 created a backdoor using a maliciously added federated domain, enabling them to sign in as almost any user. They then assigned themselves the Owner Azure role over all the Azure subscriptions available by invoking the Microsoft.Authorization/roleAssignments/write operation.
This gave Storm-0501 unrestricted access to the enterprise's Azure resources. The attackers then signed in to the organization's Azure portal through the compromised Global Administrator account, authenticating against Entra ID as that user with the newly set password and registering a new MFA method under their own control.
After gaining access to the Azure Storage accounts, Storm-0501 exfiltrated the data they contained to attacker-controlled infrastructure by abusing the AzCopy command-line tool (CLI). They had also reset the user's on-premises password, which the Entra Connect Sync service then synchronized to that user's cloud identity.
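A defender-side way to spot the two Azure control-plane actions named above, the Microsoft.Authorization/roleAssignments/write grant of Owner at subscription scope and the listing of storage account access keys that precedes AzCopy exfiltration, is to run a filter over Azure Activity Log exports. The Python below is an added example written for this article, not Microsoft's code or detection logic. The six events are constructed; the field names (operationName.value, caller, authorization.scope, properties.requestbody) follow the Activity Log export shape as assumed here, and the Owner and Reader role-definition GUIDs are the Azure built-in IDs as assumed here.

```python
"""Hunt Azure Activity Log exports for Storm-0501-style control-plane actions.

Added example; sample events are constructed and field names are assumptions.
"""
import json
import re
from collections import Counter

# Azure built-in role definition GUIDs (assumption: well-known IDs).
OWNER_ROLE_DEF_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
READER_ROLE_DEF_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

ROLE_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"
LIST_KEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"
BULK_KEY_LISTING_THRESHOLD = 2  # listKeys calls by one caller before escalation

# Matches "/subscriptions/<id>" with nothing below it (subscription-wide scope).
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SA = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/"


def _role_body(role_def_id):
    # Constructed request body in the shape Activity Log records it (assumption).
    return json.dumps({"Properties": {
        "RoleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + role_def_id,
        "PrincipalId": "11111111-1111-1111-1111-111111111111"}})


def _event(ts, caller, op, scope, status="Succeeded", body=None):
    ev = {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
          "status": {"value": status}, "authorization": {"scope": scope}}
    if body is not None:
        ev["properties"] = {"requestbody": body}
    return ev


# Constructed sample export: one Owner grant, one benign Reader grant,
# two key listings by the same synced identity, one unrelated VM op, one failure.
SAMPLE_EVENTS = json.dumps([
    _event("2024-09-10T08:01:12Z", "svc-sync@contoso.example", ROLE_WRITE_OP, SUB,
           body=_role_body(OWNER_ROLE_DEF_ID)),
    _event("2024-09-10T08:05:40Z", "ops@contoso.example", ROLE_WRITE_OP,
           SUB + "/resourceGroups/rg-web", body=_role_body(READER_ROLE_DEF_ID)),
    _event("2024-09-10T08:12:03Z", "svc-sync@contoso.example", LIST_KEYS_OP, SA + "stgfinance"),
    _event("2024-09-10T08:12:09Z", "svc-sync@contoso.example", LIST_KEYS_OP, SA + "stgbackups"),
    _event("2024-09-10T08:15:00Z", "ops@contoso.example",
           "Microsoft.Compute/virtualMachines/start/action", SUB + "/resourceGroups/rg-web"),
    _event("2024-09-10T08:16:30Z", "intern@contoso.example", LIST_KEYS_OP, SA + "stgfinance",
           status="Failed"),
])


def parse_events(raw):
    return json.loads(raw)


def is_subscription_scope(scope):
    return bool(SUBSCRIPTION_SCOPE.match(scope or ""))


def role_definition_id(event):
    """Return the trailing GUID of the assigned role, or None if unparseable."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        props = json.loads(body).get("Properties", {})
    except ValueError:
        return None
    rid = props.get("RoleDefinitionId", "")
    return rid.rsplit("/", 1)[-1].lower() or None


def classify_event(event):
    """Map one event to a finding dict, or None if it is not of interest."""
    if event.get("status", {}).get("value") != "Succeeded":
        return None
    op = event.get("operationName", {}).get("value", "")
    scope = event.get("authorization", {}).get("scope", "")
    finding = {"caller": event.get("caller", "<unknown>"), "scope": scope}
    if op == ROLE_WRITE_OP:
        if role_definition_id(event) == OWNER_ROLE_DEF_ID and is_subscription_scope(scope):
            return {**finding, "severity": "high",
                    "reason": "Owner role granted at subscription scope"}
        return {**finding, "severity": "low", "reason": "role assignment written"}
    if op == LIST_KEYS_OP:
        return {**finding, "severity": "medium", "reason": "storage account access keys listed"}
    return None


def hunt(raw):
    """Classify every event, then escalate callers that list keys for many accounts."""
    findings = [f for f in (classify_event(e) for e in parse_events(raw)) if f]
    listers = Counter(f["caller"] for f in findings
                      if f["reason"].startswith("storage account access keys"))
    for f in findings:
        n = listers[f["caller"]]
        if f["reason"].startswith("storage account access keys") and n >= BULK_KEY_LISTING_THRESHOLD:
            f["severity"] = "high"
            f["reason"] += f" ({n} accounts by the same caller)"
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['caller']:26} {f['reason']} @ {f['scope']}")
```

The escalation step matters more than either rule alone: a single listKeys call is routine for an application deployment, but one synced identity pulling keys for several accounts shortly after writing itself an Owner assignment is the sequence described in the attack. Storage accounts with shared-key access disabled never emit a usable key from this operation, which removes the path entirely.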
The tactics used by Storm-0501 were detailed in a blog published by Microsoft Threat Intelligence on August 27, 2021. The group's targeting is opportunistic and its victims include schools and healthcare organizations. In 2024, they were found to be using Embargo ransomware in their attacks.
Storm-0501 has shown a remarkable ability to adapt its tactics since its emergence in 2021. This latest attack serves as a stark reminder of the evolving nature of cyber threats and the importance of robust security measures in hybrid cloud environments.