
Hackers Erase Data and Copies from Azure Cloud Storage After Stealing Information

Cyberattack Storm-0501 migrates data theft to target's cloud system, aiming for swift exfiltration and hindering data recovery attempts by the victim


A ransomware attack on a large enterprise's Microsoft Azure environment has been attributed to the threat actor known as Storm-0501. The group's attacks, which have hit schools, healthcare organisations and other large enterprises, are opportunistic in nature.

Storm-0501 initially compromised the enterprise, which was composed of multiple subsidiaries, each operating its own Active Directory domain. The threat actor gained domain administrator privileges in the first tenant and deployed Evil-WinRM for lateral movement. This allowed them to pivot from on-premises to the cloud in both tenants.

The attacker identified a non-human synced identity that had been assigned the Global Administrator role in Microsoft Entra ID. Leveraging this, they compromised an Entra Connect Sync server for lateral movement and performed a DCSync attack to impersonate a domain controller. Because the account had no registered multi-factor authentication (MFA) method, they were able to reset its on-premises password, which the Entra Connect Sync service then legitimately synced to the user's cloud identity.

This let the threat actor authenticate to Entra ID as that user with the new password and register a new MFA method under their control. Microsoft found that Storm-0501 then assigned itself the Azure Owner role over all available Azure subscriptions by invoking the Microsoft.Authorization/roleAssignments/write operation.

In the subsequent stages, the attacker accessed the organisation's Azure portal via the compromised Global Administrator account. They initiated the mass deletion of the Azure resources holding the victim organisation's data, using multiple Azure resource providers. The group used native cloud features and capabilities to exfiltrate and transmit large amounts of data quickly: after exposing the Azure Storage accounts, the actor exfiltrated the data they contained to its own infrastructure by abusing the AzCopy command-line tool (CLI).

In its 2024 attacks, one of the ransomware payloads Storm-0501 deployed was Embargo ransomware. The group abused the Azure Owner role to steal the access keys of Azure Storage accounts that had key access enabled. It also created a backdoor by maliciously adding a federated domain, which let it sign in as almost any user.
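As an added illustration, not code from this article or from Microsoft, the following detector runs over constructed Azure activity-log records and flags the three control-plane operations the article names: an Owner role assignment at subscription scope via Microsoft.Authorization/roleAssignments/write, a storage account key listing (Microsoft.Storage/storageAccounts/listKeys/action), and a burst of resource deletions by a single caller. The record field names are simplified, and the sample caller and resource IDs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Azure Owner role definition id
def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def is_subscription_scope(resource_id):
    # True when the scope is a whole subscription (no resource group in the path)
    parts = resource_id.lower().split("/")
    return len(parts) > 2 and parts[1] == "subscriptions" and "resourcegroups" not in parts

def detect(records, delete_threshold=5, window=timedelta(minutes=10)):
    alerts, deletes = [], defaultdict(list)
    for rec in sorted(records, key=_ts):
        op, caller = rec["operationName"], rec["caller"]
        if (op == "Microsoft.Authorization/roleAssignments/write"
                and rec.get("roleDefinitionId", "").lower().endswith(OWNER_ROLE_ID)
                and is_subscription_scope(rec["resourceId"])):
            alerts.append(("owner_at_subscription", caller))
        elif op == "Microsoft.Storage/storageAccounts/listKeys/action":
            alerts.append(("storage_key_listed", caller))
        elif op.lower().endswith("/delete"):
            recent = deletes[caller]  # sliding window of this caller's delete operations
            recent.append(_ts(rec))
            while recent[0] < recent[-1] - window:
                recent.pop(0)
            if len(recent) == delete_threshold:  # fire once, when the burst crosses the threshold
                alerts.append(("mass_delete_burst", caller))
    return alerts

def rec(time, caller, op, resource_id, role_id=""):
    # Minimal stand-in for an Azure Activity Log record (field names assumed/simplified)
    return {"time": time, "caller": caller, "operationName": op,
            "resourceId": resource_id, "roleDefinitionId": role_id}

ATTACKER, SUB = "synced-svc@contoso.example", "/subscriptions/SUB-1"  # constructed values
SAMPLE_LOG = [  # constructed sample records, not real telemetry
    rec("2025-08-01T10:00:00Z", ATTACKER, "Microsoft.Authorization/roleAssignments/write",
        SUB + "/providers/Microsoft.Authorization/roleAssignments/ra-1",
        SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + OWNER_ROLE_ID),
    rec("2025-08-01T10:02:00Z", ATTACKER, "Microsoft.Storage/storageAccounts/listKeys/action",
        SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/st0"),
    rec("2025-08-01T10:20:00Z", "ops-admin@contoso.example", "Microsoft.Compute/disks/delete",
        SUB + "/resourceGroups/rg-test/providers/Microsoft.Compute/disks/scratch"),
] + [  # six storage-account deletions by the same caller inside one minute
    rec(f"2025-08-01T10:05:{10 * i:02d}Z", ATTACKER, "Microsoft.Storage/storageAccounts/delete",
        SUB + f"/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/st{i}")
    for i in range(6)
]
```

The single benign deletion by ops-admin stays below the threshold and produces no alert, while the attacker's sequence yields all three findings in time order.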

The attack involved destroying data and backups and encrypting data. The incident is a reminder of the importance of securing Azure environments, given the increasing trend of ransomware attacks targeting cloud infrastructure. The group is financially motivated and has adapted its tactics several times since its emergence in 2021; it first used ransomware tactics in an Azure environment in March 2023.
