Ransomware attackers hop from on-premises systems to cloud to compromise Microsoft 365 accounts
Storm-0501, an affiliate of several high-profile ransomware-as-a-service outfits, has been spotted compromising targets’ cloud environments and on-premises systems.
“Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises,” Microsoft shared last week.
Common tactics and techniques
Storm-0501 is a threat actor that has been active for over three years (at least), saddling target organizations with ransomware provided by the Hive, BlackHat, LockBit and Hunters International gangs. More recently, they’ve begun dropping the Embargo ransomware.
Storm-0501 attack chain (Source: Microsoft)
Most of the tactics and techniques they use are well-known and leveraged by various attackers:
- They achieve initial access by leveraging stolen credentials or n-day exploits against unpatched public-facing applications or devices (e.g., Zoho ManageEngine ServiceDesk Plus, Citrix NetScaler ADC and Gateway, etc.)
- They perform network reconnaissance to pinpoint high-value assets and general domain information like Domain Administrator users and domain forest trust via native Windows tools and commands and open source tools
- Thet deploy a number of remote monitoring and management tools (e.g., AnyDesk, NinjaOne, etc.)
- They engage in a concerted effort to compromise as many credentials they can, by using Impacket, gathering KeePass secrets from the compromised devices, and possibly via brute force
- They use Cobalt Strike (and compromised credentials) to “move” to additional endpoints and servers, including domain controllers
- They interfere with endpoint security solutions, use the Rclone tool to exfiltrate data, and they deploy the Embargo ransomware through scheduled tasks and Group Policy Object (GPO) policies.
Gaining access to cloud enviroments
But the group has also started to leverage Microsoft Entra ID (formerly Azure AD) credentials to access the target’s cloud environment.
They do it by compromising Microsoft Entra Connect Sync accounts (by pilfering it from the server’s disk or remote SQL server), or by hijacking an on-premises user account that has a respective user account in the cloud (i.e., Microsoft Entra ID).
“Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID,” Microsoft explained.
“We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).”
The second approach – hijacking a Domain Admin user account that has a respective user account in Microsoft Entra ID – is also possible.
“In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned with a Global Administrator role,” Microsoft’s threat analysts shared.
While the aforementioned sync service is unavailable for administrative accounts in Microsoft Entra, “if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. web browsers passwords store), then the pivot is possible.”
While MFA enabled on those accounts can stymie attackers, the possibility of compromise still exists, if the attacker can “tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.”
Once in, Storm-0501 used this access to create a persisting backdoor by creating a new federated domain in the tenant.
“Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant and their own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using the SAML token sign in to Office 365,” the threat analysts concluded, and provided mitigation and protection guidance, detenctions, hunting queries, and indicators of compromise.