The cybercriminal gang tracked as Storm-0501 is targeting hybrid cloud environments of US organizations in multiple sectors, Microsoft warns.

A financially motivated group relying on commodity and open source tools for ransomware deployments, Storm-0501 has been active since 2021, when it was using the Sabbath ransomware in attacks against US schools.

Since then, the threat actor has been operating as a ransomware-as-a-service (RaaS) affiliate, deploying the Alphv/BlackCat, Hive, Hunters International, LockBit, and Embargo ransomware families.

While the group’s attacks are opportunistic, Microsoft has observed Storm-0501 mounting a multi-stage assault to compromise the hybrid cloud environments of multiple US organizations in the government, law enforcement, manufacturing, and transportation sectors.

The threat actor moved laterally from the compromised organizations’ on-premises environment to their cloud, gaining persistent backdoor access, stealing credentials and data, and deploying ransomware.

“Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environments to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment,” Microsoft explains.

The threat actor obtained access to victims’ environments from access brokers, by either using compromised credentials or exploiting known vulnerabilities in Citrix NetScaler (CVE-2023-4966), Zoho ManageEngine (CVE-2022-47966), and Adobe ColdFusion (CVE-2023-29300 or CVE-2023-38203).

Following initial access and gaining remote code execution, the threat actor obtained administrative privileges to the targeted device or network, performed reconnaissance, and deployed remote monitoring and management tools (RMMs).

Leveraging the obtained admin privileges, the group also harvested credentials over the network to compromise additional devices and likely performed brute force attacks to gain access to several accounts.

Storm-0501 was seen deploying a Cobalt Strike beacon for lateral movement and compromising a Domain Admin to access the domain controller and deploy ransomware across all connected devices.

In a recent campaign, the threat actor was seen using Microsoft Entra ID credentials to move laterally from the on-premises to the cloud environment, where it created a new federated domain in the tenant, which provided it with persistent backdoor access.

In many instances, after gaining extensive control over the network, Storm-0501 deployed the Embargo ransomware across the victim organization’s network via a scheduled task.

Related: Threat Actors Target Accounting Software Used by Construction Contractors

Related: Researchers Discover Way to Attack SharePoint and OneDrive Files With Ransomware

Related: Shutterfly Employee Data Compromised in Ransomware Attack

Related: Data of Puma Employees Stolen in Kronos Ransomware Attack