A threat group that has been around since at least 2021 is targeting the hybrid cloud environments of government and commercial entities, stealing data and credentials, establishing persistent backdoor access, and deploying ransomware.
The Storm-0501 gang initially gains access to on-premises systems by exploiting a number of known vulnerabilities in Zoho’s ManageEngine suite of IT management software, Citrix’s NetScaler application delivery controller (ADC), or Adobe’s ColdFusion application server, according to Microsoft’s Threat Intelligence unit.
Once in the system, Storm-0501 moves laterally from the victim’s on-prem environment into the cloud. It’s a route that other bad actors, such as Octo Tempest and Manatee Tempest, have used, exploiting the interfaces between on-prem and cloud environments, the Microsoft researchers wrote in a report. It’s something enterprises need to guard against.
“Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments,” they wrote. “They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. … As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations.”
As organizations send more of their workloads and data to the cloud, the security threat grows. According to the Thales Group, 47% of all corporate data stored in the cloud is sensitive, while fewer than 10% of enterprises encrypt 80% or more of their cloud-stored sensitive data. In addition, the company noted that 31% of those surveyed in a Thales study about cloud security this year cited SaaS applications as a leading area of attack, followed by cloud storage (30%) and cloud management infrastructure (26%).
Recent studies by Thales and the Cloud Security Alliance (CSA) have found that the human factor – such as people falling for phishing and similar social engineering scams – is a key weakness in IT security.
Others are seeing the same trend toward hybrid cloud attacks.
“Given the complexity and scale of hybrid cloud environments, we are seeing attackers, including groups like Storm-0501, increasingly target these systems due to their larger attack surface and numerous potential entry points,” said Patrick Tiquet, vice president of security and architecture at Keeper Security. “Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them. Security teams should prioritize strengthening password policies by enforcing strong, unique credentials for every account and implementing multi-factor authentication across all systems.”
Storm-0501 was first seen in 2021 deploying the Sabbath ransomware in attacks on U.S. schools, leaking data in extortion plays, and at times directly messaging school staff and parents, according to Microsoft. The group evolved into a ransomware-as-a-service (RaaS) affiliate, delivering ransomware developed by other groups such as Hive, BlackCat – also known as ALPHV – Hunters International, LockBit and – in this most recent campaign – Embargo.
The group, which Microsoft described as financially motivated and adept at using commodity and open source tools in its ransomware attacks, also was detected targeting hospitals in the United States.
In this most recent campaign, the targets include government agencies and companies in such sectors as manufacturing, transportation, and law enforcement. After getting access to a victim’s system and gaining code execution, the bad actors use common native Windows tools and commands, as well as open source tools like OSQuery and, at times, an obfuscated version of ADRecon.ps1, to search for assets or general domain information. They then deploy remote monitoring and management (RMM) tools, like Level.io, AnyDesk, and NinjaOne, to maintain persistence.
Storm-0501 used administrative privileges on the compromised local device to reach additional accounts in the network through multiple means, in particular Impacket’s SecretsDump module, which extracts credentials over the network. Credentials harvested from one device were then used to compromise other devices on the network.
The hackers used Cobalt Strike to move laterally across the network using the stolen credentials, with that lateral movement ending “with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network,” the researchers wrote. They also “attempted to evade detection by tampering with security products in some of the devices they got hands-on-keyboard access to.”
That included using PowerShell cmdlets and existing binaries as well as distributed Group Policy Object policies.
“In their recent campaign, we noticed a shift in Storm-0501’s methods,” they wrote. “The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor.”
After getting global administrator access, they created a new federated domain in the tenant, establishing persistent backdoor access to be used later.
The attackers didn’t always deploy ransomware, but when they did, it was Embargo, a new malware written in the Rust programming language. The group behind Embargo lets affiliates like Storm-0501 use its platform to launch attacks in exchange for a share of any ransom paid.
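The federated-domain backdoor described above leaves a trail in the Microsoft Entra ID directory audit log: a domain is added and its authentication is switched to federation, typically shortly after the acting account was granted a privileged role. The following is an added detection example written for this article; it is not code from Microsoft’s report or from any product. It parses a constructed, simplified sample of audit records (shaped loosely after the Graph directoryAudits schema) and flags domain trust changes, marking those whose actor received Global Administrator within a configurable window. The set of operation names and the 24-hour correlation window are assumptions to be tuned against a real tenant’s logs.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Entra ID directory audit records as JSON lines.
# Field layout is a simplified imitation of the Graph directoryAudits schema;
# every account and domain name here is made up for the example.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2024-08-20T09:00:00Z", "activityDisplayName": "Set federation settings on domain", "initiatedBy": {"user": {"userPrincipalName": "idp-admin@corp.example"}}, "targetResources": [{"type": "Domain", "displayName": "corp.example"}]}
{"activityDateTime": "2024-09-20T10:00:00Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}}, "targetResources": [{"type": "Role", "displayName": "Global Administrator"}, {"type": "User", "userPrincipalName": "svc-sync@corp.example"}]}
{"activityDateTime": "2024-09-20T10:12:00Z", "activityDisplayName": "Add unverified domain", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@corp.example"}}, "targetResources": [{"type": "Domain", "displayName": "rogue-sso.example"}]}
{"activityDateTime": "2024-09-20T10:15:00Z", "activityDisplayName": "Set federation settings on domain", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@corp.example"}}, "targetResources": [{"type": "Domain", "displayName": "rogue-sso.example"}]}
{"activityDateTime": "2024-09-20T11:00:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "alice@corp.example"}]}
"""

# Audit activities that add a domain or change how it authenticates.
# Assumed list: confirm against the activity names your tenant actually emits.
DOMAIN_TRUST_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
    "Verify domain",
}
PRIVILEGED_ROLES = {"Global Administrator"}


def parse_audit_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Graph emits RFC 3339 with a trailing Z; make it explicit UTC.
        rec["_ts"] = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["_ts"])


def actor_of(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def find_domain_trust_changes(events, window=timedelta(hours=24)):
    """Flag domain trust changes; mark ones whose actor was just made a privileged admin."""
    role_grants = {}  # upn -> timestamps at which a privileged role was granted
    findings = []
    for rec in events:
        op = rec["activityDisplayName"]
        targets = rec.get("targetResources", [])
        if op == "Add member to role":
            roles = {t.get("displayName") for t in targets if t.get("type") == "Role"}
            if roles & PRIVILEGED_ROLES:
                for t in targets:
                    if t.get("type") == "User":
                        role_grants.setdefault(t["userPrincipalName"], []).append(rec["_ts"])
            continue
        if op not in DOMAIN_TRUST_OPS:
            continue
        actor = actor_of(rec)
        # Was this actor granted a privileged role within `window` before the change?
        recent_grant = any(
            timedelta(0) <= rec["_ts"] - granted <= window
            for granted in role_grants.get(actor, [])
        )
        domains = [t.get("displayName") for t in targets if t.get("type") == "Domain"]
        findings.append({
            "time": rec["activityDateTime"],
            "operation": op,
            "actor": actor,
            "domains": domains,
            "recent_privileged_grant": recent_grant,
            "severity": "high" if recent_grant else "review",
        })
    return findings


if __name__ == "__main__":
    for f in find_domain_trust_changes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f["severity"].upper(), f["time"], f["operation"], f["actor"], ",".join(f["domains"]))
```

Every domain trust change is worth a look, since even a legitimate federation change re-points where sign-in decisions are made; the correlation with a fresh Global Administrator grant is what separates routine identity-provider maintenance from the pattern Microsoft describes, and in a real deployment the same logic would run over the audit log export rather than the embedded sample.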
Stephen Kowski, Field CTO at SlashNext Email Security+, said Storm-0501’s campaign highlights the need for strong security measures across hybrid clouds.
“Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of internet-facing systems,” Kowski said. “Additionally, deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks.”