InfoSecBulletin Cybersecurity for mankind
Microsoft cybersecurity researchers found that the “Storm-0501” ransomware group is targeting hybrid cloud environments.
Storm-0501 Attacking Cloud Environments:
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
Storm-0501 is a ‘financially motivated’ threat group that has launched a sophisticated ‘multi-stage attack’ targeting “hybrid cloud environments” across various ‘U.S. sectors’ and ‘critical infrastructure.’
The group exploited vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016 to access on-premises systems.
Then for lateral movement and credential access, they used tools such as “Impacket’s SecretsDump” and “Cobalt Strike.”
The attackers pivoted from “on-premises” to “cloud environments” by compromising “Microsoft Entra Connect Sync” accounts, which allows them to manipulate the “Microsoft Entra ID” (formerly Azure AD) identities.
They used ‘Rclone’ disguised as ‘Windows binaries’ to exfiltrate data and deployed various ransomware types, including “Hive,” “BlackCat,” and “LockBit.”
The actions of Storm-0501 emphasize the increasing security risks in hybrid cloud environments, showing the need for strong protections in both on-premises and cloud systems.
This group targets “accounts with disabled MFA and Global Administrator roles.”
The attackers use various techniques to create persistent backdoors and here below:
Password synchronization exploitation
Cloud session hijacking
Leveraging the AADInternals PowerShell module
They can change managed domains to federated ones, alter SAML tokens, and skip MFA.
In some cases, the threat actors deploy “Embargo ransomware,” it’s a Rust-based strain that makes use of advanced encryption and it’s distributed via Group “Policy Objects (GPOs)” and “scheduled tasks.”
The ransomware encrypts files, changes the extensions to “.partial,” “.564ba1,” or “.embargo,” and employs double extortion tactics.
Mitigations:
Here below we have mentioned all the mitigations:-
Use the least privilege and audit privileged accounts.
Enable Conditional Access for device compliance and trusted IPs.
Restrict Entra ID sync accounts from untrusted IPs.
Use phishing-resistant authentication for critical apps.
Follow best practices for Active Directory Federation Services.
Refer to Azure AD security best practices.
Turn on Defender for Cloud Apps alerts.
Prevent bypassing Entra MFA when federated.
Block sign-ins to non-federated domains.
Enable Entra ID protection for risky sign-ins.
Use tamper protection to secure services.
Block unapproved IT tools with AppLocker.
Run EDR in block mode for extra protection.
Enable automated investigation in Defender.
Octo2: European Banks Already Under Attack by New Malware varient
