Storm-0501 has erased data and backups after stealing information from a victim’s Microsoft Azure environment in a new cloud-based ransomware attack. Microsoft Threat Intelligence recently detailed the tactics used by the actor tracked as Storm-0501 in a blog published on August 27.
Sherrod DeGrippo, director of Microsoft Threat Intelligence strategy, said: “This technique is likely to be adopted by other threat actors on a broader basis.”
Storm-0501 Pivots to the Cloud:
In a recent attack, Storm-0501 breached a large company with multiple branches, each managing its own Active Directory.
Post-compromise activity impacted two tenants, with the latter ultimately resulting in access to the organization’s valuable data stores that resided in Azure. In both tenants the attackers looked to pivot from on-premises to the cloud.
The attacker achieved domain administrator privileges in the first tenant and deployed the post-exploitation tool Evil-WinRM to facilitate lateral movement.
The threat actor also compromised an Entra Connect Sync server, which served as a pivot point for lateral movement.
Additionally, Storm-0501 performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts.
The Entra Connect Sync Directory Synchronization Account (DSA) was used to enumerate users, roles and Azure resources within the tenant.

Shortly after, Storm-0501 unsuccessfully attempted to sign in as several privileged users, likely blocked by conditional access policies and multifactor authentication (MFA).
The attacker found a non-human identity that held the Global Administrator role in Microsoft Entra ID. This account didn’t have MFA set up, allowing them to reset the account’s password on-premises, which was then synced to the cloud identity.
This allowed the threat actor to authenticate against Entra ID as that user via the new password, also registering a new MFA method under their control.
“From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud,” the researchers noted.
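As an added example (not code from the Microsoft report or this article): a defender-side check that joins the Microsoft Graph MFA registration report with user objects to flag privileged accounts matching the two preconditions described above, no MFA method registered and a password synced from on-premises AD. Field names follow the Graph userRegistrationDetails report and the user resource; the records, the tenant domain and the use of `isAdmin` as a proxy for the Global Administrator role are assumptions.

```python
"""Flag privileged Entra ID accounts exposed to the pattern described above:
an admin with no MFA registered whose password is synced from on-premises AD.
Input shapes follow the Microsoft Graph userRegistrationDetails report and the
/users resource, but the records are constructed sample data (assumption)."""
from typing import Dict, List, Tuple

# Constructed sample of GET /reports/authenticationMethods/userRegistrationDetails
REGISTRATION_DETAILS = [
    {"userPrincipalName": "svc-backup@contoso.example", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "alice@contoso.example", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
]

# Constructed sample of GET /users?$select=userPrincipalName,onPremisesSyncEnabled
USERS = [
    {"userPrincipalName": "svc-backup@contoso.example", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": False},
    {"userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True},
]


def find_exposed_admins(details: List[Dict], users: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (upn, reasons) for admin accounts matching the attack preconditions.

    no-mfa      : privileged account with no MFA method registered, so the first
                  sign-in with a new password can enrol an attacker-chosen method
    hybrid-sync : password synced from on-prem AD, so an on-prem reset becomes
                  a valid cloud credential
    """
    sync_by_upn = {u["userPrincipalName"].lower(): bool(u.get("onPremisesSyncEnabled"))
                   for u in users}
    findings = []
    for rec in details:
        if not rec.get("isAdmin"):
            continue  # only privileged accounts are in scope
        upn = rec["userPrincipalName"].lower()
        reasons = []
        if not rec.get("isMfaRegistered"):
            reasons.append("no-mfa")
        if sync_by_upn.get(upn):
            reasons.append("hybrid-sync")
        if reasons:
            findings.append((upn, reasons))
    return findings


if __name__ == "__main__":
    for upn, reasons in find_exposed_admins(REGISTRATION_DETAILS, USERS):
        print(f"{upn}: {', '.join(reasons)}")
```

Accounts reported with both reasons are the ones to move to cloud-only, MFA-enforced identities first.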
How to Defend Against Cloud-Based Ransomware Tactics:
Security teams can take several practical steps to guard against the tactics Storm-0501 used in this incident, including:
- Enable Azure blob backup to protect from accidental or malicious deletions of blobs or storage accounts
- Apply the principle of least privilege when authorizing access to blob data in Azure Storage
- Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes
- Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines
- Investigate on-premises and hybrid attack paths in Microsoft Security Exposure Management