Wednesday, September 17, 2025
Storm-0501 Deletes Data and Backups Post-Exfiltration on Azure in Hybrid Cloud Attacks

Storm-0501 has erased data and backups after stealing information from a victim’s Microsoft Azure environment in a new cloud-based ransomware attack. Microsoft Threat Intelligence recently detailed the tactics deployed by the actor tracked as Storm-0501 in a blog post published on August 27.

Sherrod DeGrippo, director of Microsoft threat intelligence strategy, said: “This technique is likely to be adopted by other threat actors on a broader basis.”

Storm-0501 Pivots to the Cloud:

In a recent attack, Storm-0501 breached a large company with multiple branches, each managing its own Active Directory.

Post-compromise activity impacted two tenants, the second of which ultimately gave the attackers access to the organization’s valuable data stores residing in Azure. In both tenants, the attackers sought to pivot from on-premises infrastructure to the cloud.

The attacker achieved domain administrator privileges in the first tenant and deployed the post-exploitation tool Evil-WinRM to facilitate lateral movement.

The threat actor also compromised an Entra Connect Sync server, which served as a pivot point for lateral movement.

Additionally, Storm-0501 performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts.

The Entra Connect Sync Directory Synchronization Account (DSA) was used to enumerate users, roles and Azure resources within the tenant.

Storm-0501’s attack chain across the on-premises and cloud tenants. Source: Microsoft

Shortly after, Storm-0501 unsuccessfully attempted to sign in as several privileged users, likely blocked by conditional access policies and multifactor authentication (MFA).

The attacker then found a non-human identity that held the Global Administrator role in Microsoft Entra ID. This account had no MFA registered, so the attacker reset its password on-premises, and the new password was synced to the cloud identity.

This allowed the threat actor to authenticate to Entra ID as that user with the new password and to register a new MFA method under their control.

“From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud,” the researchers noted.
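The weak spot described above is a privileged, on-premises-synced identity with no MFA, followed by a password reset and a fresh MFA registration. The script below is an added example, not code from the article or from Microsoft, showing how a defender can check a tenant for that posture and correlate the reset-then-register sequence in audit data. The identity and event records are constructed, the field and role names are simplified assumptions rather than the Microsoft Graph schema, and the six-hour correlation window is an arbitrary choice.

```python
"""Added example (not from the article or Microsoft): posture and audit-log checks for the
takeover path Storm-0501 used against a privileged Entra ID identity. Export format, field
names and role names are simplified assumptions, not the Microsoft Graph schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Roles treated as tenant-controlling for this check (assumed list; extend as needed).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}


@dataclass(frozen=True)
class Identity:
    upn: str
    roles: frozenset
    mfa_registered: bool        # at least one strong authentication method registered
    synced_from_onprem: bool    # password writes in on-prem AD flow to this cloud account


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    upn: str
    action: str                 # "PasswordReset", "MfaMethodRegistered" or "SignIn"


def privileged_mfa_gaps(identities):
    """Return (upn, finding) pairs for privileged identities exposed to the article's takeover path."""
    findings = []
    for ident in identities:
        if not (ident.roles & PRIVILEGED_ROLES):
            continue
        if not ident.mfa_registered:
            findings.append((ident.upn, "privileged role without MFA registered"))
        if ident.synced_from_onprem:
            findings.append((ident.upn, "privileged cloud role held by on-prem synced identity"))
    return findings


def takeover_sequences(events, identities, window=timedelta(hours=6)):
    """Flag privileged accounts where a password reset is followed by a new MFA method within `window`.

    This is the sequence the article describes: reset the synced password, sign in, register MFA.
    Returns (upn, reset_time, registration_time) tuples.
    """
    privileged = {i.upn for i in identities if i.roles & PRIVILEGED_ROLES}
    alerts = []
    for upn in sorted(privileged):
        mine = sorted((e for e in events if e.upn == upn), key=lambda e: e.when)
        resets = [e.when for e in mine if e.action == "PasswordReset"]
        registrations = [e.when for e in mine if e.action == "MfaMethodRegistered"]
        for reset_at in resets:
            for reg_at in registrations:
                if timedelta(0) <= reg_at - reset_at <= window:
                    alerts.append((upn, reset_at, reg_at))
    return alerts


def _t(stamp):
    """Readable ISO timestamps for the constructed events."""
    return datetime.fromisoformat(stamp)


# Constructed sample data: one hygienic admin, one non-privileged synced user and one
# non-human synced identity holding Global Administrator with no MFA (the article's case).
SAMPLE_IDENTITIES = [
    Identity("alice.admin@example.com", frozenset({"Global Administrator"}), True, False),
    Identity("bob@example.com", frozenset({"Helpdesk Administrator"}), False, True),
    Identity("svc-backup-sync@example.com", frozenset({"Global Administrator"}), False, True),
]

SAMPLE_EVENTS = [
    AuditEvent(_t("2025-09-09T09:00"), "alice.admin@example.com", "PasswordReset"),
    AuditEvent(_t("2025-09-12T09:00"), "alice.admin@example.com", "MfaMethodRegistered"),  # days later: routine
    AuditEvent(_t("2025-09-10T08:00"), "bob@example.com", "PasswordReset"),
    AuditEvent(_t("2025-09-10T08:10"), "bob@example.com", "MfaMethodRegistered"),          # not privileged
    AuditEvent(_t("2025-09-10T08:00"), "svc-backup-sync@example.com", "PasswordReset"),
    AuditEvent(_t("2025-09-10T08:20"), "svc-backup-sync@example.com", "SignIn"),
    AuditEvent(_t("2025-09-10T08:25"), "svc-backup-sync@example.com", "MfaMethodRegistered"),
]

if __name__ == "__main__":
    for upn, finding in privileged_mfa_gaps(SAMPLE_IDENTITIES):
        print(f"POSTURE  {upn}: {finding}")
    for upn, reset_at, reg_at in takeover_sequences(SAMPLE_EVENTS, SAMPLE_IDENTITIES):
        print(f"ALERT    {upn}: password reset {reset_at} then new MFA method {reg_at}")
```

Run on the constructed data, the posture check reports only the service identity, and the correlation fires only for it: the admin's MFA change is days after her reset, and the helpdesk user holds no tenant-controlling role. In a real tenant the identity list would come from a directory export and the events from sign-in and audit logs.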

How to Defend Against Cloud-Based Ransomware Tactics:

Practical steps security teams can take to guard against the tactics Storm-0501 used in this incident include:

  • Enable Azure blob backup to protect from accidental or malicious deletions of blobs or storage accounts
  • Apply the principle of least privilege when authorizing access to blob data in Azure Storage
  • Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes
  • Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines
  • Investigate on-premises and hybrid Microsoft Security Exposure Management attack paths
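To turn the first three steps above into something checkable, the script below, an added example that is not code from the article or from Microsoft, evaluates an exported inventory of storage accounts and Key Vaults: the soft-delete and versioning settings that blob backup relies on, destructive roles granted above container scope, and Key Vault audit logging with one-year retention. The inventory is constructed, the dictionary shapes only loosely follow ARM property names, the role list is assumed, and the 14-day soft-delete floor and the reading of "up to a year" as 365 days are the author's choices.

```python
"""Added example (not from the article or Microsoft): evaluate an exported inventory of Azure
Storage accounts and Key Vaults against the hardening steps above. Dictionary shapes loosely
follow ARM property names but are simplified assumptions; thresholds are the author's choices."""

SOFT_DELETE_MIN_DAYS = 14          # assumed floor for blob and container soft delete
KEY_VAULT_LOG_DAYS = 365           # "retain for up to a year" read as a one-year retention target
# Roles that can delete or overwrite blob data (assumed list of built-in role names).
DESTRUCTIVE_ROLES = {"Owner", "Contributor", "Storage Account Contributor",
                     "Storage Blob Data Owner", "Storage Blob Data Contributor"}


def _retention_ok(policy, min_days):
    return bool(policy.get("enabled")) and policy.get("days", 0) >= min_days


def check_storage_account(acct):
    """Return findings for one storage account: soft-delete/versioning posture and broad write access."""
    findings = []
    props = acct["blobServiceProperties"]
    if not _retention_ok(props.get("deleteRetentionPolicy", {}), SOFT_DELETE_MIN_DAYS):
        findings.append("blob soft delete disabled or retention below floor")
    if not _retention_ok(props.get("containerDeleteRetentionPolicy", {}), SOFT_DELETE_MIN_DAYS):
        findings.append("container soft delete disabled or retention below floor")
    if not props.get("isVersioningEnabled"):
        findings.append("blob versioning disabled")
    for ra in acct.get("roleAssignments", []):
        # Least privilege: destructive roles belong at container scope, not the account or above.
        if ra["role"] in DESTRUCTIVE_ROLES and "/containers/" not in ra["scope"]:
            findings.append(f"{ra['principal']} holds {ra['role']} above container scope")
    return findings


def check_key_vault(kv):
    """Return findings for one Key Vault: AuditEvent logging enabled with one-year retention."""
    audit = [entry for entry in kv.get("diagnosticLogs", []) if entry.get("category") == "AuditEvent"]
    if not audit or not audit[0].get("enabled"):
        return ["AuditEvent logging disabled"]
    days = audit[0].get("retentionDays", 0)
    if days < KEY_VAULT_LOG_DAYS:
        return [f"AuditEvent retention {days} days, below {KEY_VAULT_LOG_DAYS}"]
    return []


def run_audit(storage_accounts, key_vaults):
    """Map each resource name to its findings; an empty list means the resource passes."""
    report = {a["name"]: check_storage_account(a) for a in storage_accounts}
    report.update({k["name"]: check_key_vault(k) for k in key_vaults})
    return report


# Constructed inventory: one hardened pair and one pair configured the way a data wiper would prefer.
SAMPLE_STORAGE = [
    {"name": "stprodbackups",
     "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": True, "days": 30},
                               "containerDeleteRetentionPolicy": {"enabled": True, "days": 30},
                               "isVersioningEnabled": True},
     "roleAssignments": [{"principal": "backup-writer", "role": "Storage Blob Data Contributor",
                          "scope": "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers/"
                                   "Microsoft.Storage/storageAccounts/stprodbackups/"
                                   "blobServices/default/containers/backups"}]},
    {"name": "stlegacydata",
     "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": True, "days": 7},
                               "containerDeleteRetentionPolicy": {"enabled": False},
                               "isVersioningEnabled": False},
     "roleAssignments": [{"principal": "app-team-all", "role": "Contributor",
                          "scope": "/subscriptions/<sub-id>"}]},
]
SAMPLE_VAULTS = [
    {"name": "kv-prod", "diagnosticLogs": [{"category": "AuditEvent", "enabled": True, "retentionDays": 365}]},
    {"name": "kv-legacy", "diagnosticLogs": [{"category": "AuditEvent", "enabled": True, "retentionDays": 90}]},
]

if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_STORAGE, SAMPLE_VAULTS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The scope test is deliberately coarse: any destructive role whose assignment scope is not a container path is reported, which is the shape of finding that matters when an attacker holding Global Administrator can otherwise delete storage accounts outright. In practice the inventory would be produced from the Azure CLI or resource graph output and mapped into these simplified shapes.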
