Monday , July 13 2026
Storm-0501

Storm-0501 Deletes Data and Backups Post-Exfiltration on Azure in Hybrid Cloud Attacks

Storm-0501 has erased data and backups after stealing information from a victim’s Microsoft Azure environment in a new cloud based ransomware attack. Microsoft Threat Intelligence recently provided details of the tactics deployed by the actor tracked as Storm-0501 in a blog published on August 27.

Sherrod DeGrippo, director of Microsoft threat intelligence strategy told “This technique is likely to be adopted by other threat actors on a broader basis,”.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Storm-0501 Pivots to the Cloud:

In a recent attack, Storm-0501 breached a large company with multiple branches, each managing its own Active Directory.

Post compromise activity impacted two tenants, with the latter ultimately resulting in access to the organization’s valuable data stores that resided in Azure. The attackers looked to pivot from on-premises to the cloud in both the tenants.

The attacker achieved domain administrator privileges in the first tenant. It deployed the post-exploitation tool Evil-WinRM to facilitate lateral movement.

The threat actor also compromised an Entra Connect Sync server, which served as a pivot point for lateral movement.

Additionally, Storm-0501 performed a DCSync attack, a technique that abuses the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller. By impersonating a domain controller, the threat actor could request password hashes for any user in the domain, including privileged accounts.

The Entra Connect Sync Directory Synchronization Account (DSA) was used to enumerate users, roles and Azure resources within the tenant.

Storm-0501’s attack chain across the on-premise and cloud tenants. Source: Microsoft

Shortly after, Storm-0501 unsuccessfully attempted to sign in as several privileged users, likely blocked by conditional access policies and multifactor authentication (MFA).

The attacker found an identity that wasn’t human and had the Global Administrator role in Microsoft Entra ID. This account didn’t have MFA set up, allowing them to reset the user’s password on-premises, which was then synced to the cloud identity.

This allowed the threat actor to authenticate against Entra ID as that user via the new password, also registering a new MFA method under their control.

“From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain. The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud,” the researchers noted.

How to Defend Against Cloud-Based Ransomware Tactics:

These are practical steps for security teams to guard against the tactics used by Storm-0501 in this incident. These include:

  • Enable Azure blob backup to protect from accidental or malicious deletions of blobs or storage accounts
  • Apply the principle of least privilege when authorizing access to blob data in Azure Storage
  • Enable logs in Azure Key Vault and retain them for up to a year to enable recreation of activity trails for investigation purposes
  • Enable Microsoft Azure Backup for virtual machines to protect the data on your Microsoft Azure virtual machines
  • Investigate on-premises and hybrid Microsoft Security Exposure Management attack paths

Check Also

FortiGate

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the …