Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

Adversaries have caught on to the complexity that cybersecurity teams face in securing hybrid cloud environments — the latest of which is a particularly odious group tracked as "Storm-0501," a cash-grab operation that regularly targets the most vulnerable organizations, including schools, hospitals, and law enforcement across the US.

Storm-0501 has been around since 2021, according to a new report from Microsoft Threat Intelligence, operating as affiliates of a variety of ransomware-as-a-service (RaaS) strains including BlackCat/ALPHV, LockBit, and Embargo.

Notably, Microsoft has observed a shift in approach by the ransomware group. Once reliant on buying initial access from brokers, Storm-0501 has more recently found success exploiting hybrid cloud environments with weak passwords and overprivileged accounts. They first crack into the on-premises environment at a target, then pivot to burrow into the cloud, as seen in one campaign that successfully targeted Entra ID credentials.

Microsoft Entra Connect Credential Crack

The Microsoft team detailed a recent attack from Storm-0501 threat actors that used compromised credentials to access Microsoft Entra ID (formerly Azure AD). This on-premises Microsoft application is responsible for synching passwords and other sensitive data between objects in Active Directory and Entra ID, which essentially allows a user to sign in to both on-premises and cloud environments using the same credentials.

Once Storm-0501 was able to move laterally into the cloud, it was able to tamper with and exfiltrate data, set up persistent backdoor access, and deploy ransomware, the report warned.

"We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts," Microsoft reported. "Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear-text credentials and get an access token to Microsoft Graph."

From there, an attacker can freely change the Microsoft Entra ID passwords of any hybrid, synced account.

But that's not the only way these slippery cybercriminals have found to vault from a compromised Entra ID account into the cloud. The second strategy is more complicated, as Microsoft detailed, and relied on breaching a domain admin account with a correlating Entra ID that is designated with global admin permissions. Additionally, the account needs to have multifactor authentication (MFA) disabled for the attackers to be successful.

"It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case," Microsoft said. "However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. Web browsers' passwords store), then the pivot is possible."

Once it was in, Storm-0501 got busy setting up persistent backdoor access for later, working to achieve network control, and ensuring lateral movement to the cloud, Microsoft reported. Once that was done, they exfiltrated the files they wanted and deployed Embargo ransomware across the entire organization.

"In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named 'SysUpdate' that was registered via GPO on the devices in the network," according to the Microsoft report.

The two separate versions of attacks against Microsoft's Entra ID application demonstrate that cybercriminals of opportunity have focused in on hybrid cloud environments, and their big, fat attack surfaces, as easy wins.

Securing the Hybrid Cloud Against Storm-0501 Attacks

"As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations," Microsoft's Threat Intel team warned.

Enterprise cybersecurity teams can achieve this by continuing to move toward a zero-trust framework, according to a statement from Patrick Tiquet, vice president, security and architecture, at Keeper Security.

"This model restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors," Tiquet explained via email. "Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them."

Centralizing endpoint device management (EDM) is also "essential," he said. "Ensuring consistent security patching across all environments — whether cloud-based or on-premises — prevents attackers from exploiting known vulnerabilities."

Advanced monitoring will help teams spot potential threats across hybrid cloud environments before they can become a breach, he added.

Stephen Kowski, field CTO at SlashNext Security echoed many of the same recommendations in an emailed statement.

"This report highlights the critical need for robust security measures across hybrid cloud environments," Kowski said. "Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of Internet-facing systems."

In addition, he suggested shoring up security to protect against initial access attempts.

"Deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks," he added.