Full Report
After attaining domain admin on-prem, Storm-0501 evaded visibility gaps (checking Defender services), moved laterally with Evil-WinRM, and performed DCSync. They compromised Entra Connect Sync servers, used the Directory Synchronization Account (DSA) to enumerate identities/re...
Analysis Summary
# Threat Actor: Storm-0501
## Attribution & Identity
* **Identification:** Storm-0501
* **Aliases/Associations:** Not explicitly mentioned in the provided context, though linked to a specific campaign described as "Cloud-Based Ransomware."
## Activity Summary
Storm-0501 successfully transitioned from on-premises compromise to cloud environment exploitation, culminating in a ransomware-like impact. Initial access led to on-prem Domain Admin privileges. The actor then moved to the cloud by compromising Entra Connect Sync servers, leveraging the Directory Synchronization Account (DSA) to enumerate identities. They established cloud persistence by hijacking a Global Administrator account that lacked MFA (via password hash synchronization/reset and MFA registration), adding a malicious federated domain, and minting SAML tokens. This cloud access led to privilege escalation to User Access Administrator and subsequently mass assignment of Owner role across Azure subscriptions. The final impact involved discovery of critical resources, exfiltration of data, and destructive actions including mass deletion of backups, storage accounts, and encryption of remaining data via Key Vault manipulation, followed by extortion via Microsoft Teams.
## Tactics, Techniques & Procedures
* **Initial Foothold/On-Prem:** Attained Domain Admin privileges on-premises.
* **Defense Evasion (On-Prem):** Checked the state of Defender services to find and exploit gaps in endpoint visibility.
* **Lateral Movement:** Used Evil-WinRM for lateral movement.
* **Credential Access:** Performed DCSync.
* **Cloud Reconnaissance:** Used DSA account to enumerate identities/resources with AzureHound.
* **Cloud Persistence/Account Takeover:** Reset the on-prem password of a synced account so that Password Hash Synchronization (PHS) propagated the new credential to Entra ID, then registered MFA on the account and satisfied Conditional Access requirements.
* **Cloud Persistence/Domain Trust Hijack:** Established cloud persistence by adding a malicious federated domain using AADInternals.
* **Token Manipulation:** Minted SAML tokens to impersonate users.
* **Privilege Escalation (Cloud):** Invoked `Microsoft.Authorization/elevateAccess/action` using Global Admin privileges to gain User Access Administrator.
* **Privilege Escalation (Cloud):** Mass-assigned the Owner role across subscriptions.
* **Discovery (Cloud):** Focused discovery on critical stores and guardrails.
* **Defense Evasion/Exfiltration:** Exposed Azure Storage publicly, listed access keys, and bulk-exfiltrated data using AzCopy.
* **Impact/Destruction:** Mass deletion of snapshots, restore points, storage accounts, and backup containers. Removed resource locks & blob immutability. If deletion failed, performed encryption via Key Vault–backed encryption scopes, followed by key deletion.
* **Extortion:** Used a compromised user account on Microsoft Teams for extortion.
## Targeting
* **Sectors:** Not explicitly listed, but the focus on critical Azure infrastructure suggests organizations heavily reliant on Microsoft cloud services.
* **Geography:** Not specified.
* **Victims:** Organizations utilizing Azure Entra ID synchronization and possessing on-premises Active Directory environments.
## Tools & Infrastructure
* **Tools/Malware:** Evil-WinRM, AzureHound, AADInternals, AzCopy, Impacket.
* **Infrastructure:** Compromised Entra Connect Sync Servers.
## Implications
Storm-0501 demonstrates a sophisticated, hybrid-environment attack path moving from traditional on-premises compromise to deep, destructive cloud compromise. Their ability to leverage PHS and compromised Entra Connect Sync servers to satisfy modern Conditional Access policies and escalate privileges to Subscription Owner poses a significant threat to organizations using hybrid identity structures. The final destructive actions against backups and immutability settings indicate a high-impact ransomware or pure destruction objective.
## Mitigations
* Strict oversight and monitoring of the Directory Synchronization Account (DSA).
* Implement robust controls to prevent the addition of unauthorized federated domains using tools like AADInternals.
* Enable and enforce Multi-Factor Authentication (MFA) for all Global Administrator accounts, and prioritize MFA for high-privilege accounts regardless of PHS state or Conditional Access settings.
* Apply Resource Locks and Blob Immutability policies to critical storage and backup containers, and ensure Key Vault soft-delete is enabled to provide a recovery window against malicious key deletion.
* Monitor for unusual lateral movement using Evil-WinRM and DCSync post-initial compromise.
* Monitor for suspicious privilege escalations, specifically the use of `Microsoft.Authorization/elevateAccess/action` or mass Owner assignments across subscriptions.
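The last two mitigations are detection tasks over the Azure Activity Log. The following is an added example (not code from the original report, nor from Microsoft) that implements them as three hunting rules over constructed Activity Log records: any `Microsoft.Authorization/elevateAccess/action` call, any resource-lock deletion, and one caller granting the Owner role in several subscriptions within a short window. It assumes the records have already been flattened so that the role definition ID sits in `properties.roleDefinitionId` (in raw logs it is inside `properties.requestbody`); the callers, subscription IDs, timestamps and thresholds are hypothetical, and the only real identifier used is the built-in Owner role definition GUID.

```python
"""Hunt for the Azure control-plane actions named in the summary above, over
constructed Activity Log records (example code, not from the original report)."""
from collections import defaultdict
from datetime import datetime, timedelta

ELEVATE_ACCESS = "Microsoft.Authorization/elevateAccess/action"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
LOCK_DELETE = "Microsoft.Authorization/locks/delete"
# Built-in Owner role definition ID (identical in every Azure tenant).
OWNER_ROLE_DEF_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Constructed, non-Owner role ID used only for the benign sample below.
OTHER_ROLE_DEF_ID = "00000000-0000-0000-0000-000000000000"


def _ts(value):
    # Activity Log timestamps are ISO-8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_owner_assignment(record):
    # Assumption: roleDefinitionId was pre-extracted into properties; it is a
    # full ARM path, so compare only the trailing GUID.
    role = record.get("properties", {}).get("roleDefinitionId", "")
    return role.rsplit("/", 1)[-1].lower() == OWNER_ROLE_DEF_ID


def detect(records, window=timedelta(minutes=30), min_subscriptions=3):
    """Return (rule, caller) alerts in the order they are raised.

    elevate_access     any elevateAccess/action call (Global Admin -> User Access Admin)
    lock_removal       any deletion of a resource lock
    mass_owner_assign  one caller grants Owner in >= min_subscriptions subscriptions
                       within `window`
    """
    alerts = []
    owner_events = defaultdict(list)
    for r in records:
        op = r["operationName"]
        if op == ELEVATE_ACCESS:
            alerts.append(("elevate_access", r["caller"]))
        elif op == LOCK_DELETE:
            alerts.append(("lock_removal", r["caller"]))
        elif op == ROLE_ASSIGNMENT_WRITE and _is_owner_assignment(r):
            owner_events[r["caller"]].append((_ts(r["eventTimestamp"]), r["subscriptionId"]))

    for caller, events in owner_events.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so that events[start:end+1] all fall within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            subs = {sub for _, sub in events[start:end + 1]}
            if len(subs) >= min_subscriptions:
                alerts.append(("mass_owner_assign", caller))
                break
    return alerts


def _rec(op, caller, ts, sub, role_id=None):
    # Build one constructed, flattened Activity Log record.
    rec = {"operationName": op, "caller": caller, "eventTimestamp": ts, "subscriptionId": sub}
    if role_id:
        rec["properties"] = {"roleDefinitionId":
            f"/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{role_id}"}
    return rec


# Hypothetical callers and subscriptions; the sequence mirrors the TTPs above.
ATTACKER = "ga-user@contoso.example"
BENIGN = "ops-admin@contoso.example"
SAMPLE_RECORDS = [
    _rec(ELEVATE_ACCESS, ATTACKER, "2025-01-10T10:00:00Z", "sub-a"),
    _rec(ROLE_ASSIGNMENT_WRITE, ATTACKER, "2025-01-10T10:05:00Z", "sub-a", OWNER_ROLE_DEF_ID),
    _rec(ROLE_ASSIGNMENT_WRITE, ATTACKER, "2025-01-10T10:07:00Z", "sub-b", OWNER_ROLE_DEF_ID),
    _rec(ROLE_ASSIGNMENT_WRITE, ATTACKER, "2025-01-10T10:09:00Z", "sub-c", OWNER_ROLE_DEF_ID),
    _rec(LOCK_DELETE, ATTACKER, "2025-01-10T10:20:00Z", "sub-b"),
    # Benign: a single Owner grant in one subscription, and a non-Owner grant.
    _rec(ROLE_ASSIGNMENT_WRITE, BENIGN, "2025-01-10T09:00:00Z", "sub-a", OWNER_ROLE_DEF_ID),
    _rec(ROLE_ASSIGNMENT_WRITE, BENIGN, "2025-01-10T09:01:00Z", "sub-b", OTHER_ROLE_DEF_ID),
]

if __name__ == "__main__":
    for rule, caller in detect(SAMPLE_RECORDS):
        print(f"{rule}: {caller}")
```

The window and subscription thresholds are tuning knobs: a legitimate platform team may grant Owner across a few subscriptions during onboarding, so pair the `mass_owner_assign` rule with an allow-list of change-management identities rather than lowering the threshold, and treat `elevate_access` as a high-fidelity alert on its own, since the action is rarely needed and should always be ticketed.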