
RaaS group Storm-0501 targets hybrid cloud environments in the US


A ransomware-as-a-service (RaaS) group Microsoft tracks as Storm-0501 is launching attacks in which they compromise hybrid cloud environments and perform lateral movement from on-premises to cloud that leads to data exfiltration, credential theft, persistent backdoor access, and ransomware attacks.

In a Sept. 26 blog post, Microsoft Threat Intelligence said the RaaS group targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Microsoft said Storm-0501 operates as a financially motivated cybercrime group that uses commodity and open-source tools to conduct its attacks.

Active since 2021 when it first started attacking school districts, Storm-0501 evolved into a RaaS group that Microsoft said has deployed multiple ransomware payloads developed and maintained by many leading threat groups, including Hive, BlackCat/ALPHV, Hunters International, LockBit, and most recently, Embargo ransomware. Microsoft said the RaaS group was also recently observed attacking U.S. hospitals.

Here’s how Storm-0501 does its mischief: The researchers said the threat actor takes advantage of administrative privileges on the local devices it compromises during initial access and then tries to gain access to more accounts within the network through several methods. Storm-0501 primarily uses Impacket’s SecretsDump module, a legitimate Python script for extracting keys and password hashes, which the attackers use to pull credentials over the network and then run against a broad number of devices to harvest more credentials.

Itzik Alvas, co-founder and CEO of Entro Security, explained that by targeting non-human identities (NHIs) such as service accounts used by containers in cloud environments, Storm-0501 also leveraged Impacket's SecretsDump module to compromise additional NHIs. He added they use the compromised credentials to directly message staff of organizations that have fallen victim to their exploits.

“Storm-0501's lateral credential-based attacks are a wake-up call for organizations to ensure they have complete visibility and contextualization of the NHIs in their environment,” said Alvas. “It takes over 200 days on average to identify compromised credentials, according to IBM's 2024 Cost of a Data Breach Report, and another two months to contain them, so it’s critical to get ahead of this problem.”
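The credential extraction described above, in which SecretsDump pulls secrets from a domain controller over the network, shows up in Windows Security Event ID 4662 as a replication request by an account that should never replicate. The following script is an added detection example, not code from Microsoft's post or from any vendor quoted here; the log layout, account names and the sync-account name in the allowlist are constructed placeholders, and the replication-right GUIDs are the standard Active Directory ones.

```python
import re

# Access-right GUIDs that can appear in the 'Properties' field of Windows
# Security Event ID 4662; together they grant directory replication rights,
# which remote credential dumping against a domain controller requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Accounts expected to replicate: domain controller machine accounts and the
# hybrid identity sync account. These names are constructed placeholders; in a
# hybrid environment the real sync account must be added here or it will alert.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync_placeholder"}

# Constructed sample events in a simplified key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=4662|SubjectUserName=DC02$|ObjectType=domainDNS|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=svc-backup|ObjectType=domainDNS|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|ObjectType=user|Properties={00000000-0000-0000-0000-000000000000}",
    "EventID=4624|SubjectUserName=svc-backup|LogonType=3",
]


def parse_event(line):
    """Split one constructed 'k=v|k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def replication_rights(event):
    """Return the names of replication rights requested in a 4662 event."""
    if event.get("EventID") != "4662":
        return []
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def find_dcsync_alerts(lines, expected=EXPECTED_REPLICATORS):
    """Flag replication requests made by accounts that are not expected replicators."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        rights = replication_rights(event)
        user = event.get("SubjectUserName", "")
        if rights and user not in expected:
            alerts.append((user, rights))
    return alerts


if __name__ == "__main__":
    for user, rights in find_dcsync_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {user} requested {', '.join(rights)}")
```

Only the service account that is neither a domain controller nor the sync account produces an alert; the same check fed from a SIEM is a cheap way to shorten the detection window Alvas describes.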

Given the complexity and scale of hybrid cloud environments, we are seeing attackers such as Storm-0501 increasingly target these systems because of their larger attack surface and numerous potential entry points, said Patrick Tiquet, vice president, security and architecture for Keeper Security. Tiquet said for security teams, staying ahead of these threats requires a comprehensive, proactive approach.

Tiquet said teams should start with a zero-trust strategy because it restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors.

“Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them,” said Tiquet. “Security teams should prioritize strengthening password policies by enforcing strong, unique credentials for every account and implementing multi-factor authentication across all systems.”
