
Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments

📰 2 unique sources, 3 articles

Summary


Storm-0501, a financially motivated threat group, compromised hybrid cloud environments in a campaign against government, manufacturing, transportation, law enforcement, school, and healthcare organizations. The group used compromised credentials and overprivileged accounts to move between on-premises and cloud environments and monetized access through a ransomware affiliate scheme. Over its history Storm-0501 has deployed several ransomware-as-a-service (RaaS) strains, including Embargo, Hunters International, Hive, BlackCat/ALPHV, LockBit, and Sabbath.

Its current tradecraft runs end to end across the hybrid boundary. Initial access is bought from access brokers such as Storm-0249 and Storm-0900 or obtained by exploiting vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016. On-premises lateral movement and credential theft rely on Evil-WinRM and DCSync. The pivot into the cloud abuses weak credentials and visibility gaps: the group targets non-human identities that hold the Global Administrator role without MFA, escalates privilege in Entra ID, registers a threat actor-owned Entra ID tenant as a trusted federated domain to keep a persistent backdoor, exfiltrates data, and then mass-deletes Azure resources so the victim cannot recover without paying.

The campaign shows how hard it is to keep a consistent security posture across multicloud and hybrid-cloud estates: over 75% of companies use more than one cloud provider, and the seams between environments expose high-value assets. It underscores the need for unified security tooling and consistent policies to break the attack chain and restore visibility. Microsoft has changed Entra ID and Entra Connect to blunt these tactics and recommends enabling TPM on Entra Connect Sync servers.

Timeline

  1. 27.08.2025 22:04 📰 1 article

    Storm-0501 Exploits Entra ID for Advanced Cloud Attacks

    Storm-0501 has refined its tactics to use cloud-native capabilities for data exfiltration and extortion, targeting sectors including schools and healthcare. The group relies on access brokers for initial access and exploits vulnerabilities in widely deployed software. It uses Evil-WinRM and DCSync for lateral movement and credential extraction, then targets non-human identities that hold the Global Administrator role without MFA. To keep a backdoor, it registers a threat actor-owned Entra ID tenant as a trusted federated domain, and after exfiltration it mass-deletes Azure resources to prevent data recovery. Microsoft has updated Entra ID and Entra Connect to mitigate these tactics and recommends enabling TPM on Entra Connect Sync servers.

  2. 27.08.2025 19:00 📰 1 article

    Storm-0501 Evolves Tactics with Cloud-Based Ransomware

    Storm-0501 has evolved its tactics to exploit weak credentials for lateral movement from on-premises into cloud environments, achieving cloud-based ransomware impact through cloud privilege escalation and visibility gaps. In the described intrusion the victim was a large enterprise with multiple subsidiaries, each with a separate but interconnected Azure tenant. The group took over the cloud domain through a non-human identity assigned the Global Administrator role with no MFA. Microsoft has changed Entra ID to restrict the permissions of Directory Synchronization Accounts and recommends tamper protection, endpoint detection and response (EDR) products, and MFA for all users to prevent similar attacks.

  3. 18.08.2025 15:22 📰 1 article

    Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments

    Late last year, the threat group Storm-0501 compromised hybrid cloud environments in a campaign targeting the government, manufacturing, transportation, and law enforcement sectors. The group used compromised credentials and overprivileged accounts to move between cloud and on-premises environments, with the aim of generating revenue through a ransomware affiliate scheme. The attack highlights the difficulty of maintaining a consistent security posture across multicloud and hybrid-cloud environments: over 75% of companies use multiple cloud providers, exposing high-value assets at the seams between them. The incident underscores the need for unified security platforms and consistent policies to disrupt attack chains and improve visibility across environments.

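The three cloud-side steps the timeline entries above describe (a non-human identity granted a privileged directory role, a domain switched to federation with an actor-controlled tenant, and a burst of Azure resource deletions) each leave a distinct log trail. The following is an added example of detection logic over such records; it is not code from the original articles or from Microsoft. The input records are constructed here in a simplified shape modelled on Microsoft Entra audit log and Azure Activity Log entries (field names such as `operation`, `target_type` and `caller` are this example's assumption, not the real schema), so in practice the same checks would run over the exported logs after mapping the real field names.

```python
"""Detections for the Storm-0501 cloud tradecraft described above.

Added example, not code from the original page or from Microsoft.
Record shapes are constructed, simplified stand-ins for Entra audit log
and Azure Activity Log entries (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operations that create or modify the federation trust of a domain.
FEDERATION_OPS = {"Set domain authentication", "Set federation settings on domain"}
# Roles whose assignment to a workload identity should always be reviewed.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Hybrid Identity Administrator"}
DELETE_WINDOW = timedelta(minutes=10)
DELETE_THRESHOLD = 5


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_federation_changes(entra_audit):
    """Federation changes are rare in a healthy tenant; the backdoor needs one."""
    return [r for r in entra_audit if r["operation"] in FEDERATION_OPS]


def find_nonhuman_privileged_grants(entra_audit):
    """Privileged role assigned to a service principal (cannot satisfy MFA)."""
    return [r for r in entra_audit
            if r["operation"] == "Add member to role"
            and r.get("role") in PRIVILEGED_ROLES
            and r.get("target_type") == "servicePrincipal"]


def find_deletion_bursts(activity, window=DELETE_WINDOW, threshold=DELETE_THRESHOLD):
    """Per caller, the largest number of delete operations inside any sliding window."""
    by_caller = defaultdict(list)
    for r in activity:
        if r["operation"].lower().endswith("/delete"):
            by_caller[r["caller"]].append(_ts(r["time"]))
    bursts = {}
    for caller, times in by_caller.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[caller] = best
    return bursts


def run_detections(entra_audit, activity):
    return {"federation_changes": find_federation_changes(entra_audit),
            "nonhuman_privileged_grants": find_nonhuman_privileged_grants(entra_audit),
            "deletion_bursts": find_deletion_bursts(activity)}


# Constructed sample data (not real tenant logs).
ENTRA_AUDIT = [
    {"time": "2025-08-20T09:55:00Z", "operation": "Add member to role",
     "initiator": "admin@corp.example", "target": "automation-sp",
     "target_type": "servicePrincipal", "role": "Global Administrator"},
    {"time": "2025-08-20T10:00:00Z", "operation": "Set domain authentication",
     "initiator": "automation-sp", "target": "corp.example",
     "target_type": "domain", "detail": "Managed -> Federated"},
    {"time": "2025-08-20T10:01:00Z", "operation": "Add member to role",
     "initiator": "admin@corp.example", "target": "jdoe@corp.example",
     "target_type": "user", "role": "Global Administrator"},
    {"time": "2025-08-20T10:02:00Z", "operation": "Update user",
     "initiator": "admin@corp.example", "target": "jdoe@corp.example",
     "target_type": "user"},
]

_DELETE_OPS = ["Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Compute/disks/delete",
               "Microsoft.Storage/storageAccounts/delete",
               "Microsoft.RecoveryServices/vaults/delete",
               "Microsoft.Compute/snapshots/delete",
               "Microsoft.Compute/virtualMachines/delete"]
AZURE_ACTIVITY = [
    # one routine deletion hours earlier, outside the burst window
    {"time": "2025-08-20T08:00:00Z", "caller": "automation-sp",
     "operation": "Microsoft.Compute/virtualMachines/delete", "resource": "vm-old"},
    {"time": "2025-08-20T11:30:00Z", "caller": "ops@corp.example",
     "operation": "Microsoft.Compute/virtualMachines/write", "resource": "vm-02"},
] + [
    {"time": f"2025-08-20T11:4{i}:00Z", "caller": "automation-sp",
     "operation": op, "resource": f"res-{i}"}
    for i, op in enumerate(_DELETE_OPS)
]

if __name__ == "__main__":
    for name, hits in run_detections(ENTRA_AUDIT, AZURE_ACTIVITY).items():
        print(name, hits)
```

The thresholds are deliberately low so the constructed data trips them; tune `DELETE_WINDOW` and `DELETE_THRESHOLD` against a baseline of your own automation, and treat any federation change as a page-someone event regardless of volume.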

Similar Happenings

Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns

Threat actors are leveraging HTTP client tools such as Axios and Microsoft's Direct Send feature to run phishing campaigns against Microsoft 365 environments. These campaigns have shown a 70% success rate, bypassing traditional defenses and abusing authentication workflows. The attacks began in July 2025 and have targeted executives and managers in finance, healthcare, manufacturing, and other sectors, using compensation-themed lures that lead recipients to open malicious PDFs whose QR codes point to fake login pages. Separately, a phishing-as-a-service (PhaaS) kit called Salty2FA is being used to steal Microsoft credentials and bypass multi-factor authentication (MFA). Salty2FA offers subdomain rotation, dynamic corporate branding, and evasion tactics that improve its effectiveness and hinder detection. Its activity gained momentum in June 2025, with early traces possibly dating back to March or April 2025; the campaigns have been active since late July 2025 and continue to generate dozens of fresh analysis sessions daily. Salty2FA targets finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and other industries.

TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs

A new variant of a Tor-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attackers exploit exposed Docker instances to deploy XMRig miners and reconnaissance tools, using Base64-encoded payloads and Tor domains for anonymity. On each victim they start a fresh container with the host root filesystem mounted into it, which lets them manipulate the host and escape the container. From there they modify the host's SSH configuration and append an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to gain persistent, privileged backdoor access. They also write a base64-encoded cron job on the host that runs every minute and uses whatever firewall utility is available to block external access to the Docker API's port 2375, locking other attackers out of the instance they just took.

The malware installs curl and tor, launches a Tor daemon, and confirms connectivity by querying Amazon's checkip.amazonaws.com through a SOCKS5 proxy. It then downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host's utmp file to identify logged-in users, uses Masscan to find other hosts with port 2375 open, infects those exposed Docker APIs by creating new containers through them, and removes competitor containers after gaining access. It also carries inactive logic for exploiting Telnet (port 23) with default router credentials and for interacting with Chrome's remote debugging interface (port 9222). The source code includes an emoji, suggesting it may have been written with help from a large language model (LLM). Taken together, the behavior suggests an initial version of a complex botnet with lateral movement and persistence already built in and room to grow into credential theft and browser hijacking. The campaign underlines the importance of not exposing the Docker API and of segmenting networks so that an exposed daemon cannot be reached from the internet.
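The artifacts described above (an unauthenticated Docker API bound to all interfaces, a container that bind-mounts the host root, an every-minute cron job that walls off port 2375 or decodes a payload, and an unexpected key in root's authorized_keys) are exactly what a responder would sweep a fleet for. The following host audit is an added example, not code from the report or from the campaign; all of its inputs are constructed stand-ins for `docker inspect` output, /etc/docker/daemon.json, the root crontab and /root/.ssh/authorized_keys (the key blobs are placeholder strings, not real keys), and the assumption is a Linux host where these are the files such artifacts would land in.

```python
"""Host audit for the Docker-API cryptojacking artifacts described above.

Added example, not code from the original report. Every input below is a
constructed stand-in (assumption) for real host data; in practice feed in
`docker inspect`, daemon.json, `crontab -l` and authorized_keys contents.
"""
import base64
import json
import re

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def exposed_docker_api(daemon_cfg):
    """tcp listeners reachable beyond loopback with no TLS client auth."""
    findings = []
    for h in daemon_cfg.get("hosts", []):
        m = re.match(r"tcp://([^:]+):(\d+)", h)
        if m and m.group(1) not in LOOPBACK and not daemon_cfg.get("tlsverify", False):
            findings.append(h)
    return findings


def host_root_mounts(containers):
    """Containers that bind-mount the host root: the container-escape primitive."""
    hits = []
    for c in containers:
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == "/":
                hits.append((c["Name"], m.get("Destination")))
    return hits


def port_block_cron_lines(crontab):
    """Every-minute jobs that reference 2375 or decode a base64 payload."""
    hits = []
    for line in crontab.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        every_minute = s.startswith("* * * * *")
        suspicious = (re.search(r"\b2375\b", s)
                      or "base64 -d" in s or "base64 --decode" in s)
        if every_minute and suspicious:
            hits.append(s)
    return hits


def unknown_authorized_keys(authorized_keys, allowed):
    """Comments of key entries whose (type, blob) is not on the allow-list."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # options (from=, command=, ...) may precede the key type field
        for i, p in enumerate(parts):
            if p.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = parts[i + 1] if i + 1 < len(parts) else ""
                if (p, blob) not in allowed:
                    unknown.append(" ".join(parts[i + 2:]) or blob[:16])
                break
    return unknown


def run_audit(daemon_json, containers, crontab, authorized_keys, allowed):
    return {"exposed_api": exposed_docker_api(json.loads(daemon_json)),
            "host_root_mounts": host_root_mounts(containers),
            "port_block_cron": port_block_cron_lines(crontab),
            "unknown_ssh_keys": unknown_authorized_keys(authorized_keys, allowed)}


# Constructed sample inputs (not from a real host).
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
CONTAINERS = [
    {"Name": "/web", "Mounts": [{"Type": "volume", "Source": "web_data",
                                 "Destination": "/data"}]},
    {"Name": "/zealous_x", "Mounts": [{"Type": "bind", "Source": "/",
                                       "Destination": "/hostroot"}]},
]
# the encoded command is built here so the sample is self-describing
_PAYLOAD = base64.b64encode(b"iptables -I INPUT -p tcp --dport 2375 -j DROP").decode()
ROOT_CRONTAB = f"""# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * echo {_PAYLOAD} | base64 -d | sh
"""
AUTHORIZED_KEYS = """ssh-ed25519 PLACEHOLDER_BLOB_OPS ops@corp.example
ssh-rsa PLACEHOLDER_BLOB_UNKNOWN attacker
"""
ALLOWED_KEYS = {("ssh-ed25519", "PLACEHOLDER_BLOB_OPS")}

if __name__ == "__main__":
    for k, v in run_audit(DAEMON_JSON, CONTAINERS, ROOT_CRONTAB,
                          AUTHORIZED_KEYS, ALLOWED_KEYS).items():
        print(k, v)
```

The allow-list of SSH keys is the one input that has to come from configuration management rather than from the host being audited, since a compromised host will happily present the attacker's key as legitimate.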

Cloudflare mitigates 11.5 Tbps UDP flood DDoS attack

Cloudflare recently mitigated the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. It was a UDP flood lasting roughly 35 seconds, originating mainly from a combination of IoT devices and cloud providers, including Google Cloud; Google's abuse defenses detected the activity and the company followed its customer notification and response process. The attack was one of a series of hyper-volumetric attacks that Cloudflare has been automatically mitigating in recent weeks, the largest of which reached 5.1 Bpps and 11.5 Tbps. Cloudflare has seen a sharp rise in DDoS activity: a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024, with 21.3 million attacks mitigated against customers and 6.6 million against its own infrastructure during an 18-day multi-vector campaign that year, and network-layer attacks up 509% year-over-year since the start of 2025.

Traffic at this scale comes from botnets of malware-infected devices. The RapperBot kill chain, for example, targets network video recorders (NVRs) and other IoT devices: it exploits flaws in the NVRs for initial access, uses a path traversal bug to leak valid administrator credentials, pushes a fake firmware update to install the payload, and then holds an encrypted connection to a command-and-control domain to receive DDoS tasking, while scanning the internet for open ports to spread. The operators' broader method is to scan for aging edge devices and brute-force or exploit them to run the bot. Volumetric attacks aim to overwhelm servers or networks until they slow or stop entirely, but the 35-second duration here shows that size alone is not the most important metric; complexity, persistence, and user impact matter more for defense.

In a related event, a DDoS mitigation provider in Europe was hit by a 1.5 Bpps packet-rate flood, one of the largest publicly disclosed. The attack, primarily a UDP flood, came from thousands of compromised customer-premises equipment (CPE) devices including IoT devices and MikroTik routers across more than 11,000 unique networks worldwide. It was detected in real time and mitigated by FastNetMon using the customer's DDoS scrubbing facility. FastNetMon's founder, Pavel Odintsov, called for ISP-level intervention to stop the weaponization of compromised consumer hardware.

APT29 Watering Hole Campaign Targeting Microsoft Device Code Authentication

Amazon disrupted an APT29 watering hole campaign that targeted Microsoft device code authentication. APT29, a Russia-linked state-sponsored group, compromised legitimate websites and injected JavaScript that redirected a fraction of visitors to actor-controlled domains mimicking Cloudflare verification pages. The lure aimed to get victims to enter a legitimate device code into a Microsoft sign-in page, which would authorize an attacker-controlled device and grant access to the victim's Microsoft account and data. The operation used Base64 encoding to conceal the injected code, set cookies to avoid redirecting the same visitor twice, and shifted to new infrastructure when blocked; after Amazon's intervention the actor registered additional domains and continued. The campaign marks a shift in APT29's approach away from domains impersonating AWS and away from social engineering designed to bypass multi-factor authentication (MFA) directly, toward abusing a legitimate authentication flow instead.

Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials in Supply Chain Attack

A supply chain attack on the nx build system compromised multiple npm packages and exfiltrated 2,349 GitHub, cloud, and AI credentials. The root cause, per the nx maintainers, was a vulnerable GitHub Actions workflow added on August 21, 2025, that allowed executable code to be injected through a pull request title. The attackers used the workflow's GITHUB_TOKEN to trigger the publish workflow and exfiltrate the npm token, then published malicious versions of the nx package and supporting plugins on August 26, 2025. The malicious postinstall script ran on Linux and macOS, scanned the file system for text files and credentials, used locally installed AI-powered CLI tools to hunt for high-value secrets, and uploaded the results to publicly accessible repositories it created in the victims' own GitHub accounts. It also modified .zshrc and .bashrc so that the machine shut down as soon as the user opened a terminal. The whole operation took roughly four hours from start to finish.

Reported impact figures vary by source and by wave: one count cites 2,180 accounts and 7,200 repositories, another over 1,346 repositories, and another over 1,000 developers and around 20,000 sensitive files. Wiz identified a second wave affecting more than 190 users and organizations and over 3,000 repositories, in which the attackers made private repositories public and forked them to preserve the data. GitGuardian found that 33% of compromised systems had at least one LLM client installed and 85% were running Apple macOS. The attack was detected by multiple security vendors; the malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025, and GitHub had disabled all of the s1ngularity-repository instances by 9 a.m. UTC the same day. The nx maintainers rotated npm and GitHub tokens, audited activity, and now require two-factor authentication for publish access. Around 90% of the leaked GitHub tokens remained active as of August 28, 2025.