Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments
Summary
In late 2024, the threat group Storm-0501 compromised hybrid cloud environments across multiple sectors, including government, manufacturing, transportation, law enforcement, schools, and healthcare. The group has been active since 2021, utilizing various ransomware-as-a-service (RaaS) strains. Storm-0501 exploited compromised credentials and overprivileged accounts to move laterally between cloud and on-premises environments, aiming to generate revenue through a ransomware affiliate scheme. This campaign highlights the challenges in maintaining consistent security postures across multicloud and hybrid-cloud environments. The attack underscores the need for unified security platforms and consistent policies to disrupt attack chains. Organizations struggle with managing multiple cloud environments due to inconsistent identity and access controls, tool sprawl, and the complexity of multicloud security architectures. The campaign also reveals the importance of gaining visibility into cloud events and establishing a strong security culture to manage multicloud environments effectively. Storm-0501's tactics include cloud-based ransomware attacks that exploit native capabilities of victim environments, compromising devices not connected to Microsoft Defender and gaining domain administrator privileges. The group used Azure tools to map relationships and permissions, targeting a second tenant by leveraging a non-human identity assigned to a Global Administrator role with no MFA. Storm-0501 has refined its tactics to conduct data exfiltration and extortion attacks, leveraging cloud-native capabilities to exfiltrate large volumes of data, destroy data and backups, and demand ransom without relying on traditional malware deployment.
Timeline
- 27.08.2025 19:00 · 2 articles · 1mo ago
Storm-0501 Evolves Tactics with Cloud-Based Ransomware Attacks
Storm-0501 has refined its tactics to conduct data exfiltration and extortion attacks targeting cloud environments. The group leverages cloud-native capabilities to exfiltrate large volumes of data, destroy data and backups, and demand ransom without relying on traditional malware deployment. The latest wave of attacks is opportunistic and not sector-specific, affecting multiple organizations including schools and healthcare. Storm-0501 has exploited known remote code execution vulnerabilities in unpatched, internet-facing servers, including products like Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016. The group conducted reconnaissance, moved laterally across the network using Evil-WinRM, and performed a DCSync attack to extract credentials from Active Directory. Storm-0501 then targeted a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain, identifying a non-human synced identity that held a Global Admin role in Microsoft Entra ID without MFA protection. The group reset that identity's on-premises password, which the Entra Connect Sync service then synchronized to the corresponding cloud identity. Storm-0501 accessed the Azure Portal, registered a threat actor-owned Entra ID tenant as a trusted federated domain to create a backdoor, and elevated its access to critical Azure resources. The group then initiated the mass deletion of Azure resources containing the victim organization's data to prevent remediation and mitigation. Microsoft has enacted changes in Microsoft Entra ID to prevent abuse of Directory Synchronization Accounts for privilege escalation and released updates to Microsoft Entra Connect that support Modern Authentication. Microsoft also recommends enabling Trusted Platform Module (TPM) on the Entra Connect Sync server to mitigate Storm-0501's credential extraction techniques.
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
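As an added example (not code from the original page, from Microsoft, or from the cited articles), the following Python sketches how a defender might detect the three stages of the chain summarized above from normalized logs: a password change landing on a synced identity that holds Global Admin, a domain the tenant does not own being added and switched to federated authentication, and a burst of Azure resource deletions by the same identity. The record schema, the activity names, the `sync_`-style actor name, the inventory sets and the sample records are all constructed assumptions for illustration, not real log formats or data; the sliding-window burst detector is generic and works for any delete-like operation, not only the storage-account deletes in the sample.

```python
"""Detection logic for the hybrid-identity attack chain described above.

Added example, not code from the original page or from Microsoft. It runs
over a constructed, normalised log sample; the record schema (ts, actor,
activity, target, source) and the activity names are assumptions chosen to
resemble Entra ID audit logs and the Azure Activity Log, not their exact
formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: password set on a synced identity that holds Global Admin in the cloud.
# Entra Connect writes password hash sync as its own sync account, so an
# on-premises reset of such an account surfaces in the cloud as this activity.
PASSWORD_ACTIVITIES = {"Change user password", "Reset user password"}
# Stage 2: a new domain registered and switched to federated authentication.
FEDERATION_ACTIVITIES = {"Add unverified domain", "Verify domain",
                         "Set domain authentication",
                         "Set federation settings on domain"}

# Constructed inventory (assumption): synced accounts that hold Global Admin,
# and the tenant's legitimate domains. In practice these come from directory exports.
PRIVILEGED_SYNCED = {"svc-backup@contoso.example"}
KNOWN_DOMAINS = {"contoso.example", "contoso.onmicrosoft.example"}

# Constructed sample log, ordered by time. All names are fictitious.
SAMPLE_LOG = [
    {"ts": "2025-08-20T01:02:00Z", "actor": "sync_srv01_a1b2c3@contoso.example",
     "activity": "Change user password", "target": "svc-backup@contoso.example",
     "source": "entra_audit"},
    {"ts": "2025-08-20T01:10:00Z", "actor": "svc-backup@contoso.example",
     "activity": "Add unverified domain", "target": "attacker-owned.example",
     "source": "entra_audit"},
    {"ts": "2025-08-20T01:12:00Z", "actor": "svc-backup@contoso.example",
     "activity": "Set domain authentication", "target": "attacker-owned.example",
     "source": "entra_audit"},
] + [
    {"ts": f"2025-08-20T02:{m:02d}:00Z", "actor": "svc-backup@contoso.example",
     "activity": "Microsoft.Storage/storageAccounts/delete",
     "target": f"rg-prod/stprod0{m}", "source": "azure_activity"}
    for m in range(6)  # six deletions in six minutes
] + [
    # Benign noise: a self-service password change and a single dev VM cleanup.
    {"ts": "2025-08-20T09:00:00Z", "actor": "alice@contoso.example",
     "activity": "Change user password", "target": "alice@contoso.example",
     "source": "entra_audit"},
    {"ts": "2025-08-20T09:05:00Z", "actor": "bob@contoso.example",
     "activity": "Microsoft.Compute/virtualMachines/delete",
     "target": "rg-dev/vm-test", "source": "azure_activity"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def privileged_password_changes(records, privileged_synced):
    """Password changes whose target is a synced account with cloud admin rights."""
    return [r for r in records
            if r["source"] == "entra_audit"
            and r["activity"] in PASSWORD_ACTIVITIES
            and r["target"].lower() in privileged_synced]


def unexpected_federation_changes(records, known_domains):
    """Domain add/verify/federation changes on domains the tenant does not own."""
    return [r for r in records
            if r["activity"] in FEDERATION_ACTIVITIES
            and r["target"].lower() not in known_domains]


def deletion_bursts(records, threshold=5, window=timedelta(minutes=15)):
    """Actors with at least `threshold` Azure delete operations inside `window`.

    Sliding window over each actor's sorted delete timestamps; returns the
    largest burst size for every actor that crossed the threshold.
    """
    per_actor = defaultdict(list)
    for r in records:
        if r["source"] == "azure_activity" and r["activity"].lower().endswith("/delete"):
            per_actor[r["actor"]].append(parse_ts(r["ts"]))
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        start, largest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            largest = max(largest, end - start + 1)
        if largest >= threshold:
            bursts[actor] = largest
    return bursts


def correlate_chain(records, privileged_synced, known_domains):
    """Map each identity to the chain stages it appears in.

    The password-change finding is keyed on the *target* account (the identity
    being taken over); federation changes and deletion bursts are keyed on the
    *actor*, so all three stages line up on the same identity.
    """
    stages = defaultdict(set)
    for r in privileged_password_changes(records, privileged_synced):
        stages[r["target"]].add("password-reset-synced-admin")
    for r in unexpected_federation_changes(records, known_domains):
        stages[r["actor"]].add("federated-domain-added")
    for actor, size in deletion_bursts(records).items():
        stages[actor].add(f"mass-delete:{size}")
    return dict(stages)


if __name__ == "__main__":
    for identity, hits in correlate_chain(SAMPLE_LOG, PRIVILEGED_SYNCED, KNOWN_DOMAINS).items():
        print(identity, sorted(hits))
```

Any single stage is worth an alert on its own (a federation change on an unknown domain almost never has a benign explanation); the correlation step matters because the first stage is keyed on the account whose password changed, not on the sync account that wrote it, so the later cloud activity attributes back to the identity that was taken over.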
- 18.08.2025 15:22 · 3 articles · 1mo ago
Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
Information Snippets
- Storm-0501 targeted hybrid cloud environments in government, manufacturing, transportation, and law enforcement sectors.
  First reported: 18.08.2025 15:22 · 2 sources, 3 articles
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The group exploited compromised credentials and overprivileged accounts to move laterally between cloud and on-premises environments.
  First reported: 18.08.2025 15:22 · 2 sources, 3 articles
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The campaign aimed to generate revenue through a ransomware affiliate scheme.
  First reported: 18.08.2025 15:22 · 2 sources, 3 articles
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- More than three-quarters of companies use two or more cloud providers, with over half exposing at least one high-value asset to an attack path.
  First reported: 18.08.2025 15:22 · 1 source, 1 article
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- 92% of companies report managing too many standalone security tools, leading to alert overload and siloed security.
  First reported: 18.08.2025 15:22 · 1 source, 1 article
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Proper logging is crucial for automated incident detection, response, and remediation in multicloud environments.
  First reported: 18.08.2025 15:22 · 1 source, 1 article
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Cloud Security Posture Management (CSPM) and Cloud-Native Application Protection Platforms (CNAPP) are essential for gaining visibility into multicloud security postures.
  First reported: 18.08.2025 15:22 · 1 source, 1 article
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Identity and access management is a critical step in securing multicloud environments.
  First reported: 18.08.2025 15:22 · 1 source, 1 article
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- AI is being used to correlate telemetry across cloud platforms, identify attack patterns, and prioritize response efforts.
  First reported: 18.08.2025 15:22 · 1 source, 1 article
- Defending Against Cloud Threats Across Multicloud Environments — www.darkreading.com — 18.08.2025 15:22
- Storm-0501 has been active since 2021 and has utilized various ransomware-as-a-service (RaaS) strains, including Embargo, Hunters International, Hive, BlackCat/ALPHV, and LockBit.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 has evolved its tactics to include cloud-based ransomware attacks that exploit native capabilities of victim environments.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The group compromised a large enterprise with multiple subsidiaries, each maintaining separate but interconnected Microsoft Azure cloud tenants.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 exploited protection and visibility gaps across the compromised environment, pivoting from on-premises to cloud environments.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The attack involved compromising devices not connected to Microsoft Defender and gaining domain administrator privileges.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 used AzureHound to map out relationships and permissions in the Azure environment.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The group targeted a second tenant by leveraging a non-human identity assigned to a Global Administrator role with no MFA.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 established a backdoor and performed cloud-based encryption using a new Azure Key Vault and customer-managed key.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The attacker contacted the victim via Microsoft Teams using a compromised user to demand a ransom.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Microsoft implemented changes in Microsoft Entra ID to restrict permissions on Directory Synchronization Accounts to prevent similar privilege escalations.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 has refined its tactics to conduct data exfiltration and extortion attacks targeting cloud environments.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 leverages cloud-native capabilities to exfiltrate large volumes of data, destroy data and backups, and demand ransom without relying on traditional malware deployment.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- The latest wave of attacks by Storm-0501 is opportunistic and not sector-specific, affecting multiple organizations including schools and healthcare.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 has exploited known remote code execution vulnerabilities in unpatched, internet-facing servers, including products like Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 conducted reconnaissance, moved laterally across the network using Evil-WinRM, and performed a DCSync attack to extract credentials from Active Directory.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 targeted a second Entra Connect server associated with a different Entra ID tenant and Active Directory domain.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 identified a non-human synced identity with a Global Admin role in Microsoft Entra ID lacking MFA protections.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 reset that identity's on-premises password, which the Entra Connect Sync service then synchronized to the corresponding cloud identity.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 accessed the Azure Portal, registered a threat actor-owned Entra ID tenant as a trusted federated domain to create a backdoor, and elevated access to critical Azure resources.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Storm-0501 initiated the mass deletion of Azure resources containing the victim organization's data to prevent remediation and mitigation actions.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Microsoft has enacted changes in Microsoft Entra ID to prevent abuse of Directory Synchronization Accounts for privilege escalation.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Microsoft released updates to Microsoft Entra Connect (version 2.5.3.0) to support Modern Authentication for enhanced security.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
- Microsoft recommends enabling Trusted Platform Module (TPM) on the Entra Connect Sync server to mitigate Storm-0501's credential extraction techniques.
  First reported: 27.08.2025 22:04 · 1 source, 1 article
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks — thehackernews.com — 27.08.2025 22:04
Similar Happenings
ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS Attacks
The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website.
SonicWall MySonicWall Breach Exposes Firewall Configuration Files
SonicWall has released a firmware update to remove rootkit malware from SMA 100 series devices, following a breach that exposed firewall configuration backup files. In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts, resulting in the exposure of firewall configuration backup files for less than 5% of its customers. The breach, caused by a series of brute-force attacks, could facilitate easier exploitation of SonicWall firewalls by threat actors, since the exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off attackers' access and is collaborating with cybersecurity and law enforcement agencies. SonicWall confirmed that attackers accessed the API service for cloud backup; there is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.
The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.
Misconfigured Docker APIs Exploited in TOR-Based Cryptojacking Campaign
A new variant of a TOR-based cryptojacking campaign targets exposed Docker APIs. The attack involves executing a new container based on the Alpine Docker image and mounting the host file system. The attackers then run a Base64-encoded payload to download a shell script downloader from a .onion domain. The script installs tools for reconnaissance and communication with a command-and-control (C2) server. The campaign may aim to establish a complex botnet. The attack chain includes exploiting additional ports (23, 9222) and using known default credentials for brute-forcing logins. The malware scans for open Docker API services at port 2375 and propagates the infection to those machines. The attackers block external access to port 2375 using available firewall utilities and install persistent SSH access. The malware includes dormant logic for future expansion opportunities for credential theft, browser session hijacking, remote file download, and distributed denial-of-service (DDoS) attacks. The campaign highlights the importance of securing Docker APIs and limiting exposure of services to the internet.
Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025
The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, most heavily targeting the manufacturing and technology sectors and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.
The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as well as hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use.
Emergence of AI-Powered Ransomware Strain PromptLock
A new AI-powered ransomware strain, named PromptLock, has been identified by ESET researchers. The ransomware leverages an AI model to generate Lua scripts on the fly, complicating detection and defense. PromptLock is not yet active in the wild but is nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities. The ransomware was uploaded to VirusTotal from the United States and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The development of AI-driven ransomware presents new challenges for cybersecurity defenders. The ransomware strain was discovered by Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after detecting samples on VirusTotal. The use of AI in ransomware introduces variability in indicators of compromise (IoCs), making detection more difficult. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom notes based on the files affected and the type of infected machine. The attacker can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model.