Storm-0501 Ransomware Campaign Targets Multicloud Environments
Summary
In late 2024, the threat group Storm-0501 compromised hybrid cloud environments across multiple sectors, including government, manufacturing, transportation, law enforcement, schools, and healthcare. The group exploited compromised credentials and overprivileged accounts to move between cloud and on-premise environments, aiming to generate revenue through a ransomware affiliate scheme. The campaign highlights the challenges organizations face in maintaining consistent security postures across multicloud environments. Over 75% of companies use two or more cloud providers, and many expose high-value assets to potential attacks due to inconsistent identity and access controls. The incident underscores the need for unified security platforms and consistent policies to disrupt attack chains and improve visibility across multicloud environments. In August 2025, Microsoft detailed a recent attack where Storm-0501 employed cloud-based ransomware tactics, exploiting cloud privilege escalation and visibility gaps. The attack targeted a large enterprise with multiple subsidiaries, each with separate but interconnected Microsoft Azure cloud tenants, demonstrating the group's evolving tactics and the need for robust security measures. Storm-0501 has been observed exploiting Entra ID to exfiltrate and delete Azure data in hybrid cloud attacks, using cloud-native capabilities to exfiltrate data, destroy backups, and demand ransom without deploying traditional malware.
Timeline
- 18.08.2025 15:22 · 3 articles
  Storm-0501 Ransomware Campaign Targets Multicloud Environments
  Storm-0501 has been observed exploiting Entra ID to exfiltrate and delete Azure data in hybrid cloud attacks. The group uses cloud-native capabilities to exfiltrate data, destroy backups, and demand ransom without deploying traditional malware. Storm-0501 targets multiple sectors, including schools and healthcare, in opportunistic attacks. The group leverages access brokers for initial access and exploits known vulnerabilities in various software. The attack involves lateral movement using Evil-WinRM and DCSync Attack to extract credentials from Active Directory. Storm-0501 targets non-human identities with Global Administrator roles lacking MFA for privilege escalation. Microsoft has implemented changes to Entra ID and released updates to Entra Connect to enhance security and mitigate similar attacks. The company recommends enabling Trusted Platform Module (TPM) on Entra Connect Sync server to secure credentials and cryptographic keys.
  Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
Information Snippets
- Storm-0501 targeted hybrid cloud environments in government, manufacturing, transportation, and law enforcement sectors.
  First reported: 18.08.2025 15:22 · 2 sources, 3 articles. Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- The threat actor exploited compromised credentials and overprivileged accounts to move between cloud and on-premises environments.
  First reported: 18.08.2025 15:22 · 2 sources, 3 articles. Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Over 75% of companies use two or more cloud providers, increasing the complexity of maintaining consistent security postures.
  First reported: 18.08.2025 15:22 · 1 source, 2 articles. Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
- Many organizations expose high-value assets to potential attacks due to inconsistent identity and access controls.
  First reported: 18.08.2025 15:22 · 1 source, 2 articles. Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
- The campaign highlights the need for unified security platforms and consistent policies to disrupt attack chains.
  First reported: 18.08.2025 15:22 · 1 source, 2 articles. Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
- The incident underscores the challenges in gaining visibility across multicloud environments.
  First reported: 18.08.2025 15:22 · 1 source, 2 articles. Sources:
  - Defending Against Cloud Threats Across Multicloud Environments · www.darkreading.com · 18.08.2025 15:22
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
- Storm-0501 has been active since 2021 and has used multiple ransomware-as-a-service (RaaS) strains.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 has evolved its tactics to include cloud-based ransomware, exploiting cloud privilege escalation and visibility gaps.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- The attack targeted a large enterprise with multiple subsidiaries, each with separate but interconnected Microsoft Azure cloud tenants.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 compromised devices not connected to Microsoft Defender, gaining domain administrator privileges.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- The threat actor used AzureHound to map relationships and permissions across Azure tenants.
  First reported: 27.08.2025 19:00 · 1 source, 1 article. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
- Storm-0501 exploited a non-human identity with the Global Administrator role and no MFA to gain control over the cloud domain.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- The attack involved exfiltrating data and mass-deleting Azure resources to prevent remediation.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 attempted cloud-based encryption using Azure Key Vault but was thwarted by Azure's soft-delete feature.
  First reported: 27.08.2025 19:00 · 1 source, 1 article. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
- Microsoft implemented changes to restrict permissions on Directory Synchronization Accounts to prevent similar attacks.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Microsoft recommends using tamper protection, endpoint detection-and-response products, and enabling MFA for all users to mitigate such threats.
  First reported: 27.08.2025 19:00 · 2 sources, 2 articles. Sources:
  - Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack · www.darkreading.com · 27.08.2025 19:00
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 exploits Entra ID to exfiltrate and delete Azure data in hybrid cloud attacks.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 uses cloud-native capabilities to exfiltrate data, destroy backups, and demand ransom without deploying traditional malware.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 targets multiple sectors, including schools and healthcare, in opportunistic attacks.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 leverages access brokers like Storm-0249 and Storm-0900 for initial access.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 exploits known vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 uses Evil-WinRM for lateral movement and a DCSync attack to extract credentials from Active Directory.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 targets non-human identities with Global Administrator roles lacking MFA for privilege escalation.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 registers a threat-actor-owned Entra ID tenant as a trusted federated domain to create a backdoor.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 initiates mass deletion of Azure resources to prevent remediation.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Storm-0501 contacts victims using Microsoft Teams to demand ransom.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Microsoft has updated Entra Connect to support Modern Authentication for enhanced security.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
- Microsoft recommends enabling Trusted Platform Module (TPM) on the Entra Connect Sync server to mitigate credential extraction.
  First reported: 27.08.2025 22:04 · 1 source, 1 article. Sources:
  - Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks · thehackernews.com · 27.08.2025 22:04
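The snippets above name three controls that decided the outcome of this campaign: non-human identities holding Global Administrator without MFA, Key Vault soft-delete (and its companion, purge protection) blocking cloud-side encryption, and the ability to mass-delete Azure resources. The script below is an added defender-side audit, not code from Microsoft or from the cited articles. It assumes the Microsoft.Graph and Az PowerShell modules are installed, that the operator already has read access to the tenant and subscription, and that the resource-group, vault and lock names are placeholders to be replaced.

```powershell
# Added audit script (not from the cited reporting). Assumptions: Microsoft.Graph
# and Az modules installed; Connect-AzAccount already run; names below are placeholders.

# --- 1. Who holds Global Administrator, and can each holder actually satisfy an MFA prompt?
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','AuditLog.Read.All'

$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw 'Global Administrator role is not activated in this tenant' }

$findings = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    $type = $m.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.user' {
            # Registration status from the authentication-methods report (needs AuditLog.Read.All).
            $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
            [pscustomobject]@{
                Id            = $m.Id
                Name          = $m.AdditionalProperties['userPrincipalName']
                Kind          = 'user'
                MfaRegistered = [bool]$reg.IsMfaRegistered
                Risk          = if ($reg.IsMfaRegistered) { 'review' } else { 'HIGH: GA user with no MFA method registered' }
            }
        }
        default {
            # Service principals (and role-assignable groups) cannot answer an MFA challenge themselves;
            # a Global Administrator assignment here is the pattern the reporting describes.
            [pscustomobject]@{
                Id            = $m.Id
                Name          = $m.AdditionalProperties['displayName']
                Kind          = $type -replace '^#microsoft\.graph\.', ''
                MfaRegistered = $false
                Risk          = 'HIGH: non-human identity holding Global Administrator'
            }
        }
    }
}
$findings | Sort-Object Risk -Descending | Format-Table -AutoSize

# --- 2. Key Vault: soft delete is on for current vaults, but purge protection is opt-in.
# Without it, an identity with purge rights can empty the soft-delete bin and finish an encryption attack.
$rg    = 'rg-placeholder'      # placeholder resource group
$vault = 'kv-placeholder'      # placeholder vault name
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
if (-not $kv.EnablePurgeProtection) {
    Write-Warning "$vault has no purge protection; enabling it (this cannot be turned off later)"
    Update-AzKeyVault -VaultName $vault -ResourceGroupName $rg -EnablePurgeProtection
}

# --- 3. A CanNotDelete lock on the resource group turns a single destructive pass into a series of
# explicit, logged lock removals that an Activity Log alert can fire on.
if (-not (Get-AzResourceLock -ResourceGroupName $rg -LockName 'deny-delete' -ErrorAction SilentlyContinue)) {
    New-AzResourceLock -LockName 'deny-delete' -LockLevel CanNotDelete -ResourceGroupName $rg -Force
}
```

Two caveats when reading the output. `Get-MgDirectoryRoleMember` lists only active assignments, so PIM-eligible holders and members of role-assignable groups must be expanded separately; and "MFA registered" is not "MFA enforced", so the real control to verify is a Conditional Access policy that requires MFA for the Global Administrator role. Neither a lock nor purge protection stops a Global Administrator from removing them, which is why the role membership check comes first.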
Similar Happenings
Supply Chain Attack on npm Packages with Billions of Weekly Downloads
A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker's wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.
Salesloft Disables Drift Following OAuth Token Theft
Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The threat actors' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.
Cloudflare mitigates record 11.5 Tbps UDP flood DDoS attack
Cloudflare recently blocked the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The attack was a UDP flood, primarily originating from a combination of several IoT and cloud providers, including Google Cloud, and lasted approximately 35 seconds. Volumetric DDoS attacks overwhelm targets with massive data, consuming bandwidth and exhausting resources. This attack is part of a recent surge in hyper-volumetric DDoS attacks, with Cloudflare autonomously blocking hundreds over the past few weeks. This attack follows a 7.3 Tbps DDoS attack in June 2025 and a 3.8 Tbps attack in October 2024, both mitigated by Cloudflare. The increase in DDoS attacks highlights the escalating threat landscape and the need for robust cybersecurity defenses. The attack involved the RapperBot botnet, which targets network video recorders (NVRs) and other IoT devices, exploiting security flaws to gain initial access and download the malware payload.
APT29 Watering Hole Campaign Exploiting Microsoft Device Code Authentication
Amazon has disrupted a watering hole campaign orchestrated by APT29, a Russia-linked threat actor also known as Midnight Blizzard. The campaign used compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow. The campaign targeted Microsoft 365 accounts and aimed to harvest credentials and gather intelligence. The campaign involved injecting JavaScript into legitimate websites to redirect visitors to actor-controlled domains mimicking Cloudflare verification pages. The ultimate goal was to trick victims into entering a legitimate device code generated by the threat actor, granting access to their Microsoft accounts and data. The campaign utilized various evasion techniques, including Base64 encoding and setting cookies to prevent repeated redirects. Amazon's intervention led to the actor migrating to new infrastructure, including a move off AWS to another cloud provider. The campaign reflects an evolution in APT29's tactics, no longer relying on domains impersonating AWS or social engineering to bypass multi-factor authentication (MFA).
Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials
A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and auxiliary plugins. These versions contained data-gathering capabilities that exfiltrated 2,349 credentials from GitHub, cloud, and AI services. The attack occurred on August 26, 2025, affecting multiple versions of the nx package and related plugins. The compromised packages were removed from the npm registry, and users were advised to rotate credentials and check for malicious modifications in their systems. The malicious packages scanned file systems, collected credentials, and posted them to GitHub repositories under the users' accounts. The attack exploited a vulnerable workflow introduced on August 21, 2025, which allowed for arbitrary command execution and elevated permissions. The attack took approximately four hours from start to finish, resulting in the exfiltration of around 20,000 sensitive files. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets and modified shell startup files to crash the system upon terminal session opening. A second attack wave was identified on August 28, 2025, affecting over 190 users/organizations and over 3000 repositories. The second wave involved making private repositories public and creating forks to preserve data. The attack unfolded in three distinct phases affecting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users and leaked over 2,000 unique secrets. The second phase compromised 480 accounts and exposed 6,700 private repositories. The third phase targeted a single organization, publishing an additional 500 private repositories.