Microsoft has uncovered a multi-stage cyberattack by the financially motivated group Storm-0501, targeting sectors in the U.S., including government, manufacturing, transportation, and law enforcement.
The attackers compromised hybrid cloud environments, stealing credentials, tampering with data, and deploying ransomware. Storm-0501, active since 2021, first gained attention for using the Sabbath ransomware against U.S. school districts.
The group later evolved into a ransomware-as-a-service (RaaS) affiliate, deploying ransomware variants like Hive, BlackCat, and the newer Embargo ransomware.
In its latest attacks, Storm-0501 exploited weak credentials and over-privileged accounts to move from on-premises systems to cloud environments, gaining persistent backdoor access. Microsoft reported that the group used several known vulnerabilities, including those in Zoho ManageEngine and Citrix NetScaler, to gain initial access.
The group then leveraged admin privileges to compromise further devices and collect sensitive data, using tools like Impacket and Cobalt Strike for lateral movement and detection evasion.
Storm-0501 also deployed open-source tools, such as Rclone, to exfiltrate data.
They masked these tools by renaming them to familiar W
[…]
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents