Cloud-based ransomware attacks

Microsoft recently published a blog post of its own discussing shifts in the tactics employed by Storm-0501, a notorious ransomware group – most notably a shift towards Cloud-based ransomware attacks, in which the victim's own Cloud platform, rather than malware on endpoints, is used to exfiltrate and destroy data.

What’s changed?

Over time, Storm-0501 has evolved its playbook – expanding from purely on-premises attacks to targeting hybrid environments (organizations with both on-premises and Cloud deployments), where a foothold in on-premises Active Directory can be turned into control of the Cloud tenant.

Key takeaways from their current operation patterns include:

  • Deliberate targeting of backups, so that the victim cannot simply restore
  • A move away from deploying ransomware binaries on endpoints towards exfiltrating data and then destroying it in place using the Cloud platform's own capabilities
  • Escalating, step by step, from the privileges initially compromised to those that reach more sensitive data

In the most recent attack, Microsoft found that Storm-0501 assigned itself the Owner role over all the Azure subscriptions it could reach by invoking the Microsoft.Authorization/roleAssignments/write operation. Owner at subscription scope grants full control of every resource in that subscription, including the right to delete it, so this single operation is what turned a compromised identity into control of the victim's Azure estate. A Global Administrator in Microsoft Entra ID can grant itself such rights across every subscription in the tenant because Global Administrators are able to elevate themselves to User Access Administrator at the tenant root management group.
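The roleAssignments/write operation is recorded in the Azure Activity Log, which makes the "grant myself Owner everywhere" move detectable. The following Python script is an added example, not code from Microsoft's report or from TECH-ARROW: it flags a caller that grants a privileged role to its own object ID, and a caller that grants a privileged role across several subscriptions inside a short window. The records it runs over are constructed and follow the Azure Monitor Activity Log export schema (operationName, caller, identity.claims, properties.requestbody); the caller names, object IDs and subscription IDs are invented, while the Owner, User Access Administrator and Reader role definition IDs are the real Azure built-in values.

```python
"""Detect the Azure RBAC self-grant pattern in Azure Activity Log records.

Constructed example: the records built below imitate the Azure Monitor
Activity Log export schema for a caller that hands its own object ID the
Owner role in three subscriptions within a few minutes, plus one benign
Reader grant. Names and IDs other than the role definition IDs are invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Built-in Azure role definition IDs (last segment of RoleDefinitionId).
PRIVILEGED_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"


def parse_assignment(record):
    """Return (caller_oid, principal_id, role_name, scope) for a successful
    roleAssignments/write record; None for any other record. role_name is
    None when the granted role is not in PRIVILEGED_ROLES."""
    if record.get("operationName") != ROLE_ASSIGNMENT_WRITE:
        return None
    if record.get("status") != "Succeeded":
        return None
    props = json.loads(record["properties"]["requestbody"])["Properties"]
    role_id = props["RoleDefinitionId"].rsplit("/", 1)[-1].lower()
    caller_oid = record["identity"]["claims"].get(OID_CLAIM)
    return caller_oid, props["PrincipalId"], PRIVILEGED_ROLES.get(role_id), props["Scope"]


def detect_suspicious_grants(records, window=timedelta(minutes=30), min_subscriptions=3):
    """Two detections: a caller granting a privileged role to itself, and a
    caller granting a privileged role in >= min_subscriptions distinct
    subscriptions inside `window` (the 'Owner over every subscription' move)."""
    findings = []
    grants = defaultdict(list)  # (caller, role) -> [(time, subscription id)]
    for rec in records:
        parsed = parse_assignment(rec)
        if parsed is None:
            continue
        caller_oid, principal_id, role_name, scope = parsed
        if role_name is None:
            continue  # not a role we treat as privileged
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        if caller_oid and principal_id == caller_oid:
            findings.append({"type": "self_grant", "caller": rec["caller"],
                             "role": role_name, "scope": scope})
        if scope.startswith("/subscriptions/"):
            grants[(rec["caller"], role_name)].append((when, scope.split("/")[2]))
    for (caller, role_name), events in grants.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            subs = {sub for t, sub in events[i:] if t - start <= window}
            if len(subs) >= min_subscriptions:
                findings.append({"type": "multi_subscription_grant", "caller": caller,
                                 "role": role_name, "subscriptions": len(subs)})
                break
    return findings


def make_record(time, caller, caller_oid, principal_id, role_id, sub_id, status="Succeeded"):
    """Build one constructed Activity Log record in the export schema."""
    scope = f"/subscriptions/{sub_id}"
    body = {"Properties": {
        "PrincipalId": principal_id,
        "RoleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        "Scope": scope}}
    return {"time": time, "operationName": ROLE_ASSIGNMENT_WRITE, "status": status,
            "caller": caller, "identity": {"claims": {OID_CLAIM: caller_oid}},
            "properties": {"requestbody": json.dumps(body)}}


ATTACKER_OID = "11111111-1111-1111-1111-111111111111"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
SAMPLE_RECORDS = [  # constructed, not real tenant data
    make_record("2025-08-01T10:00:00Z", "svc-sync@contoso.example", ATTACKER_OID, ATTACKER_OID,
                OWNER, "00000000-0000-0000-0000-000000000001"),
    make_record("2025-08-01T10:02:00Z", "svc-sync@contoso.example", ATTACKER_OID, ATTACKER_OID,
                OWNER, "00000000-0000-0000-0000-000000000002"),
    make_record("2025-08-01T10:04:00Z", "svc-sync@contoso.example", ATTACKER_OID, ATTACKER_OID,
                OWNER, "00000000-0000-0000-0000-000000000003"),
    # Benign: an administrator grants Reader to a different principal.
    make_record("2025-08-01T10:10:00Z", "admin@contoso.example", "22222222-2222-2222-2222-222222222222",
                "33333333-3333-3333-3333-333333333333", READER_ROLE_ID,
                "00000000-0000-0000-0000-000000000001"),
]

if __name__ == "__main__":
    for finding in detect_suspicious_grants(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample it reports three self-grants and one multi-subscription grant for svc-sync@contoso.example and nothing for the Reader grant. In production the same logic would sit in a SIEM query over the exported Activity Log; the self-grant check is the higher-fidelity signal, since legitimate administrators rarely assign Owner to themselves.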

From this point, the actor undertook a series of operations that led to data exfiltration and deletion. This included a comprehensive discovery phase to locate the organization’s critical assets, including data stores that contained sensitive information.

Data protected by immutability policies, which the actor could not delete, was instead encrypted in the Cloud; everything else that could be copied off and deleted was exfiltrated and then destroyed. The victim was then sent ransom demands through a compromised Microsoft Teams account.

What can we do?

Microsoft’s recommendations include:

  • Enable Azure Blob backup to protect against deletion of blobs or storage accounts
  • Apply the principle of least privilege when authorizing access to blob data in Azure Storage
  • Enable logging in Azure Key Vault and retain the logs for up to a year, so that activity trails can be reconstructed during an investigation
  • Enable Azure Backup for virtual machines to protect the data on your Azure virtual machines
  • Use Microsoft Security Exposure Management to investigate on-premises and hybrid attack paths, such as the route from an on-premises foothold to a synced privileged Cloud identity

Zero Trust principles help protect against such a compromise. In this most recent attack, Storm-0501 identified a non-human, on-premises-synced identity that held the Global Administrator role in Microsoft Entra ID. The account had no registered MFA method. Having already compromised the on-premises environment, the actor reset that user’s on-premises password; shortly afterwards the new password was legitimately synchronized to the cloud identity by the Entra Connect Sync service, handing the actor a Global Administrator sign-in with no second factor to overcome.
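The two properties that made this account usable to the attacker, synced from on-premises and no MFA method, can both be read from Microsoft Graph. The following Python script is an added example, not code from Microsoft's report or from TECH-ARROW: it audits the members of a privileged directory role and reports every member that is synced from on-premises and/or has no MFA-capable authentication method registered. The data it runs over is constructed and imitates the shape of Graph's GET /directoryRoles/{id}/members (user objects with onPremisesSyncEnabled) and GET /users/{id}/authentication/methods (@odata.type per method); the user names and IDs are invented, while the Global Administrator role template ID and the @odata.type values are the real Graph identifiers.

```python
"""Audit members of a privileged Microsoft Entra ID role for the two
weaknesses the Storm-0501 case exposed: the account is synced from
on-premises Active Directory (so an on-premises password reset flows to the
cloud through Entra Connect), and it has no MFA-capable authentication
method registered.

Constructed example: SAMPLE_MEMBERS and SAMPLE_METHODS imitate Microsoft
Graph output for /directoryRoles/{id}/members and
/users/{id}/authentication/methods. No real tenant data is used.
"""

GLOBAL_ADMINISTRATOR_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Graph authentication method types that can satisfy an MFA challenge.
# Password, email (self-service password reset only) and Temporary Access
# Pass are deliberately excluded: an account with only those has no durable
# second factor.
MFA_CAPABLE_METHODS = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}


def audit_role_members(role, members, methods_by_user):
    """Return one finding per member of `role` that is synced from
    on-premises and/or lacks an MFA-capable method. Members with neither
    problem produce no finding."""
    findings = []
    for member in members:
        issues = []
        # Graph returns onPremisesSyncEnabled = true for synced users and
        # null for cloud-only users.
        if member.get("onPremisesSyncEnabled"):
            issues.append("synced_from_on_premises")
        registered = {m["@odata.type"] for m in methods_by_user.get(member["id"], [])}
        if not registered & MFA_CAPABLE_METHODS:
            issues.append("no_mfa_method")
        if issues:
            findings.append({"role": role["displayName"],
                             "userPrincipalName": member["userPrincipalName"],
                             "issues": issues})
    return findings


SAMPLE_ROLE = {"displayName": "Global Administrator",
               "roleTemplateId": GLOBAL_ADMINISTRATOR_TEMPLATE_ID}

SAMPLE_MEMBERS = [  # constructed
    {"id": "u-1", "userPrincipalName": "svc-adsync-admin@contoso.example",
     "onPremisesSyncEnabled": True},   # non-human, synced: the Storm-0501 pattern
    {"id": "u-2", "userPrincipalName": "breakglass@contoso.example",
     "onPremisesSyncEnabled": None},   # cloud-only
    {"id": "u-3", "userPrincipalName": "alice@contoso.example",
     "onPremisesSyncEnabled": True},
]

SAMPLE_METHODS = {  # constructed
    "u-1": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
            {"@odata.type": "#microsoft.graph.emailAuthenticationMethod"}],
    "u-2": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
            {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod"}],
    "u-3": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
            {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"}],
}

if __name__ == "__main__":
    for finding in audit_role_members(SAMPLE_ROLE, SAMPLE_MEMBERS, SAMPLE_METHODS):
        print(finding)
```

On the sample data the synced service account is reported for both issues, alice only for being synced, and the cloud-only break-glass account with a FIDO2 key is clean. The synced finding is worth acting on even when MFA is present: as long as the account's password is mastered on-premises, whoever controls the domain controllers controls that Global Administrator's password.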

Requiring MFA for every identity, human and non-human alike, and keeping privileged Cloud roles off accounts that are synced from on-premises would at the very least have complicated this attack, if not prevented it outright. Likewise, backups that follow the 3-2-1 rule (three copies of the data, on two different kinds of media, with one copy kept off-site) force the attacker to compromise several independent systems before all access to your data can be destroyed. As Cloud transformation continues, Cloud-based ransomware attacks will become more common, and organizations have to adapt and prepare.


by Matúš Koronthály