Friend
Professional
The new Embargo ransomware threatens data security.
Microsoft has identified a new hacker unit tracked under the ID Storm-0501. Previously, this group collaborated with well-known ransomware gangs such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo. Now, Storm-0501 has moved to independent operations, targeting hybrid cloud environments and using publicly available tools in its attacks. The main goal of the cybercriminals is financial gain.
Recently, the Storm-0501 group carried out multi-stage attacks in the United States, hacking into hybrid cloud environments and spreading from on-premises devices to the cloud. These attacks have resulted in credential theft, theft of sensitive information, tampering with systems, creating backdoors, and launching ransomware. The victims of the group were government organizations, manufacturing companies, transport services, law enforcement agencies and even hospitals.
It is known that Storm-0501 has been active since at least 2021. In its attacks, the group used several types of ransomware developed and maintained by other groups. To gain initial access, the criminals usually use stolen credentials and known vulnerabilities to reach accounts with elevated privileges. Subsequently, using these privileges, the hackers move to the cloud, exploiting vulnerabilities in the interfaces between the environments.
A recent Microsoft Threat Intelligence report emphasizes that with the increasing use of hybrid cloud environments, securing resources across multiple platforms is becoming increasingly challenging. For example, in one of the latest attacks, Storm-0501 hackers exploited known vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and ColdFusion 2016. The operational security of the affected organizations turned out to be insufficient.
In the attack, Storm-0501 uses standard Windows tools and commands, such as "systeminfo.exe", "net.exe", "nltest.exe", and "tasklist.exe", as well as publicly available tools for reconnaissance and remote control, such as AnyDesk. Once they gain administrator privileges, the group steals credentials to spread across the network and reach the domain controller in order to deploy ransomware.
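The living-off-the-land reconnaissance cluster named above (systeminfo.exe, net.exe, nltest.exe, tasklist.exe) and a later AnyDesk launch are the kind of pattern a defender can hunt for in process-creation telemetry. The following is an added example, not code from the Microsoft report or from the original post: it runs simple detection logic over a handful of constructed process-creation events in JSON-lines form (hostnames, users, paths and timestamps are all made up for the example). A host is flagged when at least three distinct binaries from the reconnaissance set start within a ten-minute window; any execution of a remote-access tool from the watch list is reported separately.

```python
"""Hunt for a burst of built-in reconnaissance binaries and remote-access tool
launches in process-creation events (e.g. Windows Security 4688 or Sysmon 1,
normalized to JSON lines). Example code; thresholds are tuning assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Reconnaissance binaries mentioned in the report, plus the remote-control tool.
RECON_BINARIES = {"systeminfo.exe", "net.exe", "nltest.exe", "tasklist.exe"}
REMOTE_ACCESS_BINARIES = {"anydesk.exe"}

# Tuning assumptions: how many distinct recon tools within how long counts as a burst.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_RECON = 3

# Constructed sample telemetry (not real data). WS01 shows the full cluster followed
# by AnyDesk; WS02 and SRV01 show benign, isolated use of the same binaries.
SAMPLE_EVENTS = r"""
{"ts": "2024-09-26T10:00:05", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\systeminfo.exe", "parent": "cmd.exe"}
{"ts": "2024-09-26T10:00:40", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe", "parent": "cmd.exe"}
{"ts": "2024-09-26T10:01:10", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\nltest.exe", "parent": "cmd.exe"}
{"ts": "2024-09-26T10:02:30", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "cmd.exe"}
{"ts": "2024-09-26T10:15:00", "host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "parent": "explorer.exe"}
{"ts": "2024-09-26T09:30:00", "host": "WS02", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\net.exe", "parent": "cmd.exe"}
{"ts": "2024-09-26T09:31:00", "host": "WS02", "user": "CORP\\asmith", "image": "C:\\Windows\\explorer.exe", "parent": "userinit.exe"}
{"ts": "2024-09-26T08:00:00", "host": "SRV01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\tasklist.exe", "parent": "backup.exe"}
{"ts": "2024-09-26T08:45:00", "host": "SRV01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\systeminfo.exe", "parent": "backup.exe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, normalizing the image to a lowercase basename
    so path variations do not defeat the match. Returns events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["image"] = rec["image"].rsplit("\\", 1)[-1].lower()
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_recon_bursts(events):
    """Per host, slide a WINDOW over recon-binary launches and report the first
    window that contains at least MIN_DISTINCT_RECON distinct binaries."""
    by_host = defaultdict(list)
    for e in events:
        if e["image"] in RECON_BINARIES:
            by_host[e["host"]].append(e)

    findings = []
    for host, launches in by_host.items():
        for i, start in enumerate(launches):
            seen = {}
            for e in launches[i:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break
                seen.setdefault(e["image"], e)  # keep first launch of each binary
            if len(seen) >= MIN_DISTINCT_RECON:
                findings.append({
                    "host": host,
                    "user": start["user"],
                    "first_seen": start["ts"].isoformat(),
                    "binaries": sorted(seen),
                })
                break  # one finding per host is enough for triage
    return findings


def find_remote_access_tools(events):
    """Report every launch of a watched remote-access tool, with its path context."""
    return [
        {"host": e["host"], "user": e["user"], "image": e["image"],
         "parent": e["parent"], "ts": e["ts"].isoformat()}
        for e in events if e["image"] in REMOTE_ACCESS_BINARIES
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_recon_bursts(evs):
        print("recon burst:", f)
    for r in find_remote_access_tools(evs):
        print("remote access tool:", r)
```

On the constructed sample, only WS01 is flagged for the reconnaissance burst (all four binaries within three minutes) and for the AnyDesk launch from a user's Temp directory; SRV01's two launches 45 minutes apart and WS02's single net.exe call stay below the threshold. In production the same logic would read from the SIEM or EDR export rather than an inline string, and the window and count would be tuned against the environment's baseline, since administrators and monitoring agents legitimately run these binaries.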
Once Storm-0501 takes control of the network and moves to the cloud, the hackers deploy the new Embargo ransomware, which is written in Rust and uses advanced encryption techniques. However, the attackers do not always deploy ransomware; in some cases, they only maintain access to the network.
Microsoft is working to protect the Microsoft Entra ID service (formerly Azure AD), which the attackers used to steal credentials. The tech giant recommends that organizations use strong authentication mechanisms, restrict access for sync accounts, and use EDR solutions to strengthen security.
Source