Microsoft cloud environments under active exploitation by a campaign utilizing access from on-prem accounts - Hunt and Mitigate

News
Threat Research Team
October 1, 2024
copy

A new Microsoft report shows that Storm-0501 (aka UNC2190), a possibly Latvian ransomware group that emerged in 2021, has been observed targeting hybrid networks. The group is performing lateral movement from on-prem to cloud environments using weak credentials (especially in Microsoft Entra Connect) in highly privileged on-prem accounts.

While initially known for relatively limited operations against American schools, it seems that Storm-0501 has now evolved into a full-fledged Ransomware-as-a-Service group, compromising sectors such as government, manufacturing and transportation. It also utilizes various ransomware payloads, including Hive, BlackCat, LockBit and, in its current campaign, Embargo. To get initial access, the group exploits known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), CitrixNetScaler (CVE-2023-4966), and ColdFusion (CVE-2023-29300, CVE-2023-38203).

We recommend blocking malicious IPs which have recently been observed as scanning for the CVEs referred above, as monitored by Greynoise (See Appendix A). It is also advised to investigate the hash files connected to the diverse tools used by Storm-0501, as proposed by Microsoft (see Appendix B).

Furthermore, eventual mitigations include:

  1. Enable Conditional Access policies - Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps.
  2. Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
  3. Monitor the alert “Ransomware-linked Storm-0501threat actor detected” in Microsoft Defender for Endpoint.
  4. Monitor the alerts “Data exfiltration over SMB” and “Suspected DCSync attack” in Microsoft Defender for Identity.

Zafran’s customers are recommended to use the platform and track infamous vulnerabilities exploited by the threat actor in order fully grasp their level of exposure to the threat and understand how they can optimize the compensating controls in place to minimize it.

We also suggest using the Defenses Page and analyze the MITRE Tactics and Techniques characterizing Storm-0501. In this way, one would be able to understand the degree of protection its security controls offer against the threat group.

Please feel free to contact Zafran for any further assistance on that matter.

--------------------------

Appendix A - Malicious IPs scanning for the vulnerabilities exploited by Storm-0501 (as of October 1, 2024)

Citrix Netscaler (CVE-2023-4966)

  • 159.223.116.222
  • 62.204.41.56
  • 5.61.38.121
  • 128.199.7.74
  • 165.227.29.76
  • 209.38.207.221
  • 167.71.48.8
  • 157.230.145.241
  • 146.190.163.139
  • 46.101.238.9
  • 134.209.166.41
  • 64.23.159.201
  • 64.227.95.5
  • 134.209.47.160
  • 159.65.12.98
  • 128.199.250.242
  • 146.190.131.65
  • 68.183.19.104
  • 147.182.221.25
  • 165/227/60.184
  • 94.232.43.185
  • 64.23.145.102
  • 64.23.238.123
  • 8.218.168.197
  • 209.38.198.163
  • 183.92.127.219
  • 64.226.83.179
  • 84.239.41.208
  • 87.246.7.194

Zoho ManageEngine (CVE-2022-47966)

  • 5.61.38.121
  • 185.112.83.125
  • 212.22.93.8
  • 45.83.220.210
  • 85.192.56.29
  • 23.146.184.38
  • 45.148.10.192
  • 147.45.40.186
  • 193.149.189.220
  • 39.164.70.103
  • 39.164.70.57
  • 199.204.96.22
  • 46.249.32.2
  • 45.93.23.48

 

ColdFusion (CVE-2023-29300, CVE-2023-38203)

  •  5.61.38.121
  • 185.112.83.125
  • 14.136.96.145
  • 23.146.184.38
  • 45.148.10.192
  • 8.218.168.197
  • 43.229.88.44
  • 45.93.23.48
  • 108.181.24.39
  • 108.61.162.23

------------------------

Appendix B - List of Hash files related to tools used by Storm-0501

  • efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d
  • a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40
  • caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031
  • d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a
  • 53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9
  • 827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f
  • ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a
  • de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304
  • d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670
  • c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1

Related Articles

Blog
Flax Typhoon: A Chinese State-Sponsored Group Exploiting 66 Vulnerabilities to Build a 260k Device Botnet
Blog
Introducing Proactive Exposure Hunting, the latest enhancement to Zafran’s Threat Exposure Management Platform
Blog
Crowdstrike issue causes global scale outages
ProductLearnAboutCareersGet a Demo
© ZAFRAN, 2024, All rights reserved   |    Privacy Policy   |    Terms of Service