Microsoft warns that Storm-0501 has shifted from traditional ransomware to cloud-based data theft, encryption and extortion built on cloud-native features. The threat actor now targets Azure and Entra ID environments, exploiting gaps in their defenses to exfiltrate data, destroy backups and demand ransom without deploying conventional ransomware binaries. #Storm-0501 #EntraID
Key points
- Storm-0501 has evolved from encrypting devices to focusing on cloud-based data theft and extortion.
- The threat actor exploits native cloud features to exfiltrate data, wipe backups, and destroy storage accounts.
- Recent attacks compromised Azure and Entra ID tenants by exploiting gaps in Microsoft Defender coverage and MFA enforcement.
- Storm-0501 uses stolen credentials and existing cloud privileges to escalate further and gain full control over the cloud environment.
- The attackers employ cloud-based encryption and data destruction tactics, complicating detection and recovery efforts.
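A detection sketch for the backup-wiping and storage-destruction behaviour described in the points above: a rule that flags any single principal completing several destructive Azure control-plane operations within a short window. This is an added example, not code from Microsoft's report or the original page. The Azure Activity Log records are constructed and flattened to a few fields (real exports nest the caller under identity claims), and the operation names, the 30-minute window and the threshold of three deletions are assumptions to tune per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-provider operation names matching the destructive cloud-native
# actions in the summary (wiping backups, destroying storage accounts).
# Assumed for this example; extend with the providers your tenant uses.
DESTRUCTIVE_OPERATIONS = {
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE": "storage account deleted",
    "MICROSOFT.RECOVERYSERVICES/VAULTS/DELETE": "recovery services vault deleted",
    "MICROSOFT.RECOVERYSERVICES/VAULTS/BACKUPFABRICS/PROTECTIONCONTAINERS/PROTECTEDITEMS/DELETE": "backup item deleted",
    "MICROSOFT.COMPUTE/SNAPSHOTS/DELETE": "disk snapshot deleted",
}

# Constructed sample of Activity Log records (JSON lines), simplified to the
# fields the rule needs. One benign snapshot cleanup by an admin, then a burst
# of deletions by a service account, including a "Start" record and one failure.
SAMPLE_ACTIVITY_LOG = """\
{"time": "2025-08-27T09:55:00Z", "caller": "ops-admin@contoso.example", "operationName": "Microsoft.Compute/snapshots/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-app/providers/Microsoft.Compute/snapshots/vm1-snap-2024", "resultType": "Success"}
{"time": "2025-08-27T10:01:10Z", "caller": "svc-backup@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-bk/providers/Microsoft.RecoveryServices/vaults/vault-prod/backupFabrics/Azure/protectionContainers/c1/protectedItems/vm1", "resultType": "Start"}
{"time": "2025-08-27T10:01:12Z", "caller": "svc-backup@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-bk/providers/Microsoft.RecoveryServices/vaults/vault-prod/backupFabrics/Azure/protectionContainers/c1/protectedItems/vm1", "resultType": "Success"}
{"time": "2025-08-27T10:04:30Z", "caller": "svc-backup@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-bk/providers/Microsoft.RecoveryServices/vaults/vault-prod", "resultType": "Success"}
{"time": "2025-08-27T10:07:45Z", "caller": "svc-backup@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stfinance01", "resultType": "Success"}
{"time": "2025-08-27T10:08:02Z", "caller": "svc-backup@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stlegal01", "resultType": "Failed"}
{"time": "2025-08-27T10:09:20Z", "caller": "svc-backup@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "resourceId": "/subscriptions/s1/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/sthr01", "resultType": "Success"}
"""


def parse_activity_log(text):
    """Parse JSON-lines Activity Log records, converting timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_destruction_bursts(events, window_minutes=30, threshold=3):
    """Return one alert per caller that completes at least `threshold` distinct
    destructive operations inside any window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    per_caller = defaultdict(dict)  # caller -> {(op, resourceId): first success time}
    for ev in events:
        op = ev["operationName"].upper()
        # Only completed operations count; "Start" and "Failed" records would
        # double-count or inflate the tally.
        if op not in DESTRUCTIVE_OPERATIONS or ev.get("resultType") != "Success":
            continue
        per_caller[ev["caller"]].setdefault((op, ev["resourceId"].lower()), ev["time"])

    alerts = []
    for caller, actions in per_caller.items():
        timeline = sorted((t, op, rid) for (op, rid), t in actions.items())
        best, start = None, 0
        for end in range(len(timeline)):  # sliding window over the sorted timeline
            while timeline[end][0] - timeline[start][0] > window:
                start += 1
            size = end - start + 1
            if size >= threshold and (best is None or size > best[1] - best[0] + 1):
                best = (start, end)
        if best is not None:
            burst = timeline[best[0]:best[1] + 1]
            alerts.append({
                "caller": caller,
                "count": len(burst),
                "first_seen": burst[0][0],
                "last_seen": burst[-1][0],
                "actions": sorted({DESTRUCTIVE_OPERATIONS[op] for _, op, _ in burst}),
                "resources": [rid for _, _, rid in burst],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_destruction_bursts(parse_activity_log(SAMPLE_ACTIVITY_LOG)):
        print(f"{alert['caller']}: {alert['count']} destructive operations "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
        for action in alert["actions"]:
            print(f"  - {action}")
```

Run against the sample, the admin's single snapshot deletion stays below the threshold while the service account's four completed deletions produce one alert. The rule only sees operations that already succeeded, so pair it with alerts on the changes an actor makes first, such as removing resource locks or disabling soft delete on storage and backup vaults, if you want warning before the data is gone.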