• Microsoft flags dangerous cybercriminals ransacking organizations

    From TechnologyDaily@1337:1/100 to All on Thursday, August 28, 2025 13:15:09
    Microsoft flags dangerous cybercriminals ransacking organizations - and then letting you know about it via Teams

    Date:
    Thu, 28 Aug 2025 12:03:00 +0000

    Description:
    A new Storm is brewing in the cloud, but you might only find out about it via Microsoft Teams.

    FULL STORY
    ======================================================================
    - Microsoft warns of Storm-0501, a ransomware group targeting mostly cloud platforms
    - This approach allows them to be faster and more efficient
    - There are ways to defend against this threat, so stay alert

    Microsoft is warning users about a ransomware operator that is more
    interested in compromising cloud infrastructure than on-premise devices, since it's faster, more efficient, and more disruptive.

    In a new report, the company highlighted Storm-0501, a financially motivated group observed to go primarily for hybrid cloud environments. The group would first compromise on-premise Active Directory domains via domain trust relationships, and then use Entra Connect Sync servers to pivot towards the cloud and into Microsoft Entra ID tenants.

    From there, the group would exploit a non-human synced identity with Global Admin rights, and no multi-factor authentication (MFA) set up, to gain full cloud access, which in turn allowed them to create a backdoor using
    malicious federated domains and abused SAML tokens.

    Weathering the storm

    Compromising Azure this way is an alarming turn of events, since crooks can gain the Owner role across subscriptions, map critical assets using AzureHound, exfiltrate data via the AzCopy CLI, delete backups and storage using Azure operations and, in some instances, even encrypt files using custom Azure Key Vault keys.

    Attacking the cloud rather than on-prem infrastructure allows for faster data exfiltration, as well as the destruction of backups. Adding insult to injury, it also allows them to reach out to their victims via Microsoft Teams and demand a ransom payment.

    "Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom all without relying on traditional malware deployment," Microsoft wrote.

    To mitigate the threat, businesses should - before doing anything else - enforce MFA for all users, especially for privileged accounts. Then, they should restrict Directory Synchronization Account permissions, use TPM on Entra Connect Sync servers, and apply Azure resource locks and immutability policies.

    Finally, Microsoft advises enabling Defender for Endpoint and Defender for Cloud across all tenants and, naturally, monitoring with Azure activity logs and advanced hunting queries.
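    As an added illustration of the monitoring advice above (this is example code written for this post, not Microsoft's hunting queries or anything from the TechRadar article): a small Python detector that runs over a constructed sample of simplified Azure Activity Log and Entra ID audit entries and flags the cloud-side actions the report describes (federation settings changed on a domain, Owner role granted, resource locks removed, backup vaults or storage deleted, new Key Vault keys created). A single lock deletion is routine admin work; the sequence detector only raises a finding when one account hits several of those categories inside a short window. The event shape, the field names and the exact operation strings are assumptions to be checked against your tenant's real logs before use; the Owner role definition GUID is the built-in one.

```python
"""Detector sketch for the Storm-0501-style cloud actions described above.

Added example, not Microsoft's or TechRadar's code. The event records are a
constructed, simplified subset of Azure Activity Log / Entra audit log fields;
operation names are assumptions and must be verified against real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Azure "Owner" role definition id (real value).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Assumed operation strings -> (tactic label, severity).
RULES = {
    "Set federation settings on domain": ("federation_change", "high"),
    "Set domain authentication": ("federation_change", "high"),
    "Microsoft.Authorization/locks/delete": ("lock_removed", "medium"),
    "Microsoft.RecoveryServices/vaults/delete": ("backup_destroyed", "high"),
    "Microsoft.Storage/storageAccounts/delete": ("storage_destroyed", "high"),
    "Microsoft.KeyVault/vaults/keys/create/action": ("key_created", "medium"),
}

# Constructed sample: routine admin work plus one suspicious sequence by a
# synced service account (hypothetical names and paths).
SAMPLE_EVENTS = [
    {"time": "2025-08-27T09:00:00Z", "actor": "alice@corp.example", "source": "entra_audit",
     "operation": "Update user", "target": "bob@corp.example", "status": "Succeeded"},
    {"time": "2025-08-27T09:15:00Z", "actor": "sync_svc@corp.example", "source": "entra_audit",
     "operation": "Set federation settings on domain", "target": "corp.example", "status": "Succeeded"},
    {"time": "2025-08-27T09:20:00Z", "actor": "sync_svc@corp.example", "source": "azure_activity",
     "operation": "Microsoft.Authorization/roleAssignments/write", "target": "/subscriptions/SUB-1",
     "status": "Succeeded", "role_definition_id": OWNER_ROLE_ID},
    {"time": "2025-08-27T09:31:00Z", "actor": "sync_svc@corp.example", "source": "azure_activity",
     "operation": "Microsoft.Authorization/locks/delete",
     "target": "/subscriptions/SUB-1/resourceGroups/backups/locks/keep", "status": "Succeeded"},
    {"time": "2025-08-27T09:40:00Z", "actor": "sync_svc@corp.example", "source": "azure_activity",
     "operation": "Microsoft.RecoveryServices/vaults/delete",
     "target": "/subscriptions/SUB-1/resourceGroups/backups/vaults/rsv1", "status": "Succeeded"},
    {"time": "2025-08-27T09:45:00Z", "actor": "sync_svc@corp.example", "source": "azure_activity",
     "operation": "Microsoft.KeyVault/vaults/keys/create/action",
     "target": "/subscriptions/SUB-1/resourceGroups/data/vaults/kv1", "status": "Succeeded"},
    {"time": "2025-08-28T11:00:00Z", "actor": "carol@corp.example", "source": "azure_activity",
     "operation": "Microsoft.Authorization/locks/delete",
     "target": "/subscriptions/SUB-2/resourceGroups/lab/locks/tmp", "status": "Succeeded"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return (tactic, severity) for one event, or None if it is not of interest.
    Failed attempts are ignored here; a stricter rule set could keep them."""
    if event.get("status") != "Succeeded":
        return None
    op = event["operation"]
    if op == "Microsoft.Authorization/roleAssignments/write":
        # Only Owner grants are flagged; other role assignments pass.
        if event.get("role_definition_id", "").lower() == OWNER_ROLE_ID:
            return ("owner_granted", "high")
        return None
    return RULES.get(op)


def find_alerts(events):
    """One alert per matching event, preserving actor and target for triage."""
    alerts = []
    for e in events:
        hit = classify(e)
        if hit:
            tactic, severity = hit
            alerts.append({"time": e["time"], "actor": e["actor"], "tactic": tactic,
                           "severity": severity, "target": e["target"]})
    return alerts


def find_sequences(events, window=timedelta(hours=1), min_tactics=3):
    """Flag an actor whose alerts cover at least `min_tactics` distinct tactics
    inside `window`; this is the 'lock gone, backups gone, new key, new federation'
    chain rather than an isolated admin action."""
    by_actor = defaultdict(list)
    for alert in find_alerts(events):
        by_actor[alert["actor"]].append(alert)
    findings = []
    for actor, alerts in by_actor.items():
        alerts.sort(key=lambda a: parse_time(a["time"]))
        for i, start in enumerate(alerts):
            t0 = parse_time(start["time"])
            tactics = {a["tactic"] for a in alerts[i:] if parse_time(a["time"]) - t0 <= window}
            if len(tactics) >= min_tactics:
                findings.append({"actor": actor, "start": start["time"], "tactics": sorted(tactics)})
                break  # one finding per actor is enough to open a ticket
    return findings


if __name__ == "__main__":
    for f in find_sequences(SAMPLE_EVENTS):
        print(f"{f['actor']} from {f['start']}: {', '.join(f['tactics'])}")
```

    Run against the constructed sample, the single lock deletion by carol produces an alert but no sequence finding, while the synced service account trips five distinct tactics within thirty minutes and is reported. In a real deployment the same logic belongs in an advanced hunting query or a SIEM correlation rule, with the operation list taken from the tenant's actual log schema.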



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-flags-dangerous-cybercriminals-ransacking-organizations-and-then-letting-you-know-about-it-via-teams


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)