Microsoft Threat Intelligence researchers identified the threat actor Storm-0501 using enhanced capabilities for lateral movement from on-premises systems to cloud infrastructure. Storm-0501's cloud compromise methodology begins with lateral movement from compromised on-premises systems through insecure hybrid identity configurations. Microsoft's analysis uncovered techniques that target unmanaged devices and exploit insecure hybrid accounts to access critical resources, delete backups, and deploy ransomware. These attacks exploit vulnerabilities at the intersection of on-premises infrastructure and cloud services, a particular challenge for organizations with hybrid configurations.

Microsoft has issued an alert regarding sophisticated ransomware attacks targeting hybrid cloud environments in Q1 2025. Microsoft has warned organizations worldwide that threat actors are ramping up their exploitation of critical vulnerabilities in on-premises Exchange Server and SharePoint Server. This path traversal technique exposes authentication tokens and federation settings, allowing attackers to bypass multi-factor authentication by exploiting trust relationships between identity systems.

Microsoft recommends implementing credential hygiene, applying least privilege principles, and adopting Zero Trust architectures to protect hybrid environments. Organizations should also closely monitor for unusual authentication patterns that may indicate compromise of hybrid identity systems.

A February leak of Black Basta ransomware group chats exposed the group's technical methods, including exploitation of Citrix, Jenkins, and VPN vulnerabilities. In a significant shift, the North Korean state actor Moonstone Sleet has deployed Qilin ransomware in targeted attacks.
Social engineering remains prevalent, with actors initiating contact through fake IT support calls before deploying remote access tools. Storm-1674 was observed using fake IT calls through Microsoft Teams, leading to Quick Assist and PowerShell usage.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 19 Apr 2025 10:40:12 +0000