Microsoft Warns of Ransomware Exploiting Cloud Environments with New Techniques

Microsoft has issued an alert regarding sophisticated ransomware attacks targeting hybrid cloud environments in Q1 2025.

These attacks exploit vulnerabilities at the intersection of on-premises infrastructure and cloud services, challenging organizations with hybrid configurations.

In a significant shift, North Korean state actor Moonstone Sleet has deployed Qilin ransomware in targeted attacks.

This marks their first operation as a ransomware-as-a-service affiliate rather than using custom malware, indicating tactical evolution to increase efficiency while maintaining plausible deniability.

Microsoft Threat Intelligence researchers identified threat actor Storm-0501 utilizing enhanced capabilities for lateral movement from on-premises systems to cloud infrastructure.

Their analysis uncovered techniques targeting unmanaged devices and exploiting insecure hybrid accounts to access critical resources, delete backups, and deploy ransomware.

A February leak of Black Basta ransomware group chats exposed their technical methods, including exploitation of Citrix, Jenkins, and VPN vulnerabilities.

Other active groups included Lace Tempest and Storm-1175, with the latter exploiting new SimpleHelp vulnerabilities shortly after disclosure.

Social engineering remains prevalent, with actors initiating contact through fake IT support calls before deploying remote access tools. Storm-1674 was observed using fake IT calls through Microsoft Teams, leading to Quick Assist and PowerShell usage.

Hybrid Cloud Exploitation Techniques

Storm-0501’s cloud compromise methodology begins with lateral movement from compromised on-premises systems through insecure hybrid identity configurations.

After gaining initial access, attackers target accounts with excessive permissions across environments. This approach allows them to pivot seamlessly between traditional infrastructure and cloud resources.

The attack chain typically includes specific HTTP requests targeting configuration files, such as:

GET /toolbox-resource/../serverconfig.xml

This path traversal technique exposes authentication tokens and federation settings, allowing attackers to bypass multi-factor authentication by exploiting trust relationships between identity systems.
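The request shown above is the kind of thing a defender would want to pick out of web server access logs. The following script is an added example written for this article, not code from Microsoft or from any of the vendors mentioned; it parses a few constructed Common Log Format lines, percent-decodes each request path, normalizes it to the file it actually resolves to, and flags any traversal-style request, noting when the resolved target is a sensitive configuration file. The sample log lines, the sensitive-file list and the field names in the findings are all assumptions for the sake of the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /toolbox-resource/../serverconfig.xml HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2025:10:01:09 +0000] "GET /toolbox-resource/app.js HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2025:10:02:30 +0000] "GET /toolbox-resource/%2e%2e/serverconfig.xml HTTP/1.1" 200 2048
10.0.0.8 - - [12/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumed list of files whose retrieval through a traversal path deserves an alert.
SENSITIVE_FILES = {"serverconfig.xml"}


def decode_path(raw_path):
    """Strip the query string and percent-decode twice to also catch double encoding."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def normalize_path(raw_path):
    """Resolve '..' segments so we see the file the server would actually serve."""
    return posixpath.normpath(decode_path(raw_path))


def is_traversal(raw_path):
    """True when the decoded request path contains a parent-directory segment."""
    decoded = decode_path(raw_path)
    return "/../" in decoded or decoded.endswith("/..") or decoded.startswith("../")


def analyze(log_text):
    """Return one finding per traversal-style request found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as CLF
        raw = m.group("path")
        if not is_traversal(raw):
            continue
        resolved = normalize_path(raw)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "raw_path": raw,
            "resolved_path": resolved,
            # a 200 on a traversal request means the server likely served the file
            "status": int(m.group("status")),
            "sensitive": posixpath.basename(resolved) in SENSITIVE_FILES,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "SENSITIVE" if f["sensitive"] else "traversal"
        print(f"[{flag}] {f['ip']} {f['timestamp']} {f['raw_path']} -> "
              f"{f['resolved_path']} (HTTP {f['status']})")
```

Normalizing before matching matters: a rule that only looks for the literal string `../` misses the percent-encoded variant in the third sample line, while matching on the resolved path catches both and also lets you alert on the target file rather than on one specific URL shape. A status of 200 on such a request is the strongest signal, since it indicates the server served the file instead of rejecting the path.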

Microsoft recommends implementing credential hygiene, applying least privilege principles, and adopting Zero Trust architectures to protect hybrid environments.

Organizations should also closely monitor for unusual authentication patterns that may indicate compromise of hybrid identity systems.
