Business Impact Analysis: Your Key to Resilient Operations

In this episode of The Backup Wrap-up, we dive into the essential process of conducting a business impact analysis (BIA) and why it’s vital for organizations of all sizes.

Dr. Mike Saylor, CEO of Blackswan Cybersecurity and Professor at UTSA, offers key insights into executing effective BIAs and explains the advantages of having an independent third party conduct them. The discussion covers how a business impact analysis shapes disaster recovery plans, aligns IT strategies with business objectives, and supports investments in resilient infrastructure. You’ll gain a clear understanding of the BIA process, from identifying key stakeholders to assessing potential financial impacts, and learn how it can save your organization time, money, and future complications. Whether you’re an IT professional or a business leader, this episode delivers critical information on safeguarding your organization’s essential operations and ensuring long-term business continuity.

Threat Advisory *CRITICAL* – Storm-0501 Ransomware Threatens Hybrid Cloud Environments

SUMMARY

The threat actor group Storm-0501 has been launching ransomware attacks against government, manufacturing, transportation, and law enforcement sectors in the U.S. This complex, multi-phase operation is aimed at penetrating hybrid cloud environments, allowing the attackers to move laterally from on-premises systems to the cloud. Their objectives include data theft, credential compromise, system manipulation, persistent backdoor installation, and ransomware deployment. According to Microsoft, “Storm-0501 is a financially motivated group that utilizes commercial and open-source tools to carry out its ransomware activities.”

TECHNICAL DETAILS

The threat actor known as Storm-0501 targets cloud environments by exploiting weak credentials and privileged accounts, aiming to steal data and deploy ransomware. According to Microsoft, Storm-0501 initially gains network access using stolen or purchased credentials or by exploiting known vulnerabilities. Recent attacks have involved vulnerabilities like CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and possibly CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016). Once inside the network, the attacker moves laterally within the compromised environment using common post-exploitation frameworks such as Impacket and Cobalt Strike. Data is exfiltrated using a custom Rclone binary disguised as a legitimate Windows tool, while PowerShell cmdlets are used to disable security agents.

Storm-0501 exploits stolen Microsoft Entra ID (formerly Azure AD) credentials to further expand access, particularly focusing on synchronization accounts between on-premises Active Directory (AD) and cloud environments. Microsoft Entra Connect Sync accounts, responsible for synchronizing data between on-prem AD and Entra ID, hold significant privileges. If attackers gain access to Directory Synchronization Account credentials, they can use tools like AADInternals to alter cloud passwords, bypassing security defenses. If a domain administrator or other highly privileged accounts are accessible on-prem and in the cloud without adequate protections (like multi-factor authentication), Storm-0501 can reuse these credentials to regain access to the cloud environment.

After gaining control of the cloud infrastructure, the attackers establish persistence by creating a new federated domain within the Microsoft Entra tenant. This enables them to authenticate as any user for whom they know or have configured the “ImmutableId” property. With this access, they can deploy the Embargo ransomware or maintain backdoor access for future use.

Once Storm-0501 has fully compromised the victim’s network—exfiltrating sensitive data and moving laterally to the cloud—they deploy Embargo ransomware across the organization. This typically involves using compromised high-privilege accounts, such as Domain Admins, to execute the ransomware through scheduled tasks or Group Policy Objects (GPOs), encrypting files across multiple systems. In some cases, however, rather than deploying ransomware immediately, the group may maintain backdoor access for extended periods, likely for continued exploitation or delayed ransom demands. Microsoft notes that Storm-0501 doesn’t always prioritize ransomware deployment, sometimes opting for persistence and long-term access over immediate encryption operations.

STORM-0501 RANSOMWARE

INDICATORS OF COMPROMISE (IOCs)

  • efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d
  • a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40
  • caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031
  • d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a
  • 53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9
  • 827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f
  • ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a
  • de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304
  • d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670
  • c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1
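The hash list above is only useful once it is checked against something. As an added example (not part of the advisory or of any vendor tooling), the following Python sweep loads the ten SHA-256 indicators published above, hashes every file under a directory in chunks, and reports any match. The demo directory, file names and file contents in the `__main__` section are constructed for illustration; the planted file's hash is added to a copy of the IOC set so the sweep has a hit to show.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# SHA-256 indicators from the Storm-0501 advisory above.
STORM_0501_IOCS = frozenset({
    "efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d",
    "a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40",
    "caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031",
    "d37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4a",
    "53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9",
    "827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f",
    "ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a",
    "de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304",
    "d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670",
    "c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1",
})

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once


def sha256_bytes(data: bytes) -> str:
    """Lower-case SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(file_hashes: Dict[str, str], iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return sorted (path, digest) pairs whose digest is in the IOC set.

    Comparison is case-insensitive and ignores surrounding whitespace, because
    hashes copied out of advisories frequently arrive upper-cased or padded.
    """
    wanted = {h.strip().lower() for h in iocs}
    return sorted(
        (path, digest.strip().lower())
        for path, digest in file_hashes.items()
        if digest.strip().lower() in wanted
    )


def scan_directory(root: Path, iocs: Iterable[str] = STORM_0501_IOCS) -> List[Tuple[str, str]]:
    """Hash every regular file under root and return the IOC matches."""
    hashes: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                hashes[str(p)] = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
    return match_hashes(hashes, iocs)


if __name__ == "__main__":
    import tempfile

    # Constructed demo data: a benign file and a stand-in "planted" file. The stand-in's
    # hash is added to a copy of the IOC set purely so the sweep has something to report.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"nothing to see here")
        planted = Path(tmp) / "svchost_update.exe"  # constructed name, not a real sample
        planted.write_bytes(b"constructed stand-in for a flagged binary")
        demo_iocs = set(STORM_0501_IOCS) | {sha256_file(planted)}
        for path, digest in scan_directory(Path(tmp), demo_iocs):
            print(f"IOC match: {path} {digest}")
```

Hash matching only catches the exact binaries Microsoft observed; a recompiled or repacked Embargo payload will not match, so treat a sweep like this as one layer alongside the EDR and logging controls listed in the recommendations.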

RECOMMENDATIONS

  • Enforce strong, complex passwords and regularly update them. Implement multi-factor authentication (MFA) for all privileged accounts, especially on-premises and cloud access. Regularly audit and monitor the use of privileged accounts and restrict their usage wherever possible.
  • Apply timely patches to known vulnerabilities, particularly for critical systems like Zoho ManageEngine, Citrix NetScaler, and ColdFusion. Continuously monitor for emerging vulnerabilities and update systems accordingly.
  • Protect Microsoft Entra Connect Sync accounts with MFA and restrict their permissions. Regularly audit and secure the synchronization process between on-premises AD and Microsoft Entra ID to prevent unauthorized access.
  • Implement strict access controls to segment critical assets and limit lateral movement. Apply the principle of least privilege to minimize exposure of sensitive systems.
  • Deploy endpoint detection and response (EDR) solutions to identify malicious activity like lateral movement, data exfiltration, and unauthorized tools (Impacket, Cobalt Strike). Use PowerShell logging and monitoring to detect abnormal scripts that may disable security agents.
  • Maintain regular backups of critical systems, ensuring they are isolated from the main network to avoid ransomware encryption. Test recovery procedures to ensure rapid restoration in case of ransomware deployment.
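The EDR and PowerShell-logging recommendations above are easier to act on with a concrete rule set. As an added example (not part of the advisory), the Python below runs a few detection rules over PowerShell script block log text of the kind that Event ID 4104 produces, flagging the tampering the advisory describes: real-time protection being turned off, exclusions being added, and a security service being stopped. `Set-MpPreference`, `Add-MpPreference` and `-EncodedCommand` are real Windows/Defender names; the service names `WinDefend` and `Sense`, the log line layout, host names, users and the base64 payload are all constructed for the example and should be replaced with whatever agents and log format are actually in use.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Detection rules for PowerShell activity that disables or weakens security agents.
# The cmdlets and parameters are real Defender/PowerShell ones; the service names in
# the third rule are assumed examples, not an exhaustive list of agents to protect.
RULES: Dict[str, "re.Pattern[str]"] = {
    "defender-realtime-disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender-exclusion-added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "security-service-stopped": re.compile(
        r"(Stop-Service|sc(\.exe)?\s+stop)\b.*\b(WinDefend|Sense)\b", re.I),
    # Only the -enc / -EncodedCommand spellings are matched; PowerShell also accepts
    # shorter prefixes (-e, -ec), which a production rule would need to cover.
    "encoded-command": re.compile(r"-(enc|encodedcommand)\b", re.I),
}


def classify_script_block(text: str) -> List[str]:
    """Names of every rule that fires on one script block, in RULES order."""
    return [name for name, pattern in RULES.items() if pattern.search(text)]


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (1-based line number, line, matched rules) for every line that hits a rule."""
    hits: List[Tuple[int, str, List[str]]] = []
    for number, line in enumerate(lines, 1):
        matched = classify_script_block(line)
        if matched:
            hits.append((number, line, matched))
    return hits


# Constructed sample log lines, loosely modelled on a flattened 4104 script block event.
SAMPLE_LOG = [
    r"2024-09-26T10:14:02Z host=WS01 user=CORP\jdoe ScriptBlockText=Get-Process | Where-Object CPU -gt 100",
    r"2024-09-26T10:15:47Z host=WS01 user=CORP\svc_backup ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2024-09-26T10:15:49Z host=WS01 user=CORP\svc_backup ScriptBlockText=Add-MpPreference -ExclusionPath C:\Windows\Temp",
    r"2024-09-26T10:16:03Z host=WS01 user=CORP\svc_backup ScriptBlockText=Stop-Service -Name WinDefend -Force",
    r"2024-09-26T10:20:11Z host=WS02 user=CORP\asmith ScriptBlockText=Get-ChildItem C:\Users",
    r"2024-09-26T10:21:30Z host=WS01 user=CORP\svc_backup ScriptBlockText=powershell.exe -NoProfile -EncodedCommand QQBBAEEAQQA=",
]

if __name__ == "__main__":
    for number, line, matched in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(matched)}")
        print(f"    {line}")
```

The interesting signal in the sample is not any single line but the sequence: a service account disabling real-time protection, adding an exclusion and stopping the Defender service within a minute on one host. Grouping hits by host and user over a short window, which the `scan_log` output makes straightforward, is what turns these rules into an alert worth paging on.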

Cornerstone Resources — Cybersecurity Awareness Month — Secure Our World

Secure Our World — CISA Flyer

October marks Cybersecurity Awareness Month, a concerted effort to raise awareness about online safety for individuals and businesses.

Cornerstone Resources and Blackswan Cybersecurity are proud to work with CISA (Cybersecurity and Infrastructure Security Agency) to support online safety and education.

This year’s theme, Secure Our World, encourages daily actions that can help protect individuals, families, and organizations from cyber risks. Cyber month reminds everyone that there are straightforward and effective measures you can take daily to fortify online security, protect personal information, and contribute to a safer digital environment.

Secure Our World highlights four essential practices for staying safe online:

1. Use strong passwords and a password manager
2. Enable multifactor authentication
3. Identify and report phishing attempts
4. Keep software up to date

Cybersecurity Awareness Month is led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance. For more information about ways to keep you and your family safe online, visit https://www.cisa.gov/cybersecurity-awareness-month and https://staysafeonline.org/cybersecurity-awareness-month/.

Cybersecurity Awareness Month — Secure Our World

Secure Our World — Overview

October marks Cybersecurity Awareness Month, a global effort to raise awareness about online safety and equip individuals and businesses with tools to safeguard their data from cyber threats. Even amid large-scale data breaches and cyberattacks, the month reminds everyone that there are straightforward and effective measures you can take daily to fortify online security, protect personal information, and contribute to a safer digital environment.

Blackswan Cybersecurity is proud to work with the Cybersecurity and Infrastructure Security Agency (CISA) to support this online safety and education initiative this October.

This year’s theme, Secure Our World, encourages daily actions that can help protect individuals, families, and organizations from cyber risks.

The Secure Our World campaign highlights four essential practices for staying safe online:

1. Use strong passwords and a password manager
2. Enable multifactor authentication
3. Identify and report phishing attempts
4. Keep software up to date

Cybersecurity Awareness Month is led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance. For more information about ways to keep you and your family safe online, visit https://www.cisa.gov/cybersecurity-awareness-month and https://staysafeonline.org/cybersecurity-awareness-month/.
