Although Storm-0501 had valid credentials, the sign-in demanded an additional MFA factor that the attackers could not supply, and the Conditional Access policy requirements could not be met either. However, the attackers could use their on-premises foothold to pivot through the Active Directory domain to a non-human synced identity that held the Global Administrator role and had no MFA method registered. Because that identity was mastered on-premises, they reset its on-premises password, let the change sync to the cloud, registered an MFA method for the Global Administrator account in the Azure portal, signed in as Global Administrator, and took control of the domain.
Microsoft states that Storm-0501 then built a backdoor by adding a malicious federated domain, which let them sign in as almost any user, mapped the entire environment, and assessed its security posture. The threat actor then targeted the organization's Azure Storage accounts and exfiltrated the data to infrastructure under their own control.
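The two tenant conditions the account above turns on, a Global Administrator synced from on-premises AD with no MFA registered and a federated domain nobody expected, are both cheap to hunt for. The following Python script is an added example, not code from the article or from Microsoft. It runs over constructed records shaped like the Microsoft Graph `user`, `userRegistrationDetails` and `domain` objects: the property names `onPremisesSyncEnabled`, `isMfaRegistered`, `authenticationType` and `isVerified` and the Global Administrator role template id are real, while the sample tenant, its user principal names, the `EXPECTED_FEDERATED` allowlist and the placeholder role id are assumptions made for the example.

```python
"""Hunt for the two tenant weaknesses described in the Storm-0501 account:
  1. a Global Administrator synced from on-premises AD with no MFA registered
     (an on-prem password reset then syncs straight into a cloud admin), and
  2. a federated domain that is not on the tenant's expected list (the
     federated-domain backdoor used to sign in as arbitrary users).
All records below are constructed sample data shaped like Microsoft Graph
objects so the script runs offline; in a live tenant they would come from
GET /directoryRoles(roleTemplateId='...')/members,
GET /reports/authenticationMethods/userRegistrationDetails and GET /domains.
"""

# Built-in Entra ID role template id for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample data for an assumed tenant (not from the article).
SAMPLE_ROLE_MEMBERS = [
    {"roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
     "userPrincipalName": "svc-sync-ga@example.com", "onPremisesSyncEnabled": True},
    {"roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
     "userPrincipalName": "alice.admin@example.com", "onPremisesSyncEnabled": False},
    {"roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID,
     "userPrincipalName": "carol.sync@example.com", "onPremisesSyncEnabled": True},
    # Placeholder id for some lesser role (not a real template id).
    {"roleTemplateId": "PLACEHOLDER-OTHER-ROLE-TEMPLATE-ID",
     "userPrincipalName": "bob@example.com", "onPremisesSyncEnabled": True},
]

# userRegistrationDetails keyed by UPN. svc-sync-ga has no record at all,
# which is exactly what a never-registered non-human identity looks like.
SAMPLE_REGISTRATION = {
    "alice.admin@example.com": {"isMfaRegistered": True},
    "carol.sync@example.com": {"isMfaRegistered": True},
    "bob@example.com": {"isMfaRegistered": False},
}

SAMPLE_DOMAINS = [
    {"id": "example.com", "authenticationType": "Managed", "isVerified": True},
    {"id": "corp.example.com", "authenticationType": "Federated", "isVerified": True},
    {"id": "added-by-attacker.example.org", "authenticationType": "Federated", "isVerified": True},
]

# Assumed: the organisation's one legitimately federated domain.
EXPECTED_FEDERATED = {"corp.example.com"}


def synced_global_admins_without_mfa(role_members, registration_details):
    """UPNs of Global Administrators that are synced from on-premises and have
    no MFA method registered. A missing registration record counts as
    'no MFA' (the conservative reading). Disabled accounts are not excluded:
    an attacker who owns on-prem AD can re-enable them and let that sync."""
    findings = []
    for member in role_members:
        if member.get("roleTemplateId") != GLOBAL_ADMIN_TEMPLATE_ID:
            continue
        upn = member["userPrincipalName"]
        mfa_registered = registration_details.get(upn, {}).get("isMfaRegistered", False)
        if member.get("onPremisesSyncEnabled") and not mfa_registered:
            findings.append(upn)
    return sorted(findings)


def unexpected_federated_domains(domains, expected_federated):
    """Verified federated domains that are not on the allowlist. A federated
    domain nobody added on purpose is the backdoor indicator from the article."""
    return sorted(
        d["id"] for d in domains
        if d.get("authenticationType") == "Federated"
        and d.get("isVerified", False)
        and d["id"] not in expected_federated
    )


def report(role_members, registration_details, domains, expected_federated):
    """Both checks in one findings dict, keyed by check name."""
    return {
        "synced_global_admins_without_mfa":
            synced_global_admins_without_mfa(role_members, registration_details),
        "unexpected_federated_domains":
            unexpected_federated_domains(domains, expected_federated),
    }


if __name__ == "__main__":
    for check, hits in report(SAMPLE_ROLE_MEMBERS, SAMPLE_REGISTRATION,
                              SAMPLE_DOMAINS, EXPECTED_FEDERATED).items():
        print(f"{check}: {hits or 'none'}")
```

The point of the first check is that MFA is the only cloud-side control left on a synced admin, because its password is reset on-premises and simply flows in through Entra Connect; the second check only works if the allowlist is maintained deliberately, since an attacker-added federated domain is verified and otherwise indistinguishable from a legitimate one.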
After exfiltrating the data, the group deleted Azure resources at scale, including backups. Files that could not be deleted because of Azure Resource Locks and Azure Storage immutability policies were instead encrypted in the cloud, after which the threat actor moved to the extortion phase, contacting the victims over Microsoft Teams from the account of one of the already-compromised users.