{"id":593,"date":"2025-08-28T14:53:16","date_gmt":"2025-08-28T12:53:16","guid":{"rendered":"https:\/\/blog.digitalonion.ly\/?p=593"},"modified":"2025-08-28T14:53:18","modified_gmt":"2025-08-28T12:53:18","slug":"storm-0501-hackers-shift-to-ransomware-attacks-in-the-cloud","status":"publish","type":"post","link":"https:\/\/blog.digitalonion.ly\/?p=593&lang=en","title":{"rendered":"Storm-0501 hackers shift to ransomware attacks in the cloud"},"content":{"rendered":"\n<p>Storm-0501 then used stolen Directory Synchronization Accounts (DSAs) to enumerate users, roles, and Azure resources with tools such as AzureHound. The attackers eventually discovered a Global Administrator account that lacked multifactor authentication, allowing them to reset its password and gain complete administrative control. With these privileges, they established persistence by adding malicious federated domains under their control, enabling them to impersonate almost any user and bypass MFA protections in the domain. 
Microsoft says they escalated their access further into Azure by abusing the Microsoft.Authorization\/elevateAccess\/action operation, which ultimately allowed them to assign themselves Owner roles, effectively taking over the victim&#8217;s entire Azure environment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Storm-0501 then used stolen Directory Synchronization Accounts (DSAs) to enumerate users, roles, and Azure resources [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":588,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[81,7],"tags":[],"class_list":["post-593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-news","category-uncategorized-en"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/blog.digitalonion.ly\/wp-content\/uploads\/2025\/08\/Untitled-3.jpeg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/posts\/593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blo
g.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=593"}],"version-history":[{"count":2,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/posts\/593\/revisions"}],"predecessor-version":[{"id":599,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/posts\/593\/revisions\/599"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=\/wp\/v2\/media\/588"}],"wp:attachment":[{"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.digitalonion.ly\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}