A holistic approach to put organizations under pressure: Microsoft’s DiGrippo emphasizes that the unique aspect of this new method is that it leverages hybrid environments that have both on-prem and cloud assets. “They put you in a situation where you’re under a significant amount of pressure because they’ve escalated privileges for themselves on both your on-prem and your cloud environment, and then they’re destroying your backups, encrypting what data is left, and telling you essentially, you can’t recover from this,” she says. “You’ll need to pay this ransom or you’re shut down permanently.”

The on-premises equipment is key to Storm-0501 pulling off this attack chain. “When the threat actor can get into those because they’re vulnerable, pivot into the cloud, the threat actor really now has the keys to the kingdom,” DiGrippo says.

“This is not what we traditionally see with most threat actors,” DiGrippo emphasizes. “They’re getting into the cloud environment, they’re getting into the on-prem environment, they’re deleting the backups, they’re going through those user accounts, finding additional user accounts that they can then breach and obtain persistent access within the environment. It’s a multipronged attack that puts the organization in almost a no-win situation.”
What CISOs should do: DiGrippo says that because Storm-0501 exploits overly privileged accounts, using least privilege access is “super important” for CISOs in helping ward off this attack.

She also thinks CISOs should know what their ransomware playbook is, understand under what circumstances they will pay ransoms, who is authorized to make that decision and who must be involved, and run those playbooks as practice multiple times a year.

Finally, security leaders should consider “doing a full audit of your on-prem environments and understanding what that risk really presents to your organization,” DiGrippo says. “As cloud transformations have been completed over the last several years, a lot of organizations just sort of said, ‘Oh, these are our on-prem, we can’t move that, it’s super-legacy.’”

“Now is the time to really understand what you should be moving to the cloud and what you should be hardening,” DiGrippo warns. “The biggest lesson for me is that these hybrid environments are incredibly vulnerable and incredibly important.”
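The pivot DiGrippo describes works because the same identities are privileged on both sides of a hybrid estate: an on-prem admin account that is synced to the cloud and also holds a directory role lets one compromise reach both environments. The script below is an added, illustrative audit (not code from Microsoft or from the article) that joins two constructed exports, one of on-prem privileged group membership and one of cloud directory-role assignments, and flags the overlaps a least-privilege review would want to see first. The export formats, group and role names, and the `synced_from_onprem` column are assumptions for this example; a real audit would read from your directory tooling.

```python
import csv
import io

# Assumed privileged sets for this example; tune to your own tiering model.
ONPREM_PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CLOUD_PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
}

# Constructed sample exports (not real data). Columns are assumed for this example.
ONPREM_EXPORT = """\
upn,group
alice@corp.example,Domain Admins
bob@corp.example,Domain Users
carol@corp.example,Enterprise Admins
dave@corp.example,Domain Users
"""

CLOUD_EXPORT = """\
upn,role,synced_from_onprem
alice@corp.example,Global Administrator,true
bob@corp.example,Exchange Administrator,true
eve@corp.example,Global Administrator,false
dave@corp.example,User,true
"""


def load_onprem_privileged(text):
    """Return the set of UPNs that belong to a privileged on-prem group."""
    privileged = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["group"] in ONPREM_PRIVILEGED_GROUPS:
            privileged.add(row["upn"].lower())
    return privileged


def load_cloud_privileged(text):
    """Return {upn: (roles, synced_from_onprem)} for cloud-privileged accounts."""
    privileged = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["role"] not in CLOUD_PRIVILEGED_ROLES:
            continue
        upn = row["upn"].lower()
        roles, _ = privileged.get(upn, (set(), False))
        roles.add(row["role"])
        synced = row["synced_from_onprem"].strip().lower() == "true"
        privileged[upn] = (roles, synced)
    return privileged


def find_hybrid_exposure(onprem_text, cloud_text):
    """Flag accounts whose privileges bridge on-prem and cloud.

    privileged_in_both: one credential is admin in both environments.
    cloud_admin_synced_from_onprem: the cloud admin identity is mastered
        on-prem, so an on-prem compromise can take over the cloud role.
    cloud_only_admin: privileged accounts that do not depend on on-prem.
    """
    onprem = load_onprem_privileged(onprem_text)
    cloud = load_cloud_privileged(cloud_text)
    return {
        "privileged_in_both": sorted(onprem & set(cloud)),
        "cloud_admin_synced_from_onprem": sorted(
            upn for upn, (_, synced) in cloud.items() if synced
        ),
        "cloud_only_admin": sorted(
            upn for upn, (_, synced) in cloud.items() if not synced
        ),
    }


if __name__ == "__main__":
    for category, accounts in find_hybrid_exposure(ONPREM_EXPORT, CLOUD_EXPORT).items():
        print(f"{category}: {', '.join(accounts) or '(none)'}")
```

Accounts in the first two buckets are the ones to move to cloud-only admin identities or strip of one side's privileges; the third bucket is what a least-privilege hybrid model should look like for the roles that remain.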
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4046438/storm-0501-debuts-a-brutal-hybrid-ransomware-attack-chain.html