Storm-0501: The Rising Threat to Non-Human Identities in Hybrid Clouds

Tomer Iarchy

Software Engineer

Published on

October 2, 2024

The Storm-0501 cybercriminal group has run a multi-stage attack campaign against hybrid cloud infrastructures. By abusing weak credentials and over-privileged accounts, the group moved laterally from on-premises environments into cloud platforms. Active since 2021, Storm-0501's earlier attacks were largely opportunistic; its recent campaigns signal a strategic shift toward hybrid environments, where a foothold on a domain-joined server is turned into cloud access. The group's ability to move between on-premises systems and cloud resources underscores the growing threat posed by unmanaged non-human identities (NHIs), which have become a key attack vector in these breaches.

As machine-to-machine interactions increasingly outpace human-to-machine connections, securing these digital identities has become critical, especially as the Storm-0501 attack continues to expand across hybrid cloud environments.

The Non-Human Identity Challenge in Multi-Cloud Environments

Organizations are grappling with complex infrastructures where resources span multiple clouds, making security perimeters increasingly difficult to define. NHIs now outnumber human identities on average by a factor of 20, according to recent research by ESG, as every SaaS, PaaS, and IaaS service has become its own identity provider. These accounts, often service accounts, govern machine-to-machine communication but introduce unique security challenges.

Recent Storm-0501 intrusions show how easily these accounts can be compromised when left unmanaged, and their elevated permissions make them prime targets. By compromising on-premises servers and stealing the service account credentials stored on them, Storm-0501 was able to:

  • gain access to vast data flows
  • create backdoors that serve as persistent access points, leading to prolonged periods of undetected activity
  • impersonate high-privilege users, extending its reach and impact

Compromised NHIs are often used to move laterally from the initial foothold into other systems. Storm-0501 began by exploiting known vulnerabilities in unpatched, internet-facing on-premises servers and then used the over-privileged accounts it found there to move laterally into cloud environments. For instance, a Microsoft Entra Connect Sync server holds the credentials of its directory synchronization service account; an attacker who compromises that server can use them to pivot from on-premises to cloud resources. A sync server that has been decommissioned but whose account in Entra ID was never removed leaves behind a "stale account": unused, still privileged, and an open path for exactly this kind of lateral movement. Finding and removing such accounts in a timely manner closes that path.
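One concrete check for the stale and over-privileged sync accounts described above, added here as an example (it is not code from the original post or from Oasis): it audits Entra Connect Sync service accounts for staleness and for directory roles beyond the one they need. The input is constructed in the shape of Microsoft Graph's `/users` response (including `signInActivity`) and of directory-role memberships; the server names, timestamps, the audit date and the 30-day threshold are assumptions, and no tenant is contacted.

```python
"""Audit Microsoft Entra Connect Sync service accounts for staleness and over-privilege.

Added example, not code from the original post or from Oasis. All input below is
constructed to mimic Graph responses; nothing here talks to a real tenant.
"""
from datetime import datetime, timedelta, timezone

SYNC_DISPLAY_NAME = "On-Premises Directory Synchronization Service Account"
SYNC_UPN_PREFIX = "sync_"   # Entra Connect creates Sync_<server>_<random>@<tenant>.onmicrosoft.com
SYNC_ROLE = "Directory Synchronization Accounts"  # the only directory role a sync account needs
STALE_AFTER = timedelta(days=30)                   # assumed threshold; tune to your sync cadence
SAMPLE_NOW = datetime(2024, 10, 2, tzinfo=timezone.utc)  # assumed audit date

# Constructed sample in the shape of GET /users?$select=displayName,userPrincipalName,
# accountEnabled,signInActivity. Server names, random suffixes and timestamps are invented.
SAMPLE_USERS = [
    {   # live sync server: signs in non-interactively every sync cycle
        "displayName": SYNC_DISPLAY_NAME,
        "userPrincipalName": "Sync_AADC01_7f3a9c2d1e4b@contoso.onmicrosoft.com",
        "accountEnabled": True,
        "signInActivity": {"lastSignInDateTime": None,
                           "lastNonInteractiveSignInDateTime": "2024-09-30T11:58:02Z"},
    },
    {   # sync server decommissioned months ago; the Entra ID account was never removed
        "displayName": SYNC_DISPLAY_NAME,
        "userPrincipalName": "Sync_OLDDC01_0b1c2d3e4f5a@contoso.onmicrosoft.com",
        "accountEnabled": True,
        "signInActivity": {"lastSignInDateTime": "2024-03-12T08:14:55Z",
                           "lastNonInteractiveSignInDateTime": "2024-05-02T03:21:10Z"},
    },
    {   # sync account created for a lab install that never ran
        "displayName": SYNC_DISPLAY_NAME,
        "userPrincipalName": "Sync_LABDC_9e8d7c6b5a4f@contoso.onmicrosoft.com",
        "accountEnabled": True,
        "signInActivity": {},
    },
    {   # ordinary human user; ignored by the audit
        "displayName": "Alice Admin",
        "userPrincipalName": "alice@contoso.com",
        "accountEnabled": True,
        "signInActivity": {"lastSignInDateTime": "2024-10-01T09:00:00Z"},
    },
]

# Constructed sample of role display name -> member UPNs, as you would assemble it from
# GET /directoryRoles/{id}/members. The decommissioned sync account was once given
# Global Administrator, which is what turns a stolen sync credential into tenant takeover.
SAMPLE_ROLE_MEMBERS = {
    SYNC_ROLE: [u["userPrincipalName"] for u in SAMPLE_USERS[:3]],
    "Global Administrator": ["alice@contoso.com",
                             "Sync_OLDDC01_0b1c2d3e4f5a@contoso.onmicrosoft.com"],
}


def parse_ts(value):
    """Graph returns ISO-8601 UTC timestamps ending in Z, or omits the field entirely."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_sync_account(user):
    """Match on the display name Entra Connect assigns or on the Sync_ UPN prefix."""
    return (user.get("displayName") == SYNC_DISPLAY_NAME
            or user.get("userPrincipalName", "").lower().startswith(SYNC_UPN_PREFIX))


def last_activity(user):
    """Latest of interactive and non-interactive sign-in. Sync accounts normally sign in
    only non-interactively, so checking lastSignInDateTime alone would flag live servers."""
    activity = user.get("signInActivity") or {}
    stamps = [parse_ts(activity.get("lastSignInDateTime")),
              parse_ts(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def audit_sync_accounts(users, role_members, now, stale_after=STALE_AFTER):
    """Return one finding per problem: stale, never_signed_in, or over_privileged (per role)."""
    roles_of = {}
    for role, members in role_members.items():
        for upn in members:
            roles_of.setdefault(upn.lower(), set()).add(role)

    findings = []
    for user in users:
        if not is_sync_account(user):
            continue
        upn = user["userPrincipalName"]
        last = last_activity(user)
        if last is None:
            findings.append({"upn": upn, "finding": "never_signed_in"})
        elif now - last > stale_after:
            findings.append({"upn": upn, "finding": "stale", "last_sign_in": last.isoformat()})
        # Any role beyond Directory Synchronization Accounts is more than sync needs.
        for role in sorted(roles_of.get(upn.lower(), set()) - {SYNC_ROLE}):
            findings.append({"upn": upn, "finding": "over_privileged", "role": role})
    return findings


def run_sample():
    """Audit the constructed sample as of SAMPLE_NOW."""
    return audit_sync_accounts(SAMPLE_USERS, SAMPLE_ROLE_MEMBERS, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against a real tenant the user list comes from `GET /v1.0/users?$select=displayName,userPrincipalName,accountEnabled,signInActivity` (reading `signInActivity` requires the `AuditLog.Read.All` permission) and the role memberships from `/directoryRoles/{id}/members`; the audit logic stays the same. An account flagged `stale` or `never_signed_in` with no sync server behind it should be disabled and then deleted, and any `over_privileged` finding should be removed from the extra role regardless of how active the account is.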

The Need for Specialized NHI Management Solutions

NHIs require a fundamentally different management approach compared to traditional human identity management. Unlike human identities, NHIs often lack clear ownership and can be distributed across multiple identity providers and vaults, complicating governance and security. Traditional Identity and Access Management (IAM) solutions fall short in effectively managing these identities.

Key NHI Security Challenges Highlighted by the Storm-0501 Attack

  • Visibility: Organizations frequently lack comprehensive visibility into all NHIs, leading to blind spots that attackers can exploit. Traditional tools often focus narrowly on secrets and configurations, overlooking service accounts and their critical roles.
  • Security: The security posture of NHIs is often misaligned with organizational needs, leaving gaps for exploitation. The rise of ephemeral access and short-lived tokens means a one-time inventory is out of date almost immediately; monitoring of these identities has to be continuous.
  • Governance: Managing the lifecycle of NHIs can be cumbersome without automation and policy-driven frameworks. Organizations often rely on slow, manual processes that cannot keep pace with modern cloud environments.

How Oasis Helps Secure NHIs 

To combat these challenges, Oasis offers the NHI Security Cloud, designed to manage and secure non-human identities effectively. Our integrated platform focuses on:

  • Comprehensive Discovery: Our NHI discovery engine provides visibility into all non-human identities, including service accounts, IAM roles, and tokens—crucial for understanding the security perimeter.
  • Contextual Insights: The Context Reconstruction Engine continuously analyzes NHIs, correlating data from various sources to create a deep understanding of each identity's role and associated risks.
  • Anomalous Behavior and Posture Vulnerability Detection: Oasis flags anomalous activity, such as sign-ins from unexpected IP geolocations or outside expected conditional access policies, and identifies misconfigurations such as excessive permissions or unrotated secrets, limiting an attacker's ability to progress.
  • Policy-Driven Governance: Oasis automates lifecycle management and remediation through a policy-driven orchestration engine, streamlining processes and reducing operational burdens.

Final Thoughts

The Storm-0501 campaign underscores the vulnerabilities present in non-human identities within today's distributed environments. To effectively secure these identities and mitigate risks, organizations must adopt a proactive approach emphasizing visibility, security, and governance.

By leveraging Oasis, organizations can gain the insights and controls necessary to defend against sophisticated threats, ensuring that their non-human identities do not become the weak link in their security posture. For more information on securing your organization against emerging threats, explore our resources or contact the Oasis team for NHI management advice.
