Excerpt
Stormous claims 14 new victims, heavily targeting retail and energy sectors. Leverage IOCs for immediate patching of ScreenConnect and Check Point vulnerabilities.
Threat Actor Profile — STORMOUS
- Aliases: Stormous, Stormous Gang
- Operational Model: Believed to be a closed-group operation with potential RaaS-like affiliate structures given the diverse geographic targeting in this campaign.
- Ransom Demands: Historically variable; recently shifting to "Free Data Dump" tactics to pressure victims, indicating a focus on reputation damage over immediate payment negotiation.
- Initial Access: Heavily reliant on exploiting external-facing services. Recent intelligence confirms the active use of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point Security Gateway). Phishing remains a secondary vector for less mature targets.
- Double Extortion: Strict adherence to double extortion. Exfiltration occurs prior to encryption, with data leaked on their .onion site if negotiations fail.
- Dwell Time: Average dwell time is estimated between 3-7 days. The group moves fast laterally once initial access is established via VPN or remote management tools.
Current Campaign Analysis
Sector Targeting: The campaign shows a distinct pivot towards Consumer Services/Retail (lorenzoni-store, montechiaro-store, impulso-store) and Energy (eogb.co.uk). The clustering of "store" domains suggests a potential supply chain compromise or a specific vulnerability in a shared e-commerce platform (e.g., Magento or a proprietary CMS) utilized by these entities. The inclusion of Manufacturing (HIGUCHI USA, INC) and Technology (eshacloudqa.com) indicates a broad-spectrum spray-and-pray approach utilizing automated exploitation of the CVEs listed below.
Geographic Concentration:
- Primary: Japan (JP), United States (US), Italy (IT)
- Secondary: Great Britain (GB), Tunisia (TN), Mexico (MX)
Victim Profile:
Targets range from mid-market brick-and-mortar retailers transitioning to e-commerce ($10M - $50M revenue) to specialized manufacturing entities. The victim eshacloudqa.com suggests attacks on QA environments, which are often less secure than production, acting as a beachhead.
Posting Frequency & Escalation: Stormous posted a high volume of updates on 2026-06-28, including re-postings of previous victims (maglificioliliana, lorenzoni-store) with "FULL DATA DUMP FREE PART1" tags. This escalation to free releases indicates failed negotiations and an attempt to maintain leverage.
CVE Correlation: The presence of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-50751 (Check Point) in the CISA KEV list directly correlates with the rapid compromise of disparate global entities. The technology and manufacturing victims were likely accessed via ScreenConnect (common in managed IT support), while the energy sector victim may have been compromised via the Check Point VPN vulnerability.
Detection Engineering
Sigma Rules
---
title: Potential ScreenConnect Auth Bypass (CVE-2024-1708)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability leading to authentication bypass.
status: experimental
author: Security Arsenal Intel
date: 2026/06/29
tags:
  - attack.initial_access
  - cve.2024.1708
logsource:
  category: webserver   # generic Sigma web server log source (covers nginx, IIS and Apache access logs)
detection:
  selection:
    cs-uri-query|contains:
      - 'Unauthorized'
      - '..%2f'
      - 'Authorization'
    sc-status:
      - 200
      - 500
  filter:
    cs-uri-query|contains: '正常的登录请求' # Placeholder value: replace with a known-benign query pattern from your own environment
  condition: selection and not filter
falsepositives:
  - Legitimate administrative access errors
level: critical
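To show how the rule above behaves on log records, here is an added Python example (not part of the original report) that applies the same selection / filter logic to constructed IIS-style access log lines. It implements only the Sigma features this rule uses (`contains` with list OR semantics, exact match on `sc-status`, and `selection and not filter`); the sample lines and the `RULE` dictionary are assumptions that mirror the rule's fields and values.

```python
# Constructed IIS-style access log lines (not real traffic):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-06-29 08:00:01 GET /Login.aspx - 200
2026-06-29 08:00:05 GET /Admin.aspx ..%2f..%2fUnauthorized 200
2026-06-29 08:00:09 GET /Admin.aspx redirect=Authorization 500
2026-06-29 08:00:12 GET /Login.aspx Authorization=正常的登录请求 200
2026-06-29 08:00:15 GET /Script.ashx ..%2f 404
"""

# The Sigma rule above, expressed as a dict with the same fields and values
RULE = {
    "selection": {
        "cs-uri-query|contains": ["Unauthorized", "..%2f", "Authorization"],
        "sc-status": [200, 500],
    },
    "filter": {"cs-uri-query|contains": "正常的登录请求"},
    "condition": "selection and not filter",
}

def parse_line(line):
    """Split one space-delimited W3C-style line into a field dict."""
    _date, _time, method, stem, query, status = line.split()
    return {"cs-method": method, "cs-uri-stem": stem,
            "cs-uri-query": query, "sc-status": int(status)}

def field_matches(record, key, expected):
    """Evaluate one 'field|modifier: value(s)' pair; a list of values is OR'd."""
    field, _, modifier = key.partition("|")
    values = expected if isinstance(expected, list) else [expected]
    actual = record.get(field)
    if actual is None:
        return False
    if modifier == "contains":  # Sigma string matching is case-insensitive
        return any(str(v).lower() in str(actual).lower() for v in values)
    return actual in values  # exact match, e.g. sc-status

def block_matches(record, block):
    """Every field pair inside one named selection must match (AND)."""
    return all(field_matches(record, k, v) for k, v in block.items())

def evaluate(rule, record):
    """Only the condition this rule uses, 'selection and not filter', is supported."""
    return block_matches(record, rule["selection"]) and not block_matches(record, rule["filter"])

def matching_lines(rule, log_text):
    """Return the raw log lines that fire the rule."""
    return [ln for ln in log_text.splitlines() if evaluate(rule, parse_line(ln))]
```

Run against the sample, the two `/Admin.aspx` requests fire, the request carrying the benign placeholder is suppressed by the filter, and the 404 is ignored because its status is not in the selection list.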
---
title: Check Point VPN IKEv1 Anomaly (CVE-2026-50751)
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects suspicious IKEv1 key exchange patterns indicative of the Check Point Security Gateway improper authentication vulnerability exploitation.
status: experimental
author: Security Arsenal Intel
date: 2026/06/29
tags:
  - attack.initial_access
  - cve.2026.50751
logsource:
  product: firewall
detection:
  selection:
    protocol|contains: 'IKE'
    dst_port: 500
    action: 'accept'
  selection2:
    payload|contains:
      - 'Main Mode'
      - 'Aggressive Mode'
  timeframe: 1m
  condition: selection and selection2 | count() > 50
falsepositives:
  - High volume legitimate VPN re-keying
level: high
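An added Python example (not from the original report) that implements the rule's 1-minute `count() > 50` aggregation as a sliding window over constructed firewall records. Grouping the count per source address is an assumption added here, since the Sigma rule as written counts all matching events globally.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                 # from the rule: count() > 50
WINDOW = timedelta(minutes=1)  # from the rule: timeframe: 1m

def make_events():
    """Constructed firewall records (not real logs):
    (timestamp, src_ip, protocol, dst_port, action, payload)."""
    base = datetime(2026, 6, 29, 9, 0, 0)
    events = []
    # 60 IKE Main Mode accepts from one address within 30 seconds: exceeds the threshold
    for i in range(60):
        events.append((base + timedelta(seconds=i // 2), "203.0.113.10", "IKE", 500, "accept", "Main Mode"))
    # 40 accepted re-keys spread over four minutes from another address: normal volume
    for i in range(40):
        events.append((base + timedelta(seconds=i * 6), "198.51.100.7", "IKE", 500, "accept", "Aggressive Mode"))
    # unrelated traffic that must not be counted
    events.append((base, "192.0.2.5", "TCP", 443, "accept", "TLS"))
    return events

def in_scope(ev):
    """selection AND selection2 from the rule, applied to one record."""
    _ts, _src, proto, dport, action, payload = ev
    return ("IKE" in proto and dport == 500 and action == "accept"
            and any(m in payload for m in ("Main Mode", "Aggressive Mode")))

def detect_ike_bursts(events):
    """Return the source addresses that produce more than THRESHOLD in-scope
    records inside any sliding WINDOW (the rule's '| count() > 50' over 1m)."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = set()
    for ev in sorted(events, key=lambda e: e[0]):
        if not in_scope(ev):
            continue
        ts, src = ev[0], ev[1]
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= WINDOW:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.add(src)
    return alerts
```

The burst source is reported once it crosses 51 matching records within a minute; the slow re-keying source never holds more than a handful of records in its window and stays silent, which is the legitimate re-keying false positive the rule's `falsepositives` entry refers to.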
---
title: Ransomware Data Staging via PowerShell
description: Detects PowerShell scripts often used for data staging prior to exfiltration, consistent with Stormous TTPs.
status: experimental
author: Security Arsenal Intel
date: 2026/06/29
tags:
  - attack.collection
  - attack.exfiltration
logsource:
  product: windows
  service: security   # Event ID 4688 requires "Audit Process Creation" with command-line logging enabled
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\powershell.exe'
  selection_cmd:
    CommandLine|contains:
      - 'Compress-Archive'
      - 'Copy-Item'
      - '-Recurse'
  selection_path:
    CommandLine|contains:
      - 'C:\Windows\Temp'
      - 'ProgramData'
  condition: selection and selection_cmd and selection_path
falsepositives:
  - System administration tasks
level: medium
Microsoft Sentinel (KQL) — Lateral Movement Hunt
let ProcList = dynamic(["psexec.exe", "wmic.exe", "wmi.exe", "powershell.exe"]);
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ (ProcList)
| where ProcessCommandLine has "-credential" or ProcessCommandLine has "invoke"
| summarize count() by DeviceName, AccountName, FileName, ProcessCommandLine
| where count_ > 5
| order by count_ desc
PowerShell — Rapid Response Hardening
# Rapid Response: Audit Shadow Copy Manipulation & Scheduled Tasks
$Cutoff = (Get-Date).AddHours(-24)
Write-Host "Checking for recent Shadow Copy deletions (vssadmin/wbadmin in process creation events)..." -ForegroundColor Yellow
# VSS itself does not log deletions; hunt Security 4688 (needs command-line auditing enabled) for vssadmin/wbadmin instead
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$Cutoff} -ErrorAction SilentlyContinue | Where-Object {$_.Message -match '(?i)(vssadmin|wbadmin)\.exe' -and $_.Message -match '(?i)delete'} | Select-Object TimeCreated, Message
Write-Host "Enumerating Scheduled Tasks created in last 24 hours..." -ForegroundColor Cyan
# ScheduledTask.Date is a string and may be empty, so cast it before comparing
Get-ScheduledTask | Where-Object {$_.Date -and ([datetime]$_.Date) -gt $Cutoff} | Select-Object TaskName, TaskPath, Date, Author
Write-Host "Checking for unusual RDP logins (Event ID 4624 with Type 10)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$Cutoff} -ErrorAction SilentlyContinue | Where-Object {$_.Message -match 'Logon Type:\s*10'} | Select-Object TimeCreated, Id, Message
Incident Response Priorities
T-Minus Detection Checklist:
- ScreenConnect Logs: Immediate review of web server logs for Authorization header bypass attempts or path traversal strings (..%2f).
- VPN Audit: Check Point firewalls for spikes in IKEv1 negotiation failures or successful authentications from unusual geolocations (JP/TN/IT correlation).
- Process Tree: Hunt for powershell.exe spawning rclone or 7z (7-Zip) for data exfiltration.
Critical Assets at Risk:
- Customer databases (PII) associated with the retail victims.
- Intellectual property / CAD files in the manufacturing sector (Higuchi).
- SCADA interface logs for the Energy sector (EOGB).
Containment Actions:
- Isolate: Disconnect internet-facing VPN concentrators and ScreenConnect servers immediately if patches for CVE-2024-1708 and CVE-2026-50751 are not verified.
- Block: Network segmentation blocking SMB (445) and RDP (3389) from server to server segments.
- Suspend: Suspend active accounts belonging to IT administrators for the victim organizations listed in the leak site.
Hardening Recommendations
Immediate (24h):
- Patch: Apply the out-of-band patch for ConnectWise ScreenConnect (CVE-2024-1708) immediately on all ScreenConnect instances.
- Configure: Enforce MFA on all VPN connections, specifically targeting Check Point Gateways.
- Access Control: Revoke local administrator rights for all service accounts associated with e-commerce platforms identified in the victim list.
Short-term (2 weeks):
- Network Architecture: Implement a Zero Trust architecture for remote access tools; ensure ScreenConnect is only accessible via a bastion host or VPN.
- EDR Tuning: Update EDR policies to flag unsigned binaries interacting with vssadmin.exe or wbadmin.exe.
- Backup Verification: Validate offline backups are immutable and test restoration procedures for the specific retail platforms targeted.