Storm-2949 used stolen credentials in cloud breach
- Microsoft said on May 18 that Storm-2949 turned a compromised cloud identity into a broad Microsoft 365 and Azure breach without malware. (microsoft.com)
- The most telling detail was Microsoft's description of "control-plane and data-plane access" used to reach Key Vaults, storage accounts and virtual machines. (microsoft.com)
- Microsoft's May 18 security blog includes indicators of compromise, detections and mitigation guidance for defenders tracking Storm-2949 activity. (microsoft.com)
Microsoft disclosed on May 18 that a threat actor it tracks as Storm-2949 used a compromised cloud identity to expand into Microsoft 365 and Azure environments and steal data without relying on traditional malware. The company said the campaign moved from an initial account takeover into a broader breach of SaaS, PaaS and IaaS resources inside a victim organization's tenant. (microsoft.com)

Microsoft said the actor used legitimate cloud management features and administrative workflows rather than custom malicious code to blend into normal activity. A May 22 social-media thread from GurusDirect pointed readers to the case and highlighted incident indicators tied to the activity.

### How did Storm-2949 get in without deploying malware?

Microsoft said the intrusion began with targeted social engineering against Microsoft Entra ID users, followed by abuse of Self-Service Password Reset (SSPR) workflows. (microsoft.com) According to Microsoft's account, the actor obtained access to victim identities and then used that access to reset passwords, register new authentication methods and maintain control of the accounts.

Microsoft said the campaign did not depend on "traditional malware and other on-premises" tactics. Instead, the actor used trusted Microsoft cloud features to gain administrative reach across the tenant, an approach that leaves few obvious endpoint indicators. (microsoft.com)

### What did the attackers do once they controlled an identity?

Microsoft said Storm-2949 first used compromised accounts to enumerate users, roles, applications and service principals through Microsoft Graph API activity and custom tooling. The company said the actor then searched Microsoft 365 services, including OneDrive and SharePoint, for files that could reveal remote-access paths, IT procedures and other operational details.
(socprime.com) In one example cited in reporting that summarized Microsoft's findings, the actor used the OneDrive web interface to download thousands of files in a single action. Microsoft said the same pattern was repeated across multiple compromised identities, each of which exposed different folders and shared directories. (microsoft.com)

### How did the breach spread from Microsoft 365 into Azure?

Microsoft said privileged Azure role-based access control (RBAC) permissions let Storm-2949 move from identity compromise into Azure management-plane actions. The company said the actor reached Azure App Services, Key Vaults, storage accounts and SQL databases after obtaining those privileges. (socprime.com)

Microsoft's account said the actor retrieved publishing profiles from App Services, extracted secrets from Key Vaults, manipulated storage access, and changed SQL firewall rules to enable unauthorized access. The company also said the actor used the VMAccess extension on Azure virtual machines to create local administrator accounts, extending the breach into infrastructure resources. (malware.news)

### Did the campaign stay malware-free the whole time?

Microsoft said the initial cloud expansion and data theft did not rely on malware, but later stages included remote-access activity on virtual machines. Microsoft said the actor remotely executed code on VMs and, in later intrusion stages, installed ScreenConnect to support additional reconnaissance and credential theft. (socprime.com)

SOC Prime, summarizing Microsoft's research, said the later ScreenConnect deployment followed the earlier identity-driven takeover and cloud-resource access. That sequencing matters because the first signs of compromise appear in identity, audit and control-plane logs before any software is dropped on a machine. (socprime.com)

### What should defenders look for now?
Microsoft said the useful signals include password-reset activity tied to MFA approval, changes to authentication methods, Graph API discovery, unusual OneDrive or SharePoint downloads, and Azure administrative actions touching Key Vaults, storage, SQL and virtual machines. The company published indicators of compromise, Microsoft Defender XDR detections and mitigation steps in its May 18 research post. (microsoft.com)

GurusDirect's May 22 thread pointed readers to examples and indicators associated with Storm-2949 activity. Microsoft's security blog remains the primary public source for the attack chain, detections and mitigation guidance that defenders can review now. (microsoft.com) (socprime.com)
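The signals listed above, and the Azure control-plane actions described in the "How did the breach spread" section, can be correlated across three log sources. The following Python sketch is an added example and is not Microsoft's published detection logic or anything from the original article. It runs over constructed log records in a simplified JSON-lines shape: the `source`, `activity`, `operation`, `caller` and `resource` field names, the SSPR activity strings, and the idea of folding Key Vault secret reads (which really land in Key Vault diagnostic logs, not the Azure Activity Log) into one "control plane" stream are all assumptions made for the example; the Azure operation names in `SUSPECT_ARM_OPS` are real resource-provider operations. The example goes slightly beyond the text by chaining the three stages so that only identities that show the full sequence are reported.

```python
"""Correlate SSPR abuse, bulk OneDrive downloads and Azure control-plane
actions per identity. Added example; log records are constructed and the
field names are assumptions, not any product's documented schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID audit activityDisplayName values (assumed spelling; confirm in your tenant).
SSPR_RESET = "Reset password (self-service)"
REGISTERED_SECURITY_INFO = "User registered security info"

# Real Azure resource-provider operations that map to the actions in the article.
SUSPECT_ARM_OPS = {
    "Microsoft.Web/sites/publishxml/action": "App Service publishing profile retrieved",
    "Microsoft.KeyVault/vaults/secrets/getSecret/action": "Key Vault secret read",
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account keys listed",
    "Microsoft.Sql/servers/firewallRules/write": "SQL firewall rule created or changed",
    "Microsoft.Compute/virtualMachines/extensions/write": "VM extension written (VMAccess adds local admins)",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_events(lines):
    """JSON lines -> list of dicts ordered by ISO-8601 timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["time"])
    return events

def sspr_then_new_method(events, window=timedelta(hours=2)):
    """Users whose self-service reset is followed by new security info within `window`."""
    resets, hits = defaultdict(list), set()
    for e in events:
        if e.get("source") != "entra_audit":
            continue
        if e["activity"] == SSPR_RESET:
            resets[e["user"]].append(_ts(e["time"]))
        elif e["activity"] == REGISTERED_SECURITY_INFO:
            t = _ts(e["time"])
            if any(0 <= (t - r).total_seconds() <= window.total_seconds() for r in resets[e["user"]]):
                hits.add(e["user"])
    return sorted(hits)

def bulk_downloads(events, threshold=500, window=timedelta(minutes=15)):
    """{user: max FileDownloaded records seen in any sliding `window`} where max > threshold."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("source") == "m365_audit" and e.get("operation") == "FileDownloaded":
            per_user[e["user"]].append(_ts(e["time"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > threshold:
            hits[user] = best
    return hits

def control_plane_actions(events):
    """{caller: [(time, label, resource)]} for operations in SUSPECT_ARM_OPS."""
    findings = defaultdict(list)
    for e in events:
        if e.get("source") != "azure_control_plane":
            continue
        label = SUSPECT_ARM_OPS.get(e["operationName"])
        if label:
            findings[e["caller"]].append((e["time"], label, e["resource"]))
    return dict(findings)

def identity_to_cloud_chain(events):
    """Identities showing all three stages: SSPR abuse, bulk download, Azure control-plane actions."""
    return sorted(set(sspr_then_new_method(events)) & set(bulk_downloads(events)) & set(control_plane_actions(events)))

# ---- constructed sample log (not real telemetry) ----
def _download(user, i):
    t = datetime(2025, 5, 10, 8, 30) + timedelta(seconds=i // 2)  # about two files per second
    return json.dumps({"time": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "source": "m365_audit",
                       "operation": "FileDownloaded", "workload": "OneDrive", "user": user})

def _arm(time, op, caller, resource, source="azure_control_plane"):
    return json.dumps({"time": time, "source": source, "operationName": op, "caller": caller, "resource": resource})

JDOE, ASMITH = "jdoe@contoso.example", "asmith@contoso.example"
SAMPLE_LOG = [
    json.dumps({"time": "2025-05-10T08:00:00Z", "source": "entra_audit", "activity": SSPR_RESET, "user": JDOE}),
    json.dumps({"time": "2025-05-10T08:12:00Z", "source": "entra_audit", "activity": REGISTERED_SECURITY_INFO, "user": JDOE}),
    json.dumps({"time": "2025-05-10T08:15:00Z", "source": "entra_audit", "activity": REGISTERED_SECURITY_INFO, "user": ASMITH}),  # benign: no reset first
    *[_download(JDOE, i) for i in range(1200)],
    *[_download(ASMITH, i) for i in range(12)],
    _arm("2025-05-10T09:05:00Z", "Microsoft.Web/sites/publishxml/action", JDOE, "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Web/sites/billing-api"),
    _arm("2025-05-10T09:20:00Z", "Microsoft.Sql/servers/firewallRules/write", JDOE, "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod/firewallRules/AllowAll"),
    _arm("2025-05-10T09:41:00Z", "Microsoft.Compute/virtualMachines/extensions/write", JDOE, "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-jump/extensions/VMAccessAgent"),
    _arm("2025-05-10T09:50:00Z", "Microsoft.Compute/virtualMachines/read", ASMITH, "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-jump"),
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user in identity_to_cloud_chain(evs):
        print(user, bulk_downloads(evs)[user], "downloads;", [f[1] for f in control_plane_actions(evs)[user]])
```

Each stage is a separate function so the individual signals (an SSPR reset followed by a new method, a download burst, a VMAccess extension write) can be alerted on alone at lower confidence, while `identity_to_cloud_chain` reports only identities that show the full sequence Microsoft described.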