Microsoft Unveils Storm-2949 Cyberattack, Compromising Cloud Infrastructure and Sensitive Data


Microsoft Threat Intelligence has published details of an intrusion it attributes to a threat actor tracked as Storm-2949. The incident escalated from a targeted identity compromise into a broad takeover of cloud infrastructure and sensitive enterprise systems, with data theft from Microsoft 365 services, Azure-hosted production environments, and cloud storage as the primary objective. It illustrates how much of an organization's cloud estate a handful of compromised identities can expose.

Two-Stage Attack Unfolding

According to Microsoft, the attack unfolded in two main phases: an initial identity compromise, followed by a more extensive takeover of cloud infrastructure. Rather than relying on malware or conventional on-premises techniques, the attackers abused legitimate cloud administration tools and Azure management-plane features, which let them blend into normal operational activity while reaching high-value systems.

Exploitation of MFA Reset Processes

The attackers first social-engineered employees around Microsoft Entra ID's Self-Service Password Reset (SSPR) flow. Investigators believe Storm-2949 impersonated internal IT support staff and persuaded victims to approve the multifactor authentication (MFA) prompts that a reset generates, under the pretext of routine account verification or a password reset.

Once a targeted user approved the prompts, the attackers reset the account password and removed the existing authentication methods, including phone numbers, email addresses, and Microsoft Authenticator registrations. This neutralized MFA for the account and locked the legitimate user out. The attackers then registered Microsoft Authenticator on devices they controlled, giving them persistent control of the compromised accounts.

Microsoft reported that this process was repeated against multiple employees, including IT staff and senior leadership, indicating a deliberate targeting of users with elevated access privileges.
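The reset, wipe and re-register sequence described above leaves a recognizable trail in the tenant's audit log, and it is worth hunting for it across all users rather than waiting for a lockout ticket. The following is an added example, not code from Microsoft's report or the victim's environment: it groups constructed, simplified audit records (fields `user`, `activity`, `ts`, `ip`) by user and flags any account where a self-service password reset is followed within a short window by deletion of existing MFA methods and registration of a new one. The activity strings are modelled on Microsoft Entra audit-log activity names and the 30-minute window is an assumption; map both to your tenant before relying on it.

```python
"""Flag the SSPR-driven account takeover described above in Entra-style audit events.

Added example, not code from Microsoft's report. The records are constructed and use
a simplified schema (user, activity, ts, ip). The activity strings are modelled on
Microsoft Entra audit-log activity names; treat them as an assumption and map your
tenant's exact names before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET = "Reset password (self-service)"
METHOD_DELETED = "User deleted security info"
METHOD_REGISTERED = "User registered security info"
WINDOW = timedelta(minutes=30)  # assumption: how quickly reset, wipe and re-register complete


def _when(e):
    return datetime.fromisoformat(e["ts"])


def find_takeovers(events, window=WINDOW):
    """Return one finding per user whose trail shows an SSPR reset followed, within
    `window`, by at least one MFA method deletion and a new method registration.
    A reset alone, or a method swap with no reset, does not match."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_when)
        for anchor in evs:
            if anchor["activity"] != PASSWORD_RESET:
                continue
            t0 = _when(anchor)
            cluster = [e for e in evs if t0 <= _when(e) <= t0 + window]
            deleted = sum(e["activity"] == METHOD_DELETED for e in cluster)
            registered = sum(e["activity"] == METHOD_REGISTERED for e in cluster)
            if deleted and registered:
                findings.append({
                    "user": user,
                    "reset_at": anchor["ts"],
                    "deleted_methods": deleted,
                    "registered_methods": registered,
                    "ips": sorted({e["ip"] for e in cluster}),  # compare against the user's usual IPs
                })
                break  # one finding per user is enough to open a case
    return findings


# Constructed sample: alice matches the full sequence, bob only reset a password,
# carol swapped a method without any reset.
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "activity": PASSWORD_RESET, "ts": "2025-01-14T09:02:10", "ip": "203.0.113.45"},
    {"user": "alice@contoso.example", "activity": METHOD_DELETED, "ts": "2025-01-14T09:03:40", "ip": "203.0.113.45"},
    {"user": "alice@contoso.example", "activity": METHOD_DELETED, "ts": "2025-01-14T09:04:05", "ip": "203.0.113.45"},
    {"user": "alice@contoso.example", "activity": METHOD_REGISTERED, "ts": "2025-01-14T09:06:30", "ip": "203.0.113.45"},
    {"user": "bob@contoso.example", "activity": PASSWORD_RESET, "ts": "2025-01-14T11:15:00", "ip": "198.51.100.7"},
    {"user": "carol@contoso.example", "activity": METHOD_DELETED, "ts": "2025-01-14T13:00:00", "ip": "198.51.100.9"},
    {"user": "carol@contoso.example", "activity": METHOD_REGISTERED, "ts": "2025-01-14T13:01:00", "ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for f in find_takeovers(SAMPLE_EVENTS):
        print(f)
```

The check deliberately anchors on the password reset rather than on method changes alone, because users legitimately replace phones and re-enrol Authenticator; it is the combination, compressed into minutes and from an IP the user has never used, that matches the pattern in the report.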

After gaining access, Storm-2949 initiated directory discovery operations using Microsoft Graph API queries executed through a custom Python script. The attackers enumerated users, applications, and service principals within the Microsoft Entra ID tenant to identify privileged accounts and map potential paths for expanding access.

Expansion into Microsoft 365 Services

The campaign quickly expanded into Microsoft 365 services such as OneDrive and SharePoint. The attackers focused particularly on sensitive IT-related documents involving VPN configurations and remote access procedures, suggesting they were searching for methods to move laterally into other environments.

In one notable instance, Storm-2949 utilized the OneDrive web interface to download thousands of files in a single operation. Similar exfiltration activities occurred across multiple compromised accounts, likely due to each user account having access to different shared folders and repositories.

Targeting Azure Key Vaults and SQL Servers

With several compromised identities under their control, the attackers shifted their focus to Azure subscriptions linked to the organization’s production environment. The compromised accounts reportedly possessed privileged custom Azure role-based access control (RBAC) permissions, allowing broader access to Azure services and infrastructure.

Microsoft indicated that the attackers targeted Azure App Services, Key Vaults, Storage accounts, SQL databases, and virtual machines. One of their primary objectives involved compromising a production Azure App Service web application that contained sensitive data.

After several unsuccessful attempts to reach the primary application directly, blocked by network and gateway restrictions, the attackers pivoted to secondary applications in the same ecosystem, including authentication services and internal APIs. Using their privileged Azure RBAC permissions, they invoked the "microsoft.Web/sites/publishxml/action" management-plane operation to retrieve publishing profiles, which contain deployment credentials for FTP, Web Deploy, and the Kudu management console. Those credentials are basic-authentication secrets that the deployment endpoints accept directly, so anyone able to read the profile can deploy to or administer the app; because the read is a management-plane call, it also leaves an Azure Activity Log entry.

Kudu, an administrative interface for Azure App Services, enabled the attackers to inspect environment variables, browse application files, and execute commands within compromised applications. However, Microsoft noted that these secondary services did not provide the level of access or sensitive information the attackers ultimately sought.

Storm-2949 then turned to Azure Key Vault. One compromised account held the Owner role over a Key Vault believed to hold credentials for the primary production application; Owner on a vault is enough to grant oneself data-plane access by editing its access policy or role assignments. Within a four-minute window the attackers changed the vault's access settings and read dozens of secrets, including database connection strings and identity credentials.

Microsoft believes these secrets ultimately enabled access to the main production web application. After successfully authenticating, the attackers changed the application password to maintain control and began exfiltrating sensitive data.

The campaign also hit Azure SQL servers and Storage accounts. To reach the SQL infrastructure, the attackers added server firewall rules through the "microsoft.sql/servers/firewallrules/write" operation, then connected with credentials taken from the compromised Key Vault. Once exfiltration was complete they deleted the rules they had added, which Microsoft describes as a defense-evasion tactic; both the write and the delete remain in the subscription's Activity Log even after the rule is gone.

Similarly, the attackers changed Azure Storage account network settings through the "microsoft.storage/storageaccounts/write" operation so that the accounts accepted traffic from attacker-controlled IP addresses. They also called "microsoft.Storage/storageAccounts/listkeys/action" to retrieve the storage account access keys, which in turn can be used to mint Shared Access Signature (SAS) tokens.

Using a custom Python script built on the Azure Storage SDK, Storm-2949 downloaded large volumes of data directly from the Storage accounts over several days. Microsoft reported that the attackers alternated between OAuth (Entra ID token) authentication and secret-based (account key or SAS) authentication as defenders adjusted their controls.

Weaponization of Cloud Management Features

Virtual machines were also targeted. The attackers abused Azure VM management features, the VMAccess extension and Run Command, to obtain administrator-level access on compromised systems; deploying VMAccess let them create new local administrator accounts on the targeted VMs.
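Every step from the publishing-profile read through the SQL firewall changes, the storage reconfiguration and key listing, and the VM extension deployment is a management-plane operation, and each one is recorded in the subscription's Activity Log regardless of what the attacker later cleans up in the data plane. The following is an added example that is not Microsoft's detection logic or the victim's code: it runs over constructed, flattened Activity Log-style records (`time`, `operationName`, `caller`, `callerIpAddress`, `resourceId`; real exports nest some of these fields) and flags the operations named in this article, including the "open a firewall rule, use it, delete it" pairing and the "reconfigure storage networking, then list keys" pairing. The six-hour pairing window and the sample identities and resource names are assumptions.

```python
"""Flag the Azure management-plane abuse sequence described above.

Added example, not Microsoft's detection logic. The events are constructed and use
a flattened schema (time, operationName, caller, callerIpAddress, resourceId);
real Azure Activity Log exports nest some of these fields, so adapt the accessors.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names from the report. Azure treats them case-insensitively, so compare lowercased.
CRED_RETRIEVAL = {
    "microsoft.web/sites/publishxml/action",              # publishing profile: FTP, Web Deploy, Kudu credentials
    "microsoft.storage/storageaccounts/listkeys/action",  # storage account access keys
}
VM_EXEC = {
    "microsoft.compute/virtualmachines/extensions/write",  # e.g. the VMAccess extension
    "microsoft.compute/virtualmachines/runcommand/action",
}
SQL_FW_WRITE = "microsoft.sql/servers/firewallrules/write"
SQL_FW_DELETE = "microsoft.sql/servers/firewallrules/delete"
STORAGE_WRITE = "microsoft.storage/storageaccounts/write"  # includes network-rule changes
STORAGE_LISTKEYS = "microsoft.storage/storageaccounts/listkeys/action"
WINDOW = timedelta(hours=6)  # assumption: how long an open-use-close sequence may span


def _when(e):
    return datetime.fromisoformat(e["time"])


def _op(e):
    return e["operationName"].lower()


def owner_resource(resource_id):
    """Drop a trailing /firewallRules/<name> so a rule's write and delete group with their server."""
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    if "firewallrules" in lowered:
        parts = parts[: lowered.index("firewallrules")]
    return "/".join(parts).lower()


def _followed_by(events, first_op, second_op, window):
    """Yield (first, second) pairs where the same caller ran second_op on the same
    owner resource within `window` after first_op. `events` must be time-sorted."""
    firsts = defaultdict(list)
    for e in events:
        if _op(e) == first_op:
            firsts[(e["caller"], owner_resource(e["resourceId"]))].append(e)
    for e in events:
        if _op(e) != second_op:
            continue
        for f in firsts.get((e["caller"], owner_resource(e["resourceId"])), []):
            if timedelta(0) <= _when(e) - _when(f) <= window:
                yield f, e
                break


def detect(events, window=WINDOW):
    """Return findings as dicts with kind, caller, ip, resource and time."""
    events = sorted(events, key=_when)
    findings = []

    def add(kind, e, resource=None):
        findings.append({"kind": kind, "caller": e["caller"], "ip": e["callerIpAddress"],
                         "resource": resource or e["resourceId"], "time": e["time"]})

    for e in events:
        if _op(e) in CRED_RETRIEVAL:
            add("credential_retrieval", e)
        elif _op(e) in VM_EXEC:
            add("vm_exec_via_management_plane", e)
    # Firewall rule written then deleted by the same caller: the cleanup the report calls defense evasion.
    for w, d in _followed_by(events, SQL_FW_WRITE, SQL_FW_DELETE, window):
        add("sql_firewall_opened_then_removed", d, owner_resource(w["resourceId"]))
    # Storage account reconfigured (network rules) and its keys listed shortly afterwards.
    for _w, k in _followed_by(events, STORAGE_WRITE, STORAGE_LISTKEYS, window):
        add("storage_reconfigured_then_keys_listed", k)
    return findings


def tactics_by_caller(findings):
    """Map each caller to the set of finding kinds; one identity spanning several is the strongest signal."""
    out = defaultdict(set)
    for f in findings:
        out[f["caller"]].add(f["kind"])
    return dict(out)


_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"
_ADMIN, _ADMIN_IP = "it-admin@contoso.example", "203.0.113.45"  # constructed compromised identity


def _ev(time, op, rid, caller=_ADMIN, ip=_ADMIN_IP):
    return {"time": time, "operationName": op, "caller": caller, "callerIpAddress": ip, "resourceId": rid}


SAMPLE_EVENTS = [  # constructed, mirroring the order of operations in the report
    _ev("2025-01-15T02:10:00", "microsoft.Web/sites/publishxml/action", f"{_RG}/Microsoft.Web/sites/auth-api"),
    _ev("2025-01-15T02:40:00", "microsoft.sql/servers/firewallrules/write", f"{_RG}/Microsoft.Sql/servers/prod-sql/firewallRules/ClientIp_1"),
    _ev("2025-01-15T03:55:00", "microsoft.sql/servers/firewallrules/delete", f"{_RG}/Microsoft.Sql/servers/prod-sql/firewallRules/ClientIp_1"),
    _ev("2025-01-15T04:00:00", "microsoft.storage/storageaccounts/write", f"{_RG}/Microsoft.Storage/storageAccounts/prodstore01"),
    _ev("2025-01-15T04:02:00", "microsoft.Storage/storageAccounts/listkeys/action", f"{_RG}/Microsoft.Storage/storageAccounts/prodstore01"),
    _ev("2025-01-15T05:00:00", "Microsoft.Compute/virtualMachines/extensions/write", f"{_RG}/Microsoft.Compute/virtualMachines/app-vm-01/extensions/VMAccess"),
    # Routine change by another admin: rule added and left in place, so no pairing fires.
    _ev("2025-01-15T09:00:00", "microsoft.sql/servers/firewallrules/write", f"{_RG}/Microsoft.Sql/servers/prod-sql/firewallRules/Office",
        caller="dba@contoso.example", ip="198.51.100.20"),
]

if __name__ == "__main__":
    for caller, kinds in tactics_by_caller(detect(SAMPLE_EVENTS)).items():
        print(caller, sorted(kinds))
```

Individually, each of these operations is something an administrator does on a normal day, which is why the report stresses that the actor blended in; the signal is one identity performing credential retrieval, firewall open-and-close, storage reconfiguration and VM extension writes within hours, so the caller-level roll-up is the view to alert on.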

The attackers attempted to exploit managed identities assigned to virtual machines by requesting access tokens from the Azure Instance Metadata Service (IMDS). They then tried using those tokens to access production-related Key Vaults, but these attempts failed due to insufficient permissions.

Additional Run Command activity involved deploying PowerShell scripts designed to disable Microsoft Defender Antivirus protections, including real-time monitoring and behavior-based detection. The scripts also attempted to interfere with security services, clear Windows event logs, erase command histories, and remove temporary files to reduce forensic visibility.

Microsoft reported that the attackers installed ScreenConnect remote management software from infrastructure under their control, disguising the installation to resemble legitimate Windows software updates. The malicious service was renamed to mimic authentic Windows components in an effort to avoid detection.

The attackers later used ScreenConnect to perform reconnaissance activities across compromised systems, including collecting host configuration data, enumerating users and groups, searching for exposed credentials, and exfiltrating .pfx certificate files that may have contained private keys useful for future access.

Despite extensive activity on endpoint systems, investigators found limited evidence that Storm-2949 successfully obtained high-value endpoint data. Microsoft stated that the endpoint compromises primarily served operational purposes such as credential harvesting, reconnaissance, and expanding access throughout the victim’s environment.

Throughout the intrusion, Microsoft Defender generated multiple alerts that enabled analysts to correlate cloud, identity, and endpoint telemetry into a unified investigation. Microsoft emphasized that the incident illustrates the growing importance of integrated detection and response capabilities as attackers increasingly target cloud identities and management planes rather than relying solely on traditional endpoint-focused attacks.

Source: thecyberexpress.com
