How Storm-2949 turned a compromised identity into a cloud-wide breach
Strategic Summary
Storm-2949 used a single compromised identity to escalate into a cloud-wide breach, demonstrating how quickly initial access can expand when controls are missing. The attackers exploited weak network restrictions and misconfigured Azure Storage to move laterally and exfiltrate data. Microsoft advises hardened configurations, continuous monitoring, and strict policies to prevent such attacks.
Key Findings
- A compromised identity served as the entry point for Storm-2949, leading to a full cloud compromise through lateral movement.
- Insufficient firewall rules and overly permissive access controls allowed attackers to access resources from untrusted networks.
- Lack of continuous policy enforcement and monitoring enabled privilege escalation and prolonged undetected activity.
- Misconfigurations in Azure Storage security, such as inadequate data protection, facilitated data exfiltration.
- The incident underscores the necessity of identity protection, network segmentation, and proactive cloud security measures.
Full Text
Microsoft Threat Intelligence has been tracking Storm-2949, a financially motivated actor that has pivoted in the last quarter from opportunistic phishing toward targeted hands-on-keyboard intrusions inside Azure tenants. In every case observed so far, the initial access path was a single user identity compromised through MFA fatigue or token theft via an Adversary-in-the-Middle (AiTM) proxy.
Once inside, Storm-2949 enumerates the tenant using legitimate Microsoft Graph endpoints. The actor consistently avoids running custom binaries on managed endpoints; instead, it lives in the control plane: Azure CLI, Azure PowerShell, and direct REST calls from compromised browser sessions. This shifts detection responsibility from EDR onto identity and cloud telemetry.
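Because the activity happens in the control plane, the evidence is in Azure Activity Log records rather than on an endpoint. The following is an added example, not code from the Microsoft report: it runs a simple baseline check over constructed Activity Log entries (field names follow the Activity Log schema: operationName.value, caller, httpRequest.clientIpAddress, resourceId) and flags storage-key reads by identities that have no baseline for such reads, reads from outside the identity's expected networks, and one identity reading keys of several storage accounts. The callers, IP ranges and resource IDs are all constructed sample values.

```python
"""Flag suspicious storage-account key reads in Azure Activity Log records.

Added example (not part of the original report). The log records and the
per-caller network baseline below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/"

# Control-plane operations that hand out or rotate storage account keys.
KEY_READ_OPS = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
}

# Constructed records shaped like Azure Activity Log entries.
ACTIVITY_LOG = [
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "caller": "app-billing@contoso.example",
     "httpRequest": {"clientIpAddress": "10.20.0.15"},
     "resourceId": RG + "stlegacy01", "status": {"value": "Succeeded"}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/read"},
     "caller": "jdoe@contoso.example",
     "httpRequest": {"clientIpAddress": "10.20.1.4"},
     "resourceId": RG + "stlegacy01", "status": {"value": "Succeeded"}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "caller": "jdoe@contoso.example",
     "httpRequest": {"clientIpAddress": "198.51.100.7"},
     "resourceId": RG + "stlegacy01", "status": {"value": "Succeeded"}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "caller": "jdoe@contoso.example",
     "httpRequest": {"clientIpAddress": "198.51.100.7"},
     "resourceId": RG + "stprojects02", "status": {"value": "Succeeded"}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "caller": "svc-unknown@contoso.example",
     "httpRequest": {"clientIpAddress": "198.51.100.7"},
     "resourceId": RG + "stprojects02", "status": {"value": "Succeeded"}},
]

# Constructed baseline: the networks each identity is expected to read keys from.
EXPECTED_NETWORKS = {
    "app-billing@contoso.example": ["10.20.0.0/16"],
    "jdoe@contoso.example": ["10.20.0.0/16", "203.0.113.0/24"],
}


def _in_baseline(ip, networks):
    """True if ip falls inside any of the baseline CIDR ranges."""
    if not ip:
        return False
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in networks)


def flag_key_reads(records, expected_networks):
    """Return one finding per key-read record that deviates from the baseline."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "")
        if op not in KEY_READ_OPS:
            continue
        caller = rec.get("caller", "")
        ip = rec.get("httpRequest", {}).get("clientIpAddress")
        account = rec.get("resourceId", "").rsplit("/", 1)[-1]
        if caller not in expected_networks:
            reason = "caller has no baseline for key reads"
        elif not _in_baseline(ip, expected_networks[caller]):
            reason = f"source IP {ip} outside baseline networks"
        else:
            continue
        findings.append({"caller": caller, "ip": ip, "account": account,
                         "operation": op, "reason": reason})
    return findings


def key_read_fanout(records):
    """Map each caller to the number of distinct storage accounts whose keys it read.

    A single identity touching the keys of many accounts is the enumeration
    pattern described in the report, regardless of where it came from.
    """
    seen = defaultdict(set)
    for rec in records:
        if rec.get("operationName", {}).get("value", "") in KEY_READ_OPS:
            account = rec.get("resourceId", "").rsplit("/", 1)[-1]
            seen[rec.get("caller", "")].add(account)
    return {caller: len(accounts) for caller, accounts in seen.items()}


if __name__ == "__main__":
    for f in flag_key_reads(ACTIVITY_LOG, EXPECTED_NETWORKS):
        print(f"{f['caller']:30} {f['account']:14} {f['reason']}")
    print(key_read_fanout(ACTIVITY_LOG))
```

In production the baseline would come from weeks of historical sign-in and Activity Log data rather than a hand-written dictionary, and the fan-out count would be evaluated over a sliding time window.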
Lateral movement in two recently investigated incidents used storage account keys that had been generated for legacy applications and never rotated. With those keys, the actor copied gigabytes of project data into attacker-controlled storage in another tenant. Network restrictions on the source storage accounts were either missing or set to 'AllNetworks', which made egress trivial.
Microsoft recommends that defenders prioritize three controls in this order: enforce phishing-resistant MFA for all human identities, disable shared-key authorization on storage accounts and migrate consumers to managed identities, and gate sensitive accounts behind Conditional Access policies that require compliant devices.