A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features.
Microsoft tracks the actor as Storm-2949 and says that the purpose of the attacks is “to exfiltrate as much sensitive data from a target organization’s high-value assets as possible.”
Storm-2949 used social engineering to target users with privileged roles, such as IT personnel or members of senior leadership, and obtain their Microsoft Entra ID credentials to gain access to data in Microsoft 365 applications.
Microsoft believes that the actor abused the Self-Service Password Reset (SSPR) flow, in which an attacker initiates a password reset for a targeted employee’s account and then tricks the victim into approving multi-factor authentication (MFA) prompts.
To make the ruse more convincing, the attacker poses as an IT support employee who urgently needs to verify the account.
The attacker then resets the password, removes the existing MFA controls, and enrolls Microsoft Authenticator on a device they control.
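The reset-then-MFA-change sequence described above leaves a distinctive trail in the Entra ID audit log: a self-service password reset on an account followed within minutes by deletion or registration of security info. The following correlation script is an added example written for this article, not code from Microsoft's report; the events are constructed, the activity names are assumed to follow the audit log's activityDisplayName convention (confirm them against your own tenant), and the privileged-user list is a hard-coded stand-in for a role-assignment lookup.

```python
from datetime import datetime, timedelta

# Constructed sample of Entra ID audit-log style records (not real telemetry).
# Activity names follow the audit log's activityDisplayName convention as an
# assumption; confirm them against your own tenant before deploying.
SAMPLE_AUDIT_EVENTS = [
    {"time": "2024-05-02T09:00:00Z", "activity": "Reset password (self-service)",
     "target": "cfo@example.com", "ip": "203.0.113.7"},
    {"time": "2024-05-02T09:04:00Z", "activity": "User deleted security info",
     "target": "cfo@example.com", "ip": "203.0.113.7"},
    {"time": "2024-05-02T09:06:00Z", "activity": "User registered security info",
     "target": "cfo@example.com", "ip": "203.0.113.7"},
    # Benign: self-service reset with no MFA change afterwards.
    {"time": "2024-05-02T10:00:00Z", "activity": "Reset password (self-service)",
     "target": "analyst@example.com", "ip": "198.51.100.20"},
    # Benign: MFA registration with no preceding reset (onboarding).
    {"time": "2024-05-02T11:00:00Z", "activity": "User registered security info",
     "target": "newhire@example.com", "ip": "198.51.100.21"},
    # Reset followed by an MFA change, but three and a half hours later.
    {"time": "2024-05-02T12:00:00Z", "activity": "Reset password (self-service)",
     "target": "dev@example.com", "ip": "198.51.100.22"},
    {"time": "2024-05-02T15:30:00Z", "activity": "User registered security info",
     "target": "dev@example.com", "ip": "198.51.100.22"},
]

# Constructed list of accounts holding privileged roles; in practice pull this
# from Entra role assignments rather than hard-coding it.
PRIVILEGED_USERS = {"cfo@example.com", "itadmin@example.com"}

SSPR_ACTIVITY = "Reset password (self-service)"
MFA_CHANGE_ACTIVITIES = {"User deleted security info", "User registered security info"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_sspr_takeover_chains(events, window_minutes=60):
    """Return one finding per self-service reset that is followed, within the
    window, by MFA method deletion or registration on the same account."""
    by_user = {}
    for event in sorted(events, key=lambda e: _ts(e["time"])):
        by_user.setdefault(event["target"], []).append(event)

    findings = []
    for user, user_events in by_user.items():
        for index, event in enumerate(user_events):
            if event["activity"] != SSPR_ACTIVITY:
                continue
            reset_at = _ts(event["time"])
            deadline = reset_at + timedelta(minutes=window_minutes)
            followups = [
                f for f in user_events[index + 1:]
                if f["activity"] in MFA_CHANGE_ACTIVITIES and _ts(f["time"]) <= deadline
            ]
            if not followups:
                continue
            first_change = _ts(followups[0]["time"])
            findings.append({
                "user": user,
                "reset_at": event["time"],
                "reset_ip": event["ip"],
                "mfa_changes": [f["activity"] for f in followups],
                "minutes_to_first_change": int((first_change - reset_at).total_seconds() // 60),
                # MFA removal on a privileged account is the pattern the report describes.
                "severity": "high" if user in PRIVILEGED_USERS else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_sspr_takeover_chains(SAMPLE_AUDIT_EVENTS):
        print(finding)
```

The window is the main tuning knob: an hour catches the social-engineering flow, where the attacker moves quickly while the victim is still on the phone, while a wider window also picks up slower sequences at the cost of more benign resets to review.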
Targeting Microsoft 365 apps
After hijacking the accounts, Storm-2949 used the Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals, and to evaluate the long-term persistence opportunities in each case.
Next, they accessed OneDrive and SharePoint in Microsoft 365, searching for VPN configurations and IT operational files, looking for remote access details that could help with lateral movement from the cloud into the endpoint network.
“In one instance, Storm-2949 used the OneDrive web interface to download thousands of files in a single action to their own infrastructure,” Microsoft says.
“This pattern of data theft was repeated across all compromised user accounts, likely because different identities had access to different folders and shared directories.”
Storm-2949 expanded the attack to the victim’s Azure infrastructure, including virtual machines, storage accounts, key vaults, app services, and SQL databases.
Pivoting to Azure
According to Microsoft, the attacker compromised multiple identities that had privileged custom Azure role-based access control (RBAC) roles on multiple Azure subscriptions.
This allowed them to “uncover and extract the most sensitive assets within the victim’s Azure environment, specifically from production-based Azure subscriptions.”
By leveraging the compromised users' privileged Azure RBAC permissions, Storm-2949 was able to obtain credentials for the FTP, Web Deploy, and Kudu console deployment channels used to manage Azure App Service.
At this point, the actor could browse the file system, check environment variables, and execute commands remotely within the app’s context.
Storm-2949 then pivoted to Azure Key Vaults, where they modified access settings and stole dozens of secrets, including database credentials and connection strings.
The attackers also targeted Azure SQL servers and Storage accounts by changing firewall and network access rules, retrieving storage keys and SAS tokens, and exfiltrating data using custom Python scripts.
Azure VM management features such as VMAccess and Run Command were abused to create rogue administrator accounts, execute remote scripts, and steal credentials.
In the later stages of the attack, Storm-2949 deployed the ScreenConnect remote access tool on compromised systems, attempted to disable Microsoft Defender protections, and tried to wipe forensic evidence.
Source: Microsoft
It should be noted that Microsoft uses Storm as a temporary designation for threat activity that has yet to be classified because it is new, emerging, or developing.
To defend against Storm-2949 attacks, Microsoft recommends following security hardening and best practices that include adopting the principle of least privilege, enabling conditional access policies, adding MFA protection for all users, and ensuring phishing-resistant MFA for users with privileged roles, such as administrators.
To protect cloud resources, the company advises limiting Azure RBAC permissions, keeping Azure Key Vault logs up to a year, reducing access to Key Vault, restricting public access to Key Vaults, using data protection options in Azure Storage, and monitoring for high-risk Azure management operations.
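The last recommendation, monitoring for high-risk Azure management operations, maps directly onto the Key Vault access changes, SQL and Storage firewall changes, storage key reads, and VM Run Command use described earlier. The triage script below is an added example written for this article, not code from Microsoft; the records are constructed, and the operationName strings are assumed to follow the Azure Activity Log's provider/type/action format and should be verified against your own tenant's logs before use.

```python
from collections import defaultdict

# High-risk ARM operations mapped to the attack stage they correspond to and a
# severity. Names are assumed to follow the Activity Log's operationName format
# (provider/type/action); verify them against your own tenant's records.
HIGH_RISK_OPERATIONS = {
    "Microsoft.KeyVault/vaults/accessPolicies/write": ("keyvault_access_change", "high"),
    "Microsoft.KeyVault/vaults/write": ("keyvault_config_change", "medium"),
    "Microsoft.Sql/servers/firewallRules/write": ("sql_firewall_change", "high"),
    "Microsoft.Storage/storageAccounts/listKeys/action": ("storage_key_read", "high"),
    "Microsoft.Storage/storageAccounts/write": ("storage_config_change", "medium"),
    "Microsoft.Compute/virtualMachines/runCommand/action": ("vm_run_command", "high"),
    "Microsoft.Compute/virtualMachines/extensions/write": ("vm_extension_write", "high"),
    "Microsoft.Web/sites/publishxml/action": ("appservice_publish_creds", "high"),
}

# Constructed Activity Log style records (not real telemetry); resource paths
# use placeholder subscription and resource names.
SAMPLE_ACTIVITY_LOG = [
    {"time": "2024-05-03T02:10:00Z", "caller": "itadmin@example.com", "status": "Succeeded",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"},
    {"time": "2024-05-03T02:25:00Z", "caller": "itadmin@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Sql/servers/firewallRules/write",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Sql/servers/sql-prod/firewallRules/AllowAll"},
    {"time": "2024-05-03T02:40:00Z", "caller": "itadmin@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod"},
    {"time": "2024-05-03T03:05:00Z", "caller": "itadmin@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-app01"},
    # Routine deployment activity: site update is not in the list, storage write is medium.
    {"time": "2024-05-03T08:00:00Z", "caller": "deploy-pipeline@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Web/sites/write",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Web/sites/app-prod"},
    {"time": "2024-05-03T08:02:00Z", "caller": "deploy-pipeline@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/write",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod"},
    # Failed attempt: worth a look, but not a successful high-risk operation.
    {"time": "2024-05-03T09:00:00Z", "caller": "helpdesk@example.com", "status": "Failed",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-app01"},
]


def triage_activity_log(records):
    """Flag successful high-risk management operations, most severe first."""
    findings = []
    for record in records:
        rule = HIGH_RISK_OPERATIONS.get(record["operationName"])
        if rule is None or record.get("status") != "Succeeded":
            continue
        category, severity = rule
        findings.append({
            "time": record["time"],
            "caller": record["caller"],
            "category": category,
            "severity": severity,
            "resourceId": record["resourceId"],
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["time"]))
    return findings


def callers_spanning_services(findings, min_categories=3):
    """Identities that hit several distinct risk categories. One caller moving
    across Key Vault, SQL, Storage and VMs is the cross-service pattern in the
    report and rarely looks like routine administration."""
    categories = defaultdict(set)
    for finding in findings:
        categories[finding["caller"]].add(finding["category"])
    return sorted(c for c, cats in categories.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    flagged = triage_activity_log(SAMPLE_ACTIVITY_LOG)
    for finding in flagged:
        print(finding["severity"], finding["time"], finding["caller"], finding["category"])
    print("cross-service callers:", callers_spanning_services(flagged))
```

The per-operation list catches individual risky changes; the cross-service aggregation is what separates an attacker working through production subscriptions from an administrator doing one legitimate task, so both views belong in the same alerting pipeline.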
Microsoft’s report provides indicators of compromise for the observed attacks along with extensive mitigation and protection guidance.