Threat Intelligence

Storm-2949 actor targets Microsoft 365 and Azure environments

(Credit: Selman – stock.adobe.com)

A threat actor, tracked as Storm-2949, is actively targeting Microsoft 365 and Azure production environments by abusing legitimate applications and administration features to steal sensitive data. The actor's primary objective is to exfiltrate as much data as possible from high-value assets within victim organizations. This sophisticated attack leverages social engineering and exploits identity and access management features, as reported by Bleeping Computer.

Storm-2949 initiates attacks by targeting users with privileged roles, such as IT personnel or senior leadership, using social engineering tactics to obtain their Microsoft Entra ID credentials. The actor abuses the Self-Service Password Reset (SSPR) flow, tricking victims into approving multi-factor authentication (MFA) prompts by posing as IT support. After resetting the password and removing MFA controls, the attacker enrolls Microsoft Authenticator on their device.

Subsequently, Storm-2949 uses the Microsoft Graph API and custom Python scripts to enumerate users, roles, and applications, and to identify persistence opportunities. The actor then accesses OneDrive and SharePoint to search for sensitive IT operational files and VPN configurations, facilitating lateral movement. The attack expands to Azure infrastructure, including virtual machines, storage accounts, and key vaults, where privileged Azure role-based access control (RBAC) roles are compromised to extract sensitive assets.

The actor deploys tools like FTP, Web Deploy, and the Kudu console to access file systems and execute commands, and targets Azure Key Vaults to steal secrets and connection strings. Azure SQL servers and storage accounts are also compromised, with firewall rules modified and storage keys exfiltrated. Finally, the actor uses Azure VM management features to create rogue administrator accounts and attempts to disable Microsoft Defender protections. Microsoft recommends adopting the principle of least privilege, enabling MFA, and implementing robust cloud security best practices to defend against these attacks.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds