Cloud Identity Breaches: How Storm-2949 Compromised Identities to Breach Multiple Cloud Services

Cloud Reporter

A sophisticated attack by Storm-2949 demonstrates how compromised cloud identities can lead to multi-service breaches across Microsoft 365 and Azure, highlighting critical security gaps in identity-centric cloud environments.

Cloud security has entered a new phase where identity compromise represents the most significant threat vector. Recent research from Microsoft Threat Intelligence reveals how Storm-2949 systematically exploited cloud identities to breach multiple services, exfiltrate sensitive data, and establish persistent access across an organization's entire cloud ecosystem. This attack pattern represents a fundamental shift from traditional perimeter-based threats to identity-centric attacks that leverage legitimate cloud administrative features.

The Evolution of Cloud Attacks

What changed in the Storm-2949 campaign is its systematic approach to identity exploitation. Rather than deploying traditional malware or focusing on endpoint vulnerabilities, this threat actor demonstrated sophisticated understanding of cloud architecture and administrative controls. The attack began with targeted social engineering to abuse Microsoft's Self-Service Password Reset (SSPR) process, allowing attackers to reset user passwords and enroll their own devices as authentication factors.

This initial compromise represents a critical vulnerability in identity systems where multi-factor authentication can be circumvented through social engineering. The attackers then systematically expanded their access by compromising additional user accounts, conducting directory discovery through Microsoft Graph API, and escalating privileges through legitimate Azure features.

Multi-Cloud Provider Vulnerability Comparison

While this specific attack targeted Microsoft environments, similar vulnerabilities exist across all major cloud providers. Each platform has unique identity management systems that can be exploited through similar social engineering techniques.

Microsoft Azure and Microsoft 365: The Storm-2949 attack highlights how Azure Role-Based Access Control (RBAC) and Entra ID permissions can be weaponized. The attackers leveraged legitimate operations like microsoft.Web/sites/publishxml/action to access application publishing profiles and microsoft.storage/storageAccounts/listkeys/action to access storage credentials. These built-in administrative features, while essential for legitimate operations, become powerful tools when identity controls fail.

Amazon Web Services (AWS): AWS Identity and Access Management (IAM) faces similar challenges. While AWS offers more granular permission controls, the principle remains the same: compromised privileged credentials can lead to widespread compromise. Attackers could abuse AWS Systems Manager (SSM) Run Command, AWS CloudFormation templates, or AWS IAM credentials to achieve similar lateral movement.

Google Cloud Platform (GCP): GCP's Identity and Access Management (IAM) system, while robust, is not immune to identity compromise. Attackers could abuse Cloud IAM permissions to access Google Cloud Storage, manipulate Cloud SQL firewall rules, or exploit Google Kubernetes Engine (GKE) access patterns.

The common vulnerability across all platforms is the over-reliance on identity as the primary security control, with insufficient monitoring of administrative actions and privileged behavior.

How Storm-2949 turned a compromised identity into a cloud-wide breach | Microsoft Security Blog

Attack Methodology and Business Impact

The Storm-2949 attack followed a clear progression from identity compromise to full infrastructure takeover:

  1. Initial Access: Social engineering and SSPR abuse compromised high-value user accounts including IT personnel and senior leadership.

  2. Discovery: The attackers used automated API requests to enumerate users, applications, and service principals, identifying additional targets and mapping the environment.

  3. Data Exfiltration: Large-scale data theft occurred from Microsoft 365 applications (OneDrive, SharePoint) and later from Azure resources including Storage accounts and SQL databases.

  4. Persistence: The attackers established persistent access through multiple methods including MFA enrollment on attacker-controlled devices and installation of ScreenConnect remote access tools.

  5. Lateral Movement: Leveraging compromised identities and legitimate Azure features, the attackers moved between cloud resources, compromising Azure App Services, Key Vaults, and virtual machines.

The business impact of such an attack extends far beyond data loss. Organizations face:

  • Operational Disruption: Production applications and services can be taken offline during investigation and remediation.
  • Regulatory Compliance: Data breaches may trigger mandatory notifications and regulatory penalties.
  • Reputational Damage: Loss of customer trust and competitive advantage.
  • Increased Insurance Costs: Security incidents often lead to higher cyber insurance premiums.
  • Forensic Investigation Costs: Significant resources required to understand the full scope of compromise.

Strategic Recommendations for Cloud Security

Organizations must adopt a multi-layered security approach that addresses the specific challenges of identity-centric attacks:

Identity Protection Enhancements

Implement phishing-resistant authentication mechanisms for all privileged accounts. This includes:

  • Hardware security keys for administrative access
  • Certificate-based authentication for service principals
  • Time-based one-time passwords (TOTP) with device attestation

Configure Conditional Access policies with:

  • Device compliance requirements
  • Location-based restrictions
  • Risk-based authentication challenges
  • A block on legacy authentication protocols

Regularly audit privileged access permissions across all cloud providers, applying the principle of least privilege consistently.

Cloud Resource Hardening

For Azure environments specifically:

  • Azure Storage: Implement private endpoints, disable public access, enable immutable storage for critical data, and configure Azure Storage firewalls to restrict access to trusted networks only.
  • Azure Key Vault: Enable purge protection, restrict public network access, and regularly audit access policies.
  • Azure App Service: Disable legacy authentication methods, enforce managed identity usage, and monitor publishing profile access.
  • Azure Virtual Machines: Restrict use of VM extensions like Run Command and VMAccess through Azure Policy, and enable tamper protection for security services.

For AWS and GCP environments, implement similar controls specific to each platform's services.

Detection and Response Capabilities

Deploy security solutions that provide cross-domain visibility and correlation:

  • Microsoft Defender XDR provides unified detection across endpoints, identities, and cloud resources. Its advanced hunting capabilities allow security teams to query telemetry across multiple domains using tables like CloudAuditEvents, CloudStorageAggregatedEvents, and others.
  • Security Information and Event Management (SIEM) solutions should be configured to aggregate logs from all cloud providers and correlate identity events with resource access patterns.
  • Cloud Security Posture Management (CSPM) tools help identify misconfigurations that could enable similar attacks.
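As an added example (not code from the article or from Microsoft's blog), the script below runs the kind of correlation the SIEM bullet describes over constructed Azure Activity Log records: it picks out the credential-exposing ARM operations the article names (listKeys, publishxml, plus VM Run Command from the hardening section) and flags a caller who sweeps them across several resources in a short window, which is the behaviour that distinguishes harvesting from a routine single key read. The record shape is a simplified Activity Log format and the sample callers, subscriptions and resource names are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# ARM operations the article names as abused by Storm-2949, plus VM Run Command from the
# hardening section. Matched case-insensitively, since ARM operation names are not case-sensitive.
SENSITIVE_OPS = {
    "microsoft.storage/storageaccounts/listkeys/action": "storage account key read",
    "microsoft.web/sites/publishxml/action": "publishing profile read",
    "microsoft.compute/virtualmachines/runcommand/action": "VM Run Command",
}

def _rec(ts, caller, op, resource):
    # Simplified Azure Activity Log (Administrative category) record; constructed for this example.
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": resource, "status": {"value": "Succeeded"}}

# Constructed sample log: alice reads keys from three storage accounts and one app publishing
# profile within four minutes; bob reads a single key; carol only reads a VM (not sensitive).
SAMPLE_LOG = json.dumps([
    _rec("2024-05-01T10:00:05Z", "alice@contoso.example", "Microsoft.Storage/storageAccounts/listKeys/action", "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"),
    _rec("2024-05-01T10:01:10Z", "alice@contoso.example", "Microsoft.Storage/storageAccounts/listKeys/action", "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa2"),
    _rec("2024-05-01T10:02:30Z", "alice@contoso.example", "Microsoft.Storage/storageAccounts/listKeys/action", "/subscriptions/s1/resourceGroups/rg2/providers/Microsoft.Storage/storageAccounts/sa3"),
    _rec("2024-05-01T10:04:00Z", "alice@contoso.example", "Microsoft.Web/sites/publishxml/action", "/subscriptions/s1/resourceGroups/rg2/providers/Microsoft.Web/sites/app1"),
    _rec("2024-05-01T11:30:00Z", "bob@contoso.example", "Microsoft.Storage/storageAccounts/listKeys/action", "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1"),
    _rec("2024-05-01T11:31:00Z", "carol@contoso.example", "Microsoft.Compute/virtualMachines/read", "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"),
])

def parse_log(raw):
    records = json.loads(raw)
    for r in records:  # attach a datetime so events can be windowed
        r["ts"] = datetime.strptime(r["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return records

def sensitive_events(records):
    """Return (caller, operation label, resourceId) for every credential-exposing operation."""
    return [(r["caller"], SENSITIVE_OPS[r["operationName"]["value"].lower()], r["resourceId"])
            for r in records if r["operationName"]["value"].lower() in SENSITIVE_OPS]

def harvest_bursts(records, window=timedelta(minutes=10), min_resources=3):
    """Flag callers touching >= min_resources distinct resources with sensitive ops inside one window.
    Returns {caller: distinct resources touched}; a lone listKeys never trips this."""
    per_caller = defaultdict(list)
    for r in records:
        if r["operationName"]["value"].lower() in SENSITIVE_OPS:
            per_caller[r["caller"]].append(r)
    alerts = {}
    for caller, evs in per_caller.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window from each event
            touched = {e["resourceId"].lower() for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(touched) >= min_resources:
                alerts[caller] = len(touched)
                break
    return alerts
```

Against real data, feed `parse_log` the exported Activity Log JSON and tune `window` and `min_resources` to the baseline of your own automation accounts, which legitimately call listKeys in bursts.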

Regularly test detection capabilities through purple team exercises that simulate identity compromise scenarios.

Operational Controls

Implement strict change management for cloud resources:

  • Require multi-approval for sensitive configuration changes
  • Implement just-in-time access for administrative operations
  • Deploy cloud infrastructure as code with security validation
  • Enable detailed logging and monitoring for all administrative actions

Conclusion

The Storm-2949 attack represents a clear evolution in cloud threat tactics, shifting from traditional malware to identity-centric attacks that leverage legitimate administrative features. This pattern affects all major cloud providers equally, as each platform relies on identity as the primary security control.

Organizations must respond by implementing defense-in-depth strategies that combine strong identity protection with granular resource controls and comprehensive monitoring. The key insight is that no single security control can prevent sophisticated attacks; instead, organizations must create multiple layers of detection and response that can identify and contain compromise even when initial defenses fail.

As cloud adoption continues to accelerate, security teams must evolve their strategies to focus on protecting identities and monitoring administrative behavior across all cloud environments. The Storm-2949 attack provides valuable lessons that can help organizations strengthen their security postures against similar threats.

For more information on securing cloud environments, refer to Microsoft's Azure Identity Management documentation, AWS security best practices, and Google Cloud security foundations.