Threat Actor Storm‑2949 Leverages Stolen Credentials for Cloud‑Wide Data Theft Across Azure Tenants
What Happened — Storm‑2949 compromised legitimate user credentials and used them to pivot across multiple Azure services, exfiltrating data from dozens of tenant environments without deploying malware. The campaign demonstrates how a single identity breach can evolve into a multi‑tenant cloud breach.
Why It Matters for TPRM —
- Credential‑based attacks bypass many traditional perimeter controls, exposing downstream vendors.
- Cloud‑wide lateral movement can affect numerous third‑party customers of a single SaaS provider.
- Absence of malware makes detection harder, increasing the risk of prolonged exposure.
Who Is Affected — Cloud service providers (especially Microsoft Azure), SaaS vendors, and any organization that relies on Azure AD for identity management.
Recommended Actions — Review and tighten privileged access management, enforce MFA for all privileged accounts, implement continuous credential‑anomaly monitoring, and validate that third‑party vendors enforce zero‑trust principles.
Technical Notes — Attack vector: stolen credentials (likely obtained via phishing or credential dumping). No known CVE; the threat leveraged legitimate API calls and Azure RBAC mis‑use. Data types exfiltrated included emails, documents, and configuration files. Source: Microsoft Security Blog