Identity-centric cloud breach: Storm-2949 demonstrates malware-free lateral movement at scale
Storm-2949 exploited stolen credentials to orchestrate a cloud-wide breach without deploying malware, relying instead on trusted cloud APIs and identity systems to move laterally and exfiltrate data. This represents a significant shift in attack methodology where defenders' own tools become weapons.
Storm-2949's operational approach inverts traditional incident response assumptions. Rather than deploying malware as the initial foothold, the threat actor obtained valid credentials and operated entirely through authenticated cloud API calls. This malware-free methodology allows the attacker to blend in with legitimate administrative traffic, making detection significantly harder for organisations reliant on endpoint-focused security controls.
The technical progression likely followed a recognisable pattern: credential compromise through phishing, password spray, or credential database leak; followed by reconnaissance using cloud CLI tools and API queries that would appear identical to legitimate administrative activity; then lateral movement through role assumption, privilege escalation, and access to sensitive data repositories. Each step would generate audit logs, but without proper baseline analysis and anomaly detection, the activity remains invisible against normal operational noise.
Organisations using Microsoft cloud services face particular exposure because the attack chain operates within their own identity and access management infrastructure. The absence of malware means traditional signature-based detection and EDR solutions provide minimal value. What matters is whether the organisation has implemented cloud-native detection: identity anomaly scoring, impossible travel analysis, unusual API call patterns from recognised service principals, and data access reviews tied to legitimate business roles.
Defenders must assume that credential compromise at scale cannot be contained through password rotation alone. The critical control is zero-trust verification of every API call and elevated operation, coupled with real-time detection logic that flags bulk data access, cross-tenant API activity, or service principal permission escalation even when performed by recognised accounts. Organisations should audit all service principal credentials, particularly those with global admin or subscription-level permissions, and implement automatic revocation of credentials that appear in public breach databases.
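The two preceding paragraphs describe cloud-native detections (impossible travel, privilege escalation by recognised principals) without showing how they score audit data. The following is an added example, not code from the original article or from any Microsoft product: it runs impossible-travel and sensitive-operation checks over constructed sign-in and audit records. The record fields (`user`, `time`, `lat`, `lon`, `actor`, `operation`, `target`) and the operation names are assumptions loosely modelled on Entra log shapes, not a real schema.

```python
"""Detection logic over constructed identity-log records (not real telemetry).
Field names and operation strings are assumptions, not a vendor schema."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Operations that change who can act as a privileged identity; flag them even
# when the actor is a known admin or service principal (assumed names).
SENSITIVE_OPS = {
    "Add member to role",
    "Add service principal credentials",
    "Add app role assignment to service principal",
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=900.0):
    """Flag a principal whose consecutive sign-ins imply travel faster than max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(signins, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                alerts.append((ev["user"], round(km / hours)))
        last_seen[ev["user"]] = ev
    return alerts

def privilege_changes(audits):
    """Return (actor, operation, target) for every sensitive directory change."""
    return [(a["actor"], a["operation"], a["target"]) for a in audits
            if a["operation"] in SENSITIVE_OPS]

t = datetime.fromisoformat
SIGNINS = [  # constructed: a service account in London, then New York 40 minutes later
    {"user": "svc-backup", "time": t("2024-05-01T09:00:00"), "lat": 51.5, "lon": -0.12},
    {"user": "svc-backup", "time": t("2024-05-01T09:40:00"), "lat": 40.7, "lon": -74.0},
    {"user": "alice", "time": t("2024-05-01T09:00:00"), "lat": 51.5, "lon": -0.12},
    {"user": "alice", "time": t("2024-05-01T17:00:00"), "lat": 48.9, "lon": 2.35},
]
AUDITS = [  # constructed audit records
    {"actor": "svc-backup", "operation": "Add member to role", "target": "Global Administrator"},
    {"actor": "alice", "operation": "Update user", "target": "bob"},
]

if __name__ == "__main__":
    print(impossible_travel(SIGNINS), privilege_changes(AUDITS))
```

Only the service account trips both checks: the London-to-New-York hop implies well over 5000 km/h, and the same identity then adds a member to a privileged role, which is the "recognised account doing something it should not" signal the text calls for.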
Storm-2949 represents the maturation of cloud-native attack tradecraft. It demonstrates that defenders cannot rely on perimeter hardening or malware detection when attackers operate as authenticated users within the boundary. The broader implication is that cloud security requires fundamentally different architectural assumptions: assume breach at the identity layer and design detection around behaviour, not malware signatures.