MEC A.I CyberSecurity Scoring
Company Information
Website: https://www.microsoft.com/en-us/security/business/microsoft-entra
Employees: 5
Number of followers: 20,070
NAICS: 5112
Industry Type: Software Development
Homepage: microsoft.com
MEC Risk Score (AI oriented): 474/1000, grade C (Critical; the Critical band runs from 0 to 549)
Industry: Software Development
Updated: 19/05/2026
MEC Global Score (TPRM): score locked
Current Score: 474 C (CRITICAL) on a 0 to 1000 scale
4 incidents, -62.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 482
MAY 2026: 496
Cyber Attack
19 May 2026 • MEC
Microsoft: Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data
Storm-2949 Exploits Microsoft Entra ID in Large-Scale Cloud Data Theft Campaign
475
CRITICAL-21
MIC1779208971
A sophisticated cloud attack campaign by the threat actor Storm-2949 has targeted Microsoft Entra ID accounts, enabling large-scale data theft from Microsoft 365 and Azure environments without relying on traditional malware. The campaign, uncovered recently, highlights a shift in attacker tactics: abusing legitimate cloud management tools to infiltrate and exfiltrate sensitive data across the SaaS, PaaS, and IaaS layers.
### Attack Execution
Storm-2949 gained initial access through social engineering, exploiting Microsoft’s Self-Service Password Reset process. Attackers impersonated IT support staff, tricking users into approving fraudulent multi-factor authentication (MFA) prompts. Once approved, they reset passwords, removed existing authentication methods, and registered their own devices, locking out legitimate users.
After establishing a foothold, the attackers used custom Python scripts and Microsoft Graph API queries to enumerate privileged accounts. They then targeted OneDrive and SharePoint, bulk-downloading sensitive files, including VPN configurations and remote access procedures.
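The takeover sequence described above (self-service password reset, removal of the victim's authentication methods, registration of an attacker device) leaves a distinctive trail in the identity audit log. The following is an added hunting example, not code from the original summary or from Microsoft: it groups simplified Entra-style audit events per user and raises an alert when all three activities occur for the same account inside a short window, and it marks whether any source IP matches the IoC addresses listed further down in this summary. The activity strings mirror Entra audit display names, but the four-field event schema and the sample events are constructed assumptions.

```python
"""Hunt for the SSPR-driven account-takeover chain in Entra-style audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# The three audit activities, in order, that together make up the takeover chain.
# Assumption: names follow Entra audit display names; the event schema is simplified.
TAKEOVER_CHAIN = (
    "Reset password (self-service)",
    "User deleted security info",
    "Register device",
)
DEFAULT_WINDOW = timedelta(minutes=60)

# IP addresses published as IoCs in the incident summary (defanging brackets removed).
KNOWN_IOC_IPS = {"176.123.4.44", "91.208.197.87", "185.241.208.243"}

# Constructed sample events: (timestamp, activity, target user, source IP).
# Only the first user shows the complete chain; alice and bob are partial matches,
# and carol's chain completes but outside the 60-minute window.
SAMPLE_EVENTS = [
    ("2026-05-19T09:00:00Z", "Reset password (self-service)", "it.helpdesk@example.com", "176.123.4.44"),
    ("2026-05-19T09:03:00Z", "User deleted security info", "it.helpdesk@example.com", "176.123.4.44"),
    ("2026-05-19T09:05:00Z", "Register device", "it.helpdesk@example.com", "176.123.4.44"),
    ("2026-05-19T11:00:00Z", "Reset password (self-service)", "alice@example.com", "203.0.113.10"),
    ("2026-05-19T11:30:00Z", "Register device", "alice@example.com", "203.0.113.10"),
    ("2026-05-20T08:00:00Z", "User deleted security info", "bob@example.com", "198.51.100.7"),
    ("2026-05-20T14:00:00Z", "Reset password (self-service)", "carol@example.com", "198.51.100.9"),
    ("2026-05-20T16:30:00Z", "User deleted security info", "carol@example.com", "198.51.100.9"),
    ("2026-05-20T16:35:00Z", "Register device", "carol@example.com", "198.51.100.9"),
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_takeover_chains(events, window=DEFAULT_WINDOW):
    """Return one alert per user whose audit trail contains the full chain within `window`."""
    by_user = defaultdict(list)
    for ts, activity, user, ip in events:
        by_user[user].append((_parse_ts(ts), activity, ip))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for i, (t0, act0, ip0) in enumerate(evs):
            if act0 != TAKEOVER_CHAIN[0]:
                continue  # the chain must start with the self-service reset
            stage, ips, t_end = 1, {ip0}, t0
            for t, act, ip in evs[i + 1:]:
                if t - t0 > window:
                    break  # too slow to be the same takeover
                if act == TAKEOVER_CHAIN[stage]:
                    stage += 1
                    ips.add(ip)
                    t_end = t
                    if stage == len(TAKEOVER_CHAIN):
                        alerts.append({
                            "user": user,
                            "start": t0.isoformat(),
                            "end": t_end.isoformat(),
                            "source_ips": sorted(ips),
                            "matches_known_ioc": bool(ips & KNOWN_IOC_IPS),
                        })
                        break
            if alerts and alerts[-1]["user"] == user:
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

Tune the window to your help-desk's real reset-to-enrolment timings; a legitimate reset followed by MFA re-enrolment is common, so the value of the rule is the ordered three-step pattern plus the source-IP context rather than any single event.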
### Azure Compromise & Lateral Movement
With compromised accounts holding privileged Azure RBAC permissions, Storm-2949 moved into Azure environments, targeting:
- Key Vaults (extracting database credentials and secrets)
- Storage accounts (manipulating access settings to generate Shared Access Signature tokens)
- SQL databases (altering firewall rules to enable unauthorized access)
- Azure Virtual Machines (deploying VMAccess extensions to create backdoor admin accounts and installing ScreenConnect after disabling Microsoft Defender)
The attackers exfiltrated large volumes of data over several days, then cleared Windows event logs and removed forensic artifacts to evade detection.
### Impact & Indicators of Compromise (IoCs)
The campaign demonstrates how threat actors now prioritize cloud identities and control-plane access over device-level exploits. Microsoft’s report confirms the attackers’ focus on high-value assets, including IT staff and senior leadership accounts, suggesting prior reconnaissance.
Known IoCs:
- IP Addresses:
  - `176.123.4[.]44`
  - `91.208.197[.]87`
  - `185.241.208[.]243` (ScreenConnect infrastructure)
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
APRIL 2026: 492
MARCH 2026: 504
Cyber Attack
04 Mar 2026 • MEC
Microsoft and Google: Microsoft Warns of Advanced Phishing Campaign Abusing OAuth in Entra ID
Sophisticated Phishing Campaigns Abusing OAuth 2.0 Redirects
483
CRITICAL-21
MICGOO1772628247
Microsoft Uncovers Sophisticated Phishing Campaigns Abusing OAuth 2.0 Redirects
Microsoft has identified a series of phishing attacks targeting government and public-sector organizations by exploiting OAuth 2.0’s redirection features in Microsoft Entra ID and Google Workspace. Unlike traditional credential theft, these campaigns bypass email filters by weaponizing trusted authentication protocols to deliver malware.
### Attack Mechanics
Threat actors register malicious apps in their tenant, configuring redirect URIs to point to phishing or malware-hosting domains. Phishing emails disguised as e-signature requests, Teams invites, or password resets lure victims into clicking links that trigger a silent OAuth flow. By manipulating parameters like `prompt=none` and `scope=invalid`, attackers force error redirects without user interaction, masking malicious URLs from scanners.
The `state` parameter encodes the victim’s email in Base64, hex, or custom schemes, auto-populating phishing pages for realism. Once clicked, victims are redirected to tools like EvilProxy for session hijacking or prompted to download a ZIP file containing a malicious LNK file. This executes PowerShell for host reconnaissance, then sideloads `crashhandler.dll` via a legitimate `steam_monitor.exe` process to establish command-and-control (C2) communication.
### Detection & Indicators
The attack does not exploit vulnerabilities but abuses OAuth 2.0 protocol behavior as outlined in RFC 6749/9700. Key indicators include:
- URL Parameters: `prompt=none`, `scope=invalid` (triggers silent redirects)
- File Artifacts: `steam_monitor.exe`, `crashhandler.dll`, `crashlog.dat` (DLL sideloading)
- Defender Signatures: `Trojan:Win32/Malgent`, `Trojan:Win32/Znyonm`, `Trojan:Win32/WinLNK`
- Error Codes: `65001`, `error=interaction_required` (failed SSO, successful redirect)
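The URL-level indicators above (`prompt=none`, `scope=invalid`, an encoded victim address in `state`, and the `interaction_required` / 65001 error that signals a completed silent redirect) can be checked mechanically on links extracted from mail or proxy logs. The following triage helper is an added example, not code from Microsoft or from the original summary: it parses an authorize URL, tries to decode `state` as hex or Base64, flags the indicators named in the summary, and treats a redirect host outside a trusted set as suspicious. The trusted-host set, the placeholder client ID, and the sample URL are constructed assumptions.

```python
"""Triage OAuth 2.0 authorize URLs for the redirect-abuse indicators listed above."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: redirect hosts that the organization's own registered apps are allowed to use.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def decode_state(state: str):
    """Recover plaintext from a hex- or Base64-encoded `state` value.

    Returns (encoding, text) or None when nothing printable comes out.
    Hex is tried first because every hex string is also valid Base64 alphabet."""
    candidates = []
    if HEX_RE.match(state) and len(state) % 2 == 0:
        candidates.append(("hex", bytes.fromhex(state)))
    padded = state + "=" * (-len(state) % 4)  # attackers often strip padding
    for name, altchars in (("base64", None), ("base64url", b"-_")):
        try:
            candidates.append((name, base64.b64decode(padded, altchars=altchars, validate=True)))
        except (binascii.Error, ValueError):
            pass
    for name, raw in candidates:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            return name, text
    return None


def triage_authorize_url(url: str) -> dict:
    """Return the indicators present in one authorize (or error-redirect) URL."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    indicators = []
    if params.get("prompt") == "none":
        indicators.append("prompt=none")
    if params.get("scope") == "invalid":
        indicators.append("scope=invalid")
    redirect = params.get("redirect_uri")
    redirect_host = urlparse(redirect).hostname if redirect else None
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        indicators.append(f"untrusted redirect host: {redirect_host}")
    if params.get("error") == "interaction_required" or "65001" in params.get("error_description", ""):
        indicators.append("silent-auth error redirect (interaction_required / AADSTS65001)")
    decoded = decode_state(params["state"]) if "state" in params else None
    if decoded and EMAIL_RE.match(decoded[1]):
        indicators.append(f"state carries an email address ({decoded[0]})")
    return {"indicators": indicators, "decoded_state": decoded, "suspicious": len(indicators) >= 2}


def _constructed_sample() -> str:
    # Constructed sample: all-zero client_id is a placeholder, state is Base64 of a fake victim.
    state = base64.b64encode(b"victim@example.com").decode()
    query = urlencode({
        "client_id": "00000000-0000-0000-0000-000000000000",
        "response_type": "code",
        "redirect_uri": "https://files.example.invalid/cb",
        "scope": "invalid",
        "prompt": "none",
        "state": state,
    })
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + query


SAMPLE_URL = _constructed_sample()

if __name__ == "__main__":
    print(triage_authorize_url(SAMPLE_URL))
```

Run over the `redirect_uri` values of apps registered in your tenant as well as over inbound links: an app whose redirect target is not on the trusted list is exactly the kind of overprivileged or stray registration the mitigation guidance below tells you to audit.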
### Mitigation Strategies
Microsoft recommends OAuth governance over patching, including:
- App Audits: Regularly review overprivileged OAuth applications.
- Access Controls: Enforce Conditional Access and identity protection.
- Telemetry & Hunting: Use XDR for cross-signal correlation, flagging anomalies like PowerShell execution from LNK files or DLL sideloading.
The campaign underscores the growing trend of protocol abuse in phishing, where attackers leverage legitimate features to evade detection.
FEBRUARY 2026: 503
JANUARY 2026: 640
Breach
09 Jan 2026 • MEC
Panera Bread, Edmunds and CarMax: ShinyHunters claims Panera Bread in alleged data theft
ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More
495
CRITICAL-145
PANEDMCAR1769547392
The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. According to claims reviewed by The Register and shared on the dark web, the group exfiltrated over 14 million records from Panera Bread, including names, email addresses, phone numbers, and account details, totaling 760 MB of compressed data. CarMax and Edmunds were also reportedly breached, with 500,000+ records (1.7 GB) and "millions" of records (12 GB), respectively, containing similar personally identifiable information (PII).
ShinyHunters stated it accessed Panera’s systems via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches stemmed from earlier, unrelated intrusions. The group’s claims align with previous activity by Scattered Lapsus$ Hunters, a linked threat actor that posted CarMax data on a now-defunct leak site last fall, citing compromises in Salesforce environments.
The campaign extends beyond these three companies. Last week, ShinyHunters added Crunchbase, SoundCloud, and Betterment to its list of victims, claiming over 50 million records stolen in total. Access to Crunchbase and Betterment was reportedly gained through voice-phishing attacks targeting Okta SSO credentials, a tactic Okta warned about in recent advisories. Betterment confirmed an unauthorized intrusion on January 9, where attackers used social engineering to access third-party marketing platforms and send fraudulent crypto-related messages to customers.
Security researchers have observed the group’s expanding operations. Silent Push reported that ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations in the past 30 days, though it remains unconfirmed how many attacks succeeded. Meanwhile, Mandiant is tracking a "new, ongoing ShinyHunters-branded campaign" leveraging voice-phishing to harvest SSO credentials.
None of the named companies (Panera Bread, CarMax, Edmunds, Crunchbase, or Betterment) has publicly responded to the claims. Microsoft and Google stated they had no indication their products were directly affected by the phishing campaign. The incidents underscore the growing threat of social engineering attacks bypassing multi-factor authentication (MFA) to compromise corporate systems.
DECEMBER 2025: 639
NOVEMBER 2025: 637
OCTOBER 2025: 635
SEPTEMBER 2025: 633
AUGUST 2025: 630
JULY 2025: 628
MARCH 2024: 749
Breach
30 Mar 2024 • MEC
Panera Bread
Panera Bread Data Breach (2024)
583
CRITICAL-166
PAN3962339111225
Panera Bread suffered a major data breach exposing sensitive customer information, including Social Security numbers, addresses, birth dates, and passcodes, from 73 million accounts (current and former customers). The breach occurred in two phases: March 30, 2024, and July 12, 2024, with hackers downloading data from a third-party cloud platform and leaking it on the dark web. The incident led to consolidated state and federal lawsuits, alleging negligence in cybersecurity measures. Customers faced risks of identity theft, fraud, and financial losses, with compensation claims categorized into tiers: up to $500 for ordinary losses (e.g., credit monitoring), $2,500 for time spent resolving issues, and $6,500 for documented extraordinary losses. The breach severely damaged customer trust and exposed the company to legal and reputational consequences.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for MEC?
What was MEC's A.I Rankiteo Cyber Score in May 2026?
What was MEC's A.I Rankiteo Cyber Score in April 2026?
What was MEC's A.I Rankiteo Cyber Score in March 2026?
What was MEC's A.I Rankiteo Cyber Score in February 2026?
What was MEC's A.I Rankiteo Cyber Score in January 2026?
What was MEC's A.I Rankiteo Cyber Score in December 2025?
What was MEC's A.I Rankiteo Cyber Score in November 2025?
What was MEC's A.I Rankiteo Cyber Score in October 2025?
What was MEC's A.I Rankiteo Cyber Score in September 2025?
What was MEC's A.I Rankiteo Cyber Score in August 2025?
What was MEC's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on MEC's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with MEC?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view MEC's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?