Tuesday, December 3, 2024
Homecyber securityRansomware Groups Abusing Azure Storage Explorer For Stealing Data

Ransomware Groups Abusing Azure Storage Explorer For Stealing Data

Published on

SIEM as a Service

Ransomware attackers are increasingly exfiltrating data using tools like MEGAsync and Rclone.

Shellbags analysis by modePUSH reveals their navigation of directories and file shares to find sensitive data.

Despite exfiltrating large amounts of data, attackers prioritize valuable and protected information.

- Advertisement - SIEM as a Service

The BianLian and Rhysida ransomware groups have been using Azure Storage Explorer to extract data from compromised systems.

This tool, available for various platforms, leverages AzCopy to transfer files from Azure storage, including blobs, shares, and disks.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

In one incident, BianLian copied hundreds of files from a company’s main file server using Azure Storage Explorer.

Microsoft Azure Storage Explorer

The threat actor proactively installed Azure Storage Explorer on the system, upgrading .NET to version 8 beforehand, which allowed them to store the main executable and additional files in either the user-specific or system-wide Program Files directory, depending on the installation choice.

AzCopy, a command-line utility for transferring data to and from Azure Storage, is commonly used by threat actors to exfiltrate data to Azure Blob Storage, a highly scalable and secure storage solution.

The approach is often favored due to its ability to handle large volumes of data and the low likelihood of network restrictions blocking outbound connections to Microsoft IP addresses.

Azure Blob Storage organizes data in a hierarchical structure.

Storage accounts serve as namespaces, while containers group blobs, which are individual data objects, which is analogous to buckets in other cloud providers like Amazon S3 and Google Cloud Storage.

Example of a successful upload operation in the activity view plane for Azure StorageExplore

Azure Storage Explorer uses AzCopy for file transfers and logs these operations at the INFO level by default, which can be adjusted in the tool’s settings.

For failed transfers, Azure Storage Explorer provides options to retry or view the detailed AzCopy log file.

AzCopy generates two types of logs for each job: regular and scanning, where regular logs, which are most useful for incident response, contain information like the AzCopy command and file activity details.

To detect data exfiltration, focus on UPLOADSUCCESSFUL and UPLOADFAILED events. Other events, like DOWNLOADSUCCESSFUL and DOWNLOADFAILED, can also be relevant depending on the incident.

DOWNLOADSUCCESSFUL AzCopy log entry example.

The “Logout On Exit” setting in Azure Storage Explorer is not enabled by default, allowing threat actors to easily resume previous sessions and exfiltrate data to their controlled storage accounts.

The COPYSUCCESSFUL and COPYFAILED events in the AzCopy log file provide valuable insights into these data transfer activities.

modePUSH identified attackers using Azure Storage Explorer for data exfiltration, emphasizing the need for comprehensive forensic analysis during incident response to counter evolving ransomware and data exfiltration tactics.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...