Security researchers at Quarkslab have developed a new covert channel technique that exploits Microsoft’s recommended Azure Storage firewall configurations to bypass network restrictions.
Their proof-of-concept tool, named “ProxyBlob,” leverages Azure Blob Storage to create a SOCKS5 proxy, allowing attackers to establish persistent backdoor access to restricted networks.

This technique demonstrates how Microsoft’s own security recommendations for allowing wildcard connections to Azure Blob Storage can be abused to maintain stealthy connections to compromised environments.
The Azure Storage Wildcard Vulnerability
During an assumed breach operation for a client, Quarkslab's security team found that while most outbound connections were blocked, Microsoft services, and Azure Blob Storage in particular, remained reachable through a wildcard allow rule.
The jump boxes used to reach internal services could therefore contact any Azure Blob Storage account, including one an attacker controls, despite otherwise stringent egress restrictions.

“We proved that even with restrictions in place, it was still possible to reach the Internet,” notes the researcher.
“This proved that even if the file transfer feature were disabled, a user would still be able to drop malicious files from the Internet onto the machine by downloading them from an arbitrary Azure Blob Storage container.”
The vulnerability is one of configuration rather than code: it stems from Microsoft's own guidance that organizations configure outbound firewall rules allowing connections to *.blob.core.windows.net for several critical services, including Office 365 and Defender for Endpoint.
Because every public storage account is served from <account>.blob.core.windows.net, a rule that matches the wildcard also matches an account the attacker created themselves, which yields a communication channel that crosses otherwise well-controlled network boundaries.
ProxyBlob: Engineering a Covert Channel
Building on their discovery, the researchers developed ProxyBlob, a reverse SOCKS5 proxy using Azure Blob Storage as its communication medium.
The tool uses Azure blobs as a meeting point between a proxy server on the attacker's side and an agent running on the compromised host. When a client connects to the proxy server, its packets are written to a blob, polled and read by the agent, and forwarded to the target on the internal network; replies travel back along the same path.
ProxyBlob supports the SOCKS5 protocol (including TCP, UDP and IPv6), encrypts transferred data with ChaCha20-Poly1305, and manages multiple agents through an interactive command-line interface.
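To make the meeting-point mechanism concrete, here is an added model of the relay (written for this article; it is not ProxyBlob's own code, which is a separate Go project, and it omits the tool's encryption, UDP and IPv6 support). A dict of thread-safe queues stands in for the blob container, a SOCKS5 listener plays the attacker-side proxy, and an agent thread plays the implant inside the restricted network; the two never open a socket to each other, only to the "blobs". The session name, chunk framing and the loopback echo target are all constructed for the demo.

```python
import queue
import socket
import struct
import threading

# A dict of thread-safe queues stands in for the Azure Blob Storage container
# (constructed for the demo): one blob per direction, each holding ordered chunks.
# Chunk framing (assumed, not ProxyBlob's wire format): C<host:port> = open target,
# D<bytes> = data, E = close. Neither side ever connects to the other.


def recvn(sock, n):                                      # exact-length read of a SOCKS header
    return sock.recv(n, socket.MSG_WAITALL)


def handle_socks_client(conn, blobs, session):
    """Proxy side (attacker's machine): RFC 1928 handshake, then relay via blobs."""
    up, down = blobs[f"{session}/up"], blobs[f"{session}/down"]
    ver, nmethods = recvn(conn, 2)
    if ver != 5 or 0 not in recvn(conn, nmethods):       # only "no auth" supported
        return conn.sendall(b"\x05\xff")
    conn.sendall(b"\x05\x00")
    ver, cmd, _rsv, atyp = recvn(conn, 4)
    if cmd != 1 or atyp != 1:                            # CONNECT + IPv4 only here
        return conn.sendall(b"\x05\x07\x00\x01" + b"\x00" * 6)
    host = socket.inet_ntoa(recvn(conn, 4))
    port = struct.unpack("!H", recvn(conn, 2))[0]
    up.put(f"C{host}:{port}".encode())                   # CONNECT travels via the blob
    conn.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)      # optimistic "succeeded" reply
    conn.settimeout(0.02)
    while True:
        try:
            data = conn.recv(4096)
            up.put((b"D" + data) if data else b"E")
            if not data:
                return
        except socket.timeout:
            pass                                         # nothing from the client
        try:
            chunk = down.get_nowait()
        except queue.Empty:
            continue
        if chunk == b"E":
            return
        conn.sendall(chunk[1:])


def agent_loop(blobs, session, poll=0.02):
    """Agent side (compromised host): poll the blob, own the real TCP connection."""
    up, down, target = blobs[f"{session}/up"], blobs[f"{session}/down"], None
    while True:
        try:
            msg = up.get(timeout=poll)
        except queue.Empty:
            if target is None:
                continue
            try:
                data = target.recv(4096)
            except socket.timeout:
                continue
            down.put((b"D" + data) if data else b"E")
            if not data:
                return
            continue
        if msg[:1] == b"C":
            host, port = msg[1:].decode().rsplit(":", 1)
            target = socket.create_connection((host, int(port)))
            target.settimeout(poll)
        elif msg[:1] == b"D":
            target.sendall(msg[1:])
        else:                                            # E: operator hung up
            if target:
                target.close()
            return


def run_demo(session="sess1"):
    """Loopback demo; returns (SOCKS reply code, bytes echoed by the target)."""
    blobs = {f"{session}/up": queue.Queue(), f"{session}/down": queue.Queue()}
    target_srv, socks_srv = socket.socket(), socket.socket()
    for s in (target_srv, socks_srv):
        s.bind(("127.0.0.1", 0))
        s.listen(1)
    def echo(c):                                         # constructed internal service
        with c:
            while (d := c.recv(4096)):
                c.sendall(d.upper())
    threading.Thread(target=lambda: echo(target_srv.accept()[0]), daemon=True).start()
    threading.Thread(target=lambda: handle_socks_client(socks_srv.accept()[0], blobs, session),
                     daemon=True).start()
    threading.Thread(target=agent_loop, args=(blobs, session), daemon=True).start()
    client = socket.create_connection(socks_srv.getsockname())
    client.sendall(b"\x05\x01\x00")                      # greeting: offer no-auth
    assert recvn(client, 2) == b"\x05\x00"
    host, port = target_srv.getsockname()
    client.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port))
    reply = recvn(client, 10)
    client.sendall(b"hello via blob")
    client.settimeout(5)
    data = client.recv(4096)
    client.close()
    return reply[1], data
```

Running `run_demo()` drives a SOCKS5 CONNECT from the "operator" to a loopback echo service and gets the echoed reply back, even though the proxy and the agent share nothing but the two queues; swap the queues for HTTPS reads and writes against a storage account and you have the shape of the channel the article describes. The optimistic "succeeded" reply before the agent has actually connected is a simplification of this model.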

While not particularly fast, reaching maximum speeds of around 1.5 Mbps during testing, the researchers note it is “sufficient to run tools or even to perform an RDP on a remote target within the internal network.”
Security Implications for Enterprise Environments
The research highlights a significant security trade-off in Microsoft’s configuration guidance. According to the researchers, Microsoft’s documentation recommends allowing outgoing connections to *.blob.core.windows.net for at least nine widely-used services.
“This is a serious problem, as anyone can create an Azure storage account and use it to bypass the high network restrictions that follow this ‘recommended configuration’,” the researcher warns.

Unlike tunneling techniques that piggyback on an existing access method such as RDP, ProxyBlob needs nothing more than HTTPS reachability to Azure Blob Storage from the compromised host, which is what makes it so concerning for security teams.
The tool lets attackers establish SOCKS tunnels deep inside target networks, facilitating lateral movement even where no RDP connection is available.
Security professionals should reassess which Azure Storage destinations their restricted segments actually need, and monitor blob storage traffic for storage accounts outside the organization's own inventory and for steady, high-frequency polling from hosts in highly secured segments, where such patterns are far more likely to indicate a compromise than legitimate use.
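As an added example of the monitoring the previous paragraph calls for (not from the article or from Quarkslab), the following Python checks egress-proxy logs for the two tells a blob-based relay leaves: blob traffic to a storage account the organization never registered, and one host polling one account far more often than a backup or update job would. The log format, the inventory of known accounts and the polling threshold are all assumptions constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-proxy log lines (not from the article). jumpbox01 backs up to a
# known storage account; jumpbox02 polls an account nobody in the org registered,
# every two seconds with tiny payloads, which is what a blob-based relay looks like.
SAMPLE_LOG = (
    "2025-04-02T10:00:01Z jumpbox01 CONNECT corpbackup01.blob.core.windows.net:443 out=812 in=14320\n"
    "2025-04-02T10:00:40Z jumpbox01 CONNECT corpbackup01.blob.core.windows.net:443 out=790 in=13877\n"
    "2025-04-02T10:01:05Z jumpbox03 CONNECT login.microsoftonline.com:443 out=2210 in=5400\n"
    + "".join(
        f"2025-04-02T10:02:{sec:02d}Z jumpbox02 CONNECT zx9k2ltmp.blob.core.windows.net:443 out=310 in=260\n"
        for sec in range(0, 60, 2)
    )
)

# Storage accounts the organization actually uses (assumed inventory for the demo).
KNOWN_ACCOUNTS = {"corpbackup01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+) "
    r"out=(?P<out>\d+) in=(?P<inb>\d+)$"
)
# Public blob endpoints are <account>.blob.core.windows.net; account names are
# 3-24 lowercase letters and digits, so the wildcard rule admits any of them.
BLOB_RE = re.compile(r"^(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")


def parse_line(line):
    """Return a dict for one log line, with the storage account if it is a blob host."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["out"], rec["inb"] = int(rec["out"]), int(rec["inb"])
    blob = BLOB_RE.match(rec["host"])
    rec["account"] = blob.group("account") if blob else None
    return rec


def analyze(log_text, known_accounts=KNOWN_ACCOUNTS, max_per_minute=10):
    """Flag (1) blob traffic to accounts outside the inventory and (2) sustained
    polling of one account from one host. Returns (kind, src, account) tuples."""
    findings, stamps = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["account"] is None:
            continue
        key = (rec["src"], rec["account"])
        unknown = ("unknown_storage_account",) + key
        if rec["account"] not in known_accounts and unknown not in findings:
            findings.append(unknown)
        stamps[key].append(rec["ts"])
    for (src, account), times in stamps.items():
        times.sort()
        start = 0                      # sliding one-minute window over request times
        for end, t in enumerate(times):
            while t - times[start] > timedelta(minutes=1):
                start += 1
            if end - start + 1 > max_per_minute:
                findings.append(("high_frequency_polling", src, account))
                break
    return findings
```

`analyze(SAMPLE_LOG)` reports jumpbox02 twice, once for the unregistered account and once for the polling rate, and nothing for the backup host. The same account inventory is what a tighter firewall rule would be built from: where a service genuinely needs only the organization's own accounts, listing them beats the wildcard, and the inventory check above catches the accounts the wildcard still lets through.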