The article highlights how ransomware groups like BianLian and Rhysida are exploiting Microsoft Azure Storage Explorer for data exfiltration. Originally designed for managing Azure storage, this tool is now being repurposed by hackers to transfer stolen data to cloud storage. Attackers use Azure’s capabilities, such as AzCopy, to move large amounts of sensitive information. Security teams are advised to monitor logs for unusual activity, particularly around file transfers and Azure Blob storage connections, to detect and prevent such breaches.
For more details, visit Security Newspaper.
Azure Storage Background
To understand the implications of using Azure Storage Explorer for data exfiltration, it is essential to grasp the basics of Azure Blob Storage. It consists of three key resources:
- Storage Account: The overarching entity that provides a namespace for your data.
- Container: A logical grouping within the storage account that holds your blobs.
- Blob: The actual data object stored within a container.
This structure is similar to storage systems used by other public cloud providers, like Amazon S3 and Google Cloud Storage.
AzCopy Logging and Analysis – The Key to Detecting Data Theft
Azure Storage Explorer uses AzCopy, a command-line tool, to handle data transfers. AzCopy generates detailed logs during these transfers, which give incident responders a crucial avenue for identifying data exfiltration attempts.
By default, Azure Storage Explorer and AzCopy use the “INFO” logging level, which captures key events such as file uploads, downloads, and copies. The log entries can include:
- UPLOADSUCCESSFUL and UPLOADFAILED: Indicate the outcome of file upload operations.
- DOWNLOADSUCCESSFUL and DOWNLOADFAILED: Reveal details of files brought into the network from Azure.
- COPYSUCCESSFUL and COPYFAILED: Show copying activities across different storage accounts.
The logs are stored in the .azcopy directory within the user’s profile, offering a valuable resource for forensic analysis.
Logging Settings and Investigation Challenges
Azure Storage Explorer provides a “Logout on Exit” setting, which is disabled by default. This default setting retains any valid Azure Storage sessions when the application is reopened, potentially allowing threat actors to continue their activities even after initial investigations.
At the end of the AzCopy log file, investigators can find a summary of job activities, providing an overview of the entire data transfer operation. This final summary can be instrumental in understanding the scope of the data exfiltration carried out by the attackers.
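As an added example (not code from the article, from Security Newspaper, or from Microsoft), the following Python script reads an AzCopy log of the kind described in the logging section and its closing job summary, counts the UPLOAD/DOWNLOAD/COPY outcomes, extracts the Azure Blob hosts involved, and flags storage accounts that are not in your own inventory. The event names, the .azcopy location and the end-of-file summary come from the article; the exact transfer-line layout, the summary field names and the sample log are constructed assumptions, so adjust TRANSFER_RE if the AzCopy version you are examining writes its lines differently.

```python
"""Triage an AzCopy log: count transfer outcomes, list the Azure Blob hosts
involved, and read the job summary at the end of the file.
Added example; this is not code from the article or from Microsoft.
The transfer-line layout is an assumption modelled on AzCopy's INFO-level
output; adjust TRANSFER_RE if your AzCopy version formats lines differently."""
import re
from collections import Counter
from pathlib import Path

# Event markers named in the article (written at the default INFO level).
EVENTS = ("UPLOADSUCCESSFUL", "UPLOADFAILED", "DOWNLOADSUCCESSFUL",
          "DOWNLOADFAILED", "COPYSUCCESSFUL", "COPYFAILED")

# Assumed shape: "<date> <time> INFO: [P#0-T#1] UPLOADSUCCESSFUL: <src> => <dst>"
TRANSFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO: \[[^\]]*\] (?P<event>" + "|".join(EVENTS) +
    r"): (?P<src>.+?) => (?P<dst>\S+)")
# Summary block: "Key: value" lines after the "Job <id> summary" header (assumed layout).
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ()]+): (?P<value>.+)$")
# The network indicator from the article, with the storage account name captured.
BLOB_HOST_RE = re.compile(r"https://([a-z0-9]+\.blob\.core\.windows\.net)/", re.I)

# Constructed sample log (not a real capture); account names and paths are made up.
SAMPLE_LOG = """\
2024/09/10 14:32:10 AzcopyVersion 10.25.1
2024/09/10 14:32:10 OS-Environment windows
2024/09/10 14:32:11 INFO: [P#0-T#0] UPLOADSUCCESSFUL: C:\\Finance\\payroll_2024.xlsx => https://exampleexfil.blob.core.windows.net/backup/payroll_2024.xlsx
2024/09/10 14:32:12 INFO: [P#0-T#1] UPLOADSUCCESSFUL: C:\\Finance\\contracts.zip => https://exampleexfil.blob.core.windows.net/backup/contracts.zip
2024/09/10 14:32:12 INFO: [P#0-T#2] UPLOADFAILED: C:\\Finance\\locked.pst => https://exampleexfil.blob.core.windows.net/backup/locked.pst
2024/09/10 14:32:13 INFO: [P#0-T#3] DOWNLOADSUCCESSFUL: https://exampletools.blob.core.windows.net/stage/tools.zip => C:\\Users\\Public\\tools.zip
2024/09/10 14:32:14 Job 3f2b1c9e-0000-0000-0000-000000000000 summary
Elapsed Time (Minutes): 0.05
Number of File Transfers: 4
Number of Transfers Completed: 3
Number of Transfers Failed: 1
TotalBytesTransferred: 734003200
Final Job Status: CompletedWithErrors
"""


def parse_azcopy_log(text):
    """Return per-event counts, the transfer records, blob hosts seen and the job summary."""
    counts, transfers, hosts, summary = Counter(), [], set(), {}
    in_summary = False
    for line in text.splitlines():
        if line.rstrip().endswith(" summary") and " Job " in line:
            in_summary = True  # everything after this header is the end-of-file job summary
            continue
        if in_summary:
            m = SUMMARY_RE.match(line.strip())
            if m:
                summary[m.group("key").strip()] = m.group("value").strip()
            continue
        m = TRANSFER_RE.match(line)
        if not m:
            continue
        counts[m.group("event")] += 1
        transfers.append((m.group("ts"), m.group("event"), m.group("src"), m.group("dst")))
        for endpoint in (m.group("src"), m.group("dst")):
            h = BLOB_HOST_RE.search(endpoint)
            if h:
                hosts.add(h.group(1).lower())
    return {"counts": dict(counts), "transfers": transfers,
            "blob_hosts": sorted(hosts), "summary": summary}


def total_bytes(report):
    """TotalBytesTransferred from the summary (0 if the job never reached its summary)."""
    return int(report["summary"].get("TotalBytesTransferred", "0"))


def unknown_storage_accounts(report, known_accounts):
    """Blob hosts whose storage account name is not in the organisation's own inventory."""
    known = {a.lower() for a in known_accounts}
    return [h for h in report["blob_hosts"] if h.split(".")[0] not in known]


def uploaded_files(report):
    """Local source paths that were successfully pushed to Azure (the exfiltrated set)."""
    return [src for _, ev, src, _ in report["transfers"] if ev == "UPLOADSUCCESSFUL"]


def parse_azcopy_directory(directory=None):
    """Parse every *.log in the .azcopy directory the article names (defaults to the current user's)."""
    directory = Path(directory) if directory else Path.home() / ".azcopy"
    return {p.name: parse_azcopy_log(p.read_text(errors="replace"))
            for p in directory.glob("*.log")}


if __name__ == "__main__":
    r = parse_azcopy_log(SAMPLE_LOG)
    print(r["counts"], r["blob_hosts"], total_bytes(r), r["summary"].get("Final Job Status"))
    print("unknown accounts:", unknown_storage_accounts(r, ["corpbackupprod"]))
```

Run parse_azcopy_directory against a .azcopy folder copied from a disk image rather than the live profile, and compare unknown_storage_accounts with the storage accounts your tenant actually owns: a completed upload job whose destination account nobody recognises, together with the TotalBytesTransferred figure from the summary, is the scope evidence this section describes.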
Indicators of Compromise (IOCs)
Detecting the use of Azure Storage Explorer by threat actors involves recognizing certain Indicators of Compromise (IOCs) on the system. The following paths and files may suggest the presence of data exfiltration activities:
- File Paths:
  - %USERPROFILE%\AppData\Local\Programs\Microsoft Azure Storage Explorer
  - C:\Program Files\Microsoft Azure Storage Explorer
- Executables:
  - StorageExplorer.exe
  - azcopy_windows_amd64.exe
- AzCopy Log File Location:
  - %USERPROFILE%\.azcopy
- Network Indicator:
  - .blob.core.windows.net
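As an added example (not the article's, Security Newspaper's or Microsoft's code), the following Python script turns the host indicators listed above into a triage routine: it records which install location is present, where the two executables sit, and the time window covered by the .azcopy log files, which gives an investigator a starting point for the exfiltration timeline. The indicator paths and executable names are taken from the article; the snapshot format, the install-type labels and the sample directory listing are constructed assumptions.

```python
"""Host triage for the Azure Storage Explorer / AzCopy indicators in the article.
Added example, not the article's or Microsoft's code. The indicator paths are
from the article; the {path: (size, mtime)} snapshot format and the constructed
listing are mine so the evaluation can run offline on any platform."""
import os
from datetime import datetime, timezone

# Indicator directories from the article; {profile} stands for %USERPROFILE%.
INDICATOR_DIRS = {
    "per_user_install": r"{profile}\AppData\Local\Programs\Microsoft Azure Storage Explorer",
    "machine_install": r"C:\Program Files\Microsoft Azure Storage Explorer",
    "azcopy_logs": r"{profile}\.azcopy",
}
# Executables from the article, lower-cased for matching.
INDICATOR_EXES = {"storageexplorer.exe", "azcopy_windows_amd64.exe"}


def _norm(path):
    """Case-insensitive, backslash-normalised form for prefix comparisons."""
    return path.replace("/", "\\").rstrip("\\").lower()


def snapshot_from_disk(user_profile):
    """Live collection: walk the indicator directories and record (size, mtime) per file."""
    snap = {}
    for template in INDICATOR_DIRS.values():
        root = template.format(profile=user_profile)
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue
                snap[full] = (st.st_size, st.st_mtime)
    return snap


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def triage(snapshot, user_profile):
    """Evaluate a {path: (size, mtime)} snapshot against the article's indicators."""
    findings = {"installs": [], "executables": [], "azcopy_logs": [], "log_window_utc": None}
    dirs = {k: _norm(v.format(profile=user_profile)) for k, v in INDICATOR_DIRS.items()}
    for path, (size, mtime) in snapshot.items():
        n = _norm(path)
        for key, root in dirs.items():
            # Record which install location is populated (the log dir is not an install).
            if key != "azcopy_logs" and n.startswith(root + "\\") and key not in findings["installs"]:
                findings["installs"].append(key)
        if n.rsplit("\\", 1)[-1] in INDICATOR_EXES:
            findings["executables"].append((path, size))
        if n.startswith(dirs["azcopy_logs"] + "\\") and n.endswith(".log"):
            findings["azcopy_logs"].append((path, mtime))
    if findings["azcopy_logs"]:
        # Oldest and newest log modification times bound the AzCopy activity window.
        times = sorted(m for _, m in findings["azcopy_logs"])
        findings["log_window_utc"] = (_utc(times[0]), _utc(times[-1]))
    findings["executables"].sort()
    findings["azcopy_logs"].sort(key=lambda item: item[1])
    return findings


# Constructed listing standing in for a workstation under investigation; nothing here is a real artefact.
SAMPLE_SNAPSHOT = {
    r"C:\Users\alice\AppData\Local\Programs\Microsoft Azure Storage Explorer\StorageExplorer.exe": (151_000_000, 1725975600.0),
    r"C:\Users\alice\AppData\Local\Programs\Microsoft Azure Storage Explorer\azcopy_windows_amd64.exe": (32_000_000, 1725975600.0),
    r"C:\Users\alice\.azcopy\3f2b1c9e-0000-0000-0000-000000000000.log": (48_213, 1725978734.0),
    r"C:\Users\alice\.azcopy\9a7d4e11-0000-0000-0000-000000000000.log": (1_204_991, 1725982200.0),
    r"C:\Users\alice\Documents\notes.txt": (812, 1725800000.0),
}


if __name__ == "__main__":
    profile = os.environ.get("USERPROFILE")
    snap = snapshot_from_disk(profile) if profile else SAMPLE_SNAPSHOT
    print(triage(snap, profile or r"C:\Users\alice"))
```

The per-user install under AppData sits outside Program Files and is easy to miss in a software inventory, so the install type is worth recording alongside the executables. The log window is only a lower bound: the article notes that the retained session (with “Logout on Exit” disabled) lets activity continue after a first look, so re-run the triage after containment and compare the windows.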