Sep 18 2024

Azure Storage Explorer: The Tool Hackers Use to Steal Your Data – Here’s How!

Category: Cloud computing, Data Breach | disc7 @ 12:43 pm

The article highlights how ransomware groups like BianLian and Rhysida are exploiting Microsoft Azure Storage Explorer for data exfiltration. Originally designed for managing Azure storage, this tool is now being repurposed by hackers to transfer stolen data to cloud storage. Attackers use Azure’s capabilities, such as AzCopy, to move large amounts of sensitive information. Security teams are advised to monitor logs for unusual activity, particularly around file transfers and Azure Blob storage connections, to detect and prevent such breaches.

For more details, visit Security Newspaper.

Azure Storage Background

To understand the implications of using Azure Storage Explorer for data exfiltration, it is essential to grasp the basics of Azure Blob Storage. It consists of three key resources:

  1. Storage Account: The overarching entity that provides a namespace for your data.
  2. Container: A logical grouping within the storage account that holds your blobs.
  3. Blob: The actual data object stored within a container.

This structure is similar to storage systems used by other public cloud providers, like Amazon S3 and Google Cloud Storage.

AzCopy Logging and Analysis – The Key to Detecting Data Theft

Azure Storage Explorer uses AzCopy, a command-line tool, to handle data transfers. It generates detailed logs during these transfers, offering a crucial avenue for incident responders to identify data exfiltration attempts.

By default, Azure Storage Explorer and AzCopy use the “INFO” logging level, which captures key events such as file uploads, downloads, and copies. The log entries can include:

  • UPLOADSUCCESSFUL and UPLOADFAILED: Indicate the outcome of file upload operations.
  • DOWNLOADSUCCESSFUL and DOWNLOADFAILED: Reveal details of files brought into the network from Azure.
  • COPYSUCCESSFUL and COPYFAILED: Show copying activities across different storage accounts.

The logs are stored in the .azcopy directory within the user’s profile, offering a valuable resource for forensic analysis.

Logging Settings and Investigation Challenges

Azure Storage Explorer provides a “Logout on Exit” setting, which is disabled by default. This default setting retains any valid Azure Storage sessions when the application is reopened, potentially allowing threat actors to continue their activities even after initial investigations.

At the end of the AzCopy log file, investigators can find a summary of job activities, providing an overview of the entire data transfer operation. This final summary can be instrumental in understanding the scope of data exfiltration carried out by the attackers.
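As an added example (not code from the post or from Microsoft), the following Python script pulls the transfer outcomes described above and the closing job summary out of an AzCopy log, counting successful uploads and copies per destination storage host so an investigator can compare them against known corporate accounts. The sample log is constructed; its line shape approximates the INFO-level format and is an assumption, as are the host "exfil01" and the file paths.

```python
import re
from collections import Counter

# Constructed sample of an AzCopy log (not a captured log; line shape is an
# approximation of the INFO-level format, the host and paths are made up).
SAMPLE_LOG = """\
2024/09/18 12:40:01 INFO: [P#0-T#0] UPLOADSUCCESSFUL: C:\\Users\\alice\\Documents\\payroll.xlsx -> https://exfil01.blob.core.windows.net/data/payroll.xlsx
2024/09/18 12:40:02 INFO: [P#0-T#1] UPLOADFAILED: C:\\Users\\alice\\Documents\\mail.pst -> https://exfil01.blob.core.windows.net/data/mail.pst
2024/09/18 12:40:03 INFO: [P#0-T#2] COPYSUCCESSFUL: https://corp-backup.blob.core.windows.net/hr/contracts.zip -> https://exfil01.blob.core.windows.net/data/contracts.zip
2024/09/18 12:40:04 INFO: [P#0-T#3] DOWNLOADSUCCESSFUL: https://corp-backup.blob.core.windows.net/hr/org.pdf -> C:\\Users\\alice\\Downloads\\org.pdf
Total Number of Transfers: 4
Number of Transfers Completed: 3
Number of Transfers Failed: 1
TotalBytesTransferred: 73400320
Final Job Status: CompletedWithErrors
"""

# One transfer event per line: operation, outcome, source -> destination.
TRANSFER_RE = re.compile(r"\b(UPLOAD|DOWNLOAD|COPY)(SUCCESSFUL|FAILED): (.+?) -> (.+)$")
BLOB_HOST_RE = re.compile(r"https://([a-z0-9-]+\.blob\.core\.windows\.net)", re.I)
SUMMARY_KEYS = ("Total Number of Transfers", "Number of Transfers Completed",
                "Number of Transfers Failed", "TotalBytesTransferred", "Final Job Status")

def parse_transfers(log_text):
    """Extract every UPLOAD/DOWNLOAD/COPY event as a dict."""
    events = []
    for line in log_text.splitlines():
        m = TRANSFER_RE.search(line)
        if m:
            events.append({"op": m.group(1), "ok": m.group(2) == "SUCCESSFUL",
                           "src": m.group(3).strip(), "dst": m.group(4).strip()})
    return events

def outbound_blob_hosts(events):
    """Count successful uploads and copies per destination storage host.
    Data leaving the environment lands at the destination, so unknown hosts
    here are the exfiltration signal; downloads and failures are ignored."""
    hosts = Counter()
    for e in events:
        if e["ok"] and e["op"] in ("UPLOAD", "COPY"):
            m = BLOB_HOST_RE.search(e["dst"])
            if m:
                hosts[m.group(1).lower()] += 1
    return hosts

def parse_job_summary(log_text):
    """Read the job summary at the end of the log; numeric fields become ints."""
    summary = {}
    for key in SUMMARY_KEYS:
        m = re.search(rf"^{re.escape(key)}:\s*(\S+)", log_text, re.M)
        if m:
            summary[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return summary
```

Point the script at every file under %USERPROFILE%\.azcopy and review any destination host that is not one of your own storage accounts.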

Indicators of Compromise (IOCs)

Detecting the use of Azure Storage Explorer by threat actors involves recognizing certain Indicators of Compromise (IOCs) on the system. The following paths and files may suggest the presence of data exfiltration activities:

  • File Paths:
    • %USERPROFILE%\AppData\Local\Programs\Microsoft Azure Storage Explorer
    • C:\Program Files\Microsoft Azure Storage Explorer
  • Executables:
    • StorageExplorer.exe
    • azcopy_windows_amd64.exe
  • AzCopy Log File Location:
    • %USERPROFILE%\.azcopy
  • Network Indicator:
    • .blob.core.windows.net


Tags: Azure data, Azure Hacking, Azure Storage Explorer


Feb 13 2024

New Azure Hacking Campaign Steals Senior Executive Accounts

Category: Hacking, Information Security | disc7 @ 7:25 am

An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.

Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.

Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.

Attackers Targeting Wide Range Of Individuals

Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.

“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”

Threat actors take a pragmatic approach, as the variety of targeted positions shows, aiming to compromise accounts that hold varying degrees of access to important resources and responsibilities across organizational activities.

In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chain’s access phase.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user agent, along with other native Microsoft 365 apps, like:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications)
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation)
  • ‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
  • ‘My Apps’
  • ‘My Profile’
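As an added example (not code from Proofpoint or from this post), a small Python hunt over sign-in records that flags users seen with the campaign user agent above against the listed applications, and marks the ‘My Signins’ combination the report ties to MFA manipulation. The records are constructed; the field names assume the Microsoft Graph signIn schema (userPrincipalName, appDisplayName, userAgent, ipAddress), and the users and addresses are made up.

```python
from collections import defaultdict

# User agent reported for the campaign and the sign-in apps listed with it.
CAMPAIGN_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
WATCHED_APPS = {"OfficeHome", "Office365 Shell WCSS-Client", "Office 365 Exchange Online",
                "My Signins", "My Apps", "My Profile"}

# Constructed sign-in records (field names follow the Graph signIn resource;
# users, addresses and the benign user agent are made up).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "OfficeHome",
     "userAgent": CAMPAIGN_UA, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "My Signins",
     "userAgent": CAMPAIGN_UA, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "Office 365 Exchange Online",
     "userAgent": CAMPAIGN_UA, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "sales@example.com", "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0", "ipAddress": "192.0.2.5"},
    {"userPrincipalName": "ops@example.com", "appDisplayName": "Microsoft Teams",
     "userAgent": CAMPAIGN_UA, "ipAddress": "203.0.113.10"},
]

def hunt(signins):
    """Group sign-ins matching both the campaign UA and a watched app by user.
    Returns, per user, the apps and source IPs seen and whether ‘My Signins’
    (the MFA-method management page) was among them."""
    hits = defaultdict(lambda: {"apps": set(), "ips": set(), "mfa_manipulation": False})
    for s in signins:
        if s.get("userAgent") != CAMPAIGN_UA or s.get("appDisplayName") not in WATCHED_APPS:
            continue
        h = hits[s["userPrincipalName"]]
        h["apps"].add(s["appDisplayName"])
        h["ips"].add(s["ipAddress"])
    for h in hits.values():
        h["mfa_manipulation"] = "My Signins" in h["apps"]
    # Most apps touched first: breadth of misuse is a reasonable triage order.
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1]["apps"])))
```

A flagged user with several source IPs is consistent with the proxy use described below, so review the MFA methods registered on that account before trusting its sign-ins.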

Attackers register their own MFA methods to maintain persistent access. They choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.

MFA manipulation events executed by attackers in a compromised cloud tenant

Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.

Mailbox access is also used to target individual user accounts with phishing threats and to move laterally across compromised organizations.

Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.

Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.

Obfuscation mailbox rules created by attackers following successful account takeover

“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.

Thus, in your cloud environment, watch for account takeover (ATO) and possible unauthorized access to key resources. Security solutions must offer precise and prompt identification of both the initial account compromise and post-compromise actions, together with insight into the services and applications that have been misused.



Tags: Azure Hacking