Ransomware gangs are increasingly using Microsoft’s Azure Storage Explorer and AzCopy tools to steal data from breached networks and store it in Azure Blob storage. According to cybersecurity firm modePUSH, the stolen data is then stored in an Azure Blob container in the cloud, where it can later be transferred by the threat actors.
The researchers observed that the attackers had to put extra work into getting Azure Storage Explorer working, including installing dependencies and upgrading .NET to version 8. This suggests a focus on data theft in ransomware operations, which is the main leverage for threat actors in the ensuing extortion phase.
Azure’s trusted enterprise-grade service makes it unlikely to be blocked by corporate firewalls and security tools, allowing data transfer attempts through it to go undetected. Additionally, Azure’s scalability and performance enable it to handle large volumes of unstructured data, making it beneficial for attackers attempting to exfiltrate large numbers of files in the shortest possible time.
modePUSH observed ransomware actors using multiple instances of Azure Storage Explorer to upload files to a blob container, speeding up the process as much as possible. The researchers also found that the threat actors enabled default ‘Info’ level logging when using Storage Explorer and AzCopy, creating a log file at %USERPROFILE%\.azcopy.
This log file is valuable for incident responders, containing information on file operations and allowing investigators to quickly determine what data was stolen (UPLOADSUCCESSFUL) and what other payloads were potentially introduced (DOWNLOADSUCCESSFUL).
Defense measures include monitoring for AzCopy execution, outbound network traffic to Azure Blob Storage endpoints at “.blob.core.windows.net” or Azure IP ranges, and setting alarms for unusual patterns in file copying or access on critical servers. It is also recommended to check the ‘Logout on Exit’ option to automatically sign out upon exiting the application, preventing attackers from using the active session for file theft.
Source: https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-abuse-microsoft-azure-tool-for-data-theft/