Ransomware groups are increasingly adopting new strategies for data exfiltration, with recent evidence pointing to the use of Microsoft’s Azure Storage Explorer for large-scale data theft. The trend, observed by modePUSH in their latest investigations, marks a significant shift in ransomware tactics and raises the stakes for incident response teams worldwide.
Over the past five years, data exfiltration has evolved from a rare occurrence to a common tactic in ransomware attacks. The primary goal of exfiltration is to extract sensitive information from compromised systems, providing additional leverage to threat actors during negotiations.
Ransomware groups like BianLian and Rhysida have recently been observed using Azure Storage Explorer to exfiltrate sensitive data. This Microsoft application, which offers a graphical interface for managing Azure storage, is now being repurposed by attackers for large-scale data transfers to cloud storage. modePUSH’s analysis of this tactic provides critical insights for incident responders on how to detect and mitigate these new threats.
Azure Storage Explorer – The Tool for Data Theft
Azure Storage Explorer is a Microsoft application designed to manage various Azure storage components such as blobs, file shares, and managed disks. While its primary purpose is to provide a user-friendly interface for managing storage data, threat actors have identified its potential for large-scale data transfers, exploiting it for data exfiltration.
In modePUSH’s most prolific investigation, the BianLian ransomware group used the Windows OS AMD64 version of Azure Storage Explorer to copy hundreds of files from a company’s main file server. The tool was installed on the compromised system, often requiring the threat actors to upgrade the .NET version to version 8 before proceeding with the installation.
The attackers installed Azure Storage Explorer in the following directory paths, depending on their installation choice:
%USERPROFILE%\AppData\Local\Programs\Microsoft Azure Storage ExplorerC:\Program Files\Microsoft Azure Storage Explorer
Additionally, the AzCopy executable, used for managing file transfers within Azure Storage Explorer, was located in:
app\node_modules\@azure-tools\azcopy-win64\dist\bin\azcopy_windows_amd64.exe
Why Azure Storage Explorer?
Azure Storage Explorer allows threat actors to upload files directly to a blob container within Azure Blob Storage. This storage type is optimized for handling large volumes of unstructured data, offering high scalability. Additionally, network security controls are unlikely to block outbound connections to Microsoft IP addresses hosting Azure storage accounts, making this approach highly effective for covert data exfiltration.
Azure Storage Background
To understand the implications of using Azure Storage Explorer for data exfiltration, it is essential to grasp the basics of Azure Blob Storage. It consists of three key resources:
- Storage Account: The overarching entity that provides a namespace for your data.
- Container: A logical grouping within the storage account that holds your blobs.
- Blob: The actual data object stored within a container.
This structure is similar to storage systems used by other public cloud providers, like Amazon S3 and Google Cloud Storage.
AzCopy Logging and Analysis – The Key to Detecting Data Theft
Azure Storage Explorer uses AzCopy, a command-line tool, to handle data transfers. It generates detailed logs during these transfers, offering a crucial avenue for incident responders to identify data exfiltration attempts.
By default, Azure Storage Explorer and AzCopy use the “INFO” logging level, which captures key events such as file uploads, downloads, and copies. The log entries can include:
- UPLOADSUCCESSFUL and UPLOADFAILED: Indicate the outcome of file upload operations.
- DOWNLOADSUCCESSFUL and DOWNLOADFAILED: Reveal details of files brought into the network from Azure.
- COPYSUCCESSFUL and COPYFAILED: Show copying activities across different storage accounts.
The logs are stored in the .azcopy directory within the user’s profile, offering a valuable resource for forensic analysis.
Logging Settings and Investigation Challenges
Azure Storage Explorer provides a “Logout on Exit” setting, which is disabled by default. This default setting retains any valid Azure Storage sessions when the application is reopened, potentially allowing threat actors to continue their activities even after initial investigations.
At the end of the AzCopy log file, investigators can find a summary of job activities, providing an overview of the entire data transfer operation. This final summary can be instrumental in understanding the scope of data exfiltration carried out by the attackers.
Indicators of Compromise (IOCs)
Detecting the use of Azure Storage Explorer by threat actors involves recognizing certain Indicators of Compromise (IOCs) on the system. The following paths and files may suggest the presence of data exfiltration activities:
- File Paths:
%USERPROFILE%\AppData\Local\Programs\Microsoft Azure Storage ExplorerC:\Program Files\Microsoft Azure Storage Explorer
- Executables:
StorageExplorer.exeazcopy_windows_amd64.exe
- AzCopy Log File Location:
%USERPROFILE%\.azcopy
- Network Indicator:
.blob.core.windows.net
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
