Cybercriminal groups, including BianLian and Rhysida, are increasingly using Microsoft’s Azure cloud services to steal data from hacked networks. They’re taking advantage of Azure’s tools, like Storage Explorer and AzCopy, to manage and transfer large amounts of stolen data.
Azure Storage Explorer is a user-friendly tool that lets you browse and manage files in Microsoft’s Azure cloud. Meanwhile, AzCopy is a command-line tool designed to handle fast, large-scale data transfers in and out of Azure storage.
According to cybersecurity firm modePUSH, ransomware gangs are using these tools to store stolen data in Azure’s Blob storage, which is designed for managing large amounts of unstructured data. After the data is safely stored in Azure, it can later be transferred to the attackers’ own storage systems, often without being detected by the victim organization’s security measures.
Azure lure
Cybercriminals have plenty of data transfer tools at their disposal, such as Rclone for syncing files across cloud providers and MEGAsync for moving data to the MEGA cloud. So why use Azure?
Azure is a trusted platform used by many businesses, which means it’s less likely to be blocked by security tools or corporate firewalls. This makes it easier for attackers to transfer data without raising red flags. Plus, Azure can handle massive amounts of data quickly, which is useful when cybercriminals want to exfiltrate large quantities of files in a short time.
In fact, modePUSH observed that some attackers use multiple instances of Azure Storage Explorer simultaneously to speed up the data theft process.
Going the extra mile for that file
While using Azure offers big advantages for these ransomware groups, it’s not without some hurdles. For instance, attackers sometimes need to install extra software and update their systems (like upgrading .NET to version 8) to get Azure Storage Explorer to work properly. Even though this requires extra effort, the benefits of using Azure to go undetected make it worthwhile for them.
The crumb trail to see through and track threat actors
One key advantage for defenders is that when ransomware gangs use tools like AzCopy and Storage Explorer, they unknowingly generate log files that can be highly useful for incident response teams. These logs, typically saved in the %USERPROFILE%\.azcopy directory, automatically record details about file operations, such as which files were uploaded (indicated by "UPLOADSUCCESSFUL") or downloaded ("DOWNLOADSUCCESSFUL"). These logs act as a breadcrumb trail, helping investigators quickly determine what data was stolen and what other malicious actions may have taken place. By reviewing these logs, cybersecurity teams can get a clearer picture of the attackers' actions and timelines, aiding in both damage assessment and response efforts.
Keeping malicious actors at bay
To protect against these types of attacks, businesses should monitor for the use of AzCopy and keep an eye on outbound network traffic to Azure Blob Storage, which typically shows up as connections to hostnames ending in ".blob.core.windows.net". Additionally, setting up alerts for unusual patterns in file copying or access on important servers can help detect suspicious activity early.
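As an added example (not code from the article or from modePUSH), the Python below sketches the triage a responder could run on the two artifacts the article points at: the AzCopy log entries marked UPLOADSUCCESSFUL / DOWNLOADSUCCESSFUL, and outbound hostnames under .blob.core.windows.net. The sample log lines are constructed in a simplified, assumed layout; the real AzCopy log format may differ, so adjust the regex to the files you actually find in %USERPROFILE%\.azcopy.

```python
import re

# Constructed sample AzCopy-style log lines (assumption: simplified
# "<timestamp> <level>: <STATUS>: <path>" layout; the real file format may differ).
SAMPLE_LOG = """\
2024/09/12 10:15:32 INFO: UPLOADSUCCESSFUL: C:\\Finance\\Q3_forecast.xlsx
2024/09/12 10:15:33 INFO: UPLOADSUCCESSFUL: C:\\Finance\\payroll_2024.csv
2024/09/12 10:15:35 INFO: UPLOADFAILED: C:\\Finance\\locked.db
2024/09/12 10:20:01 INFO: DOWNLOADSUCCESSFUL: C:\\Tools\\stage\\helper.exe
2024/09/12 10:21:10 INFO: UPLOADSUCCESSFUL: C:\\HR\\employee_records.docx
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \w+: ([A-Z]+): (.+)$")


def parse_azcopy_log(text):
    """Return one {'ts', 'status', 'path'} dict per line that matches LINE_RE."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"ts": m.group(1), "status": m.group(2), "path": m.group(3)})
    return entries


def summarize_transfers(entries):
    """Group paths by outcome and bound the upload window for the IR timeline."""
    uploaded = [e["path"] for e in entries if e["status"] == "UPLOADSUCCESSFUL"]
    downloaded = [e["path"] for e in entries if e["status"] == "DOWNLOADSUCCESSFUL"]
    failed = [e["path"] for e in entries if e["status"].endswith("FAILED")]
    upload_ts = [e["ts"] for e in entries if e["status"] == "UPLOADSUCCESSFUL"]
    return {
        "uploaded": uploaded,
        "downloaded": downloaded,
        "failed": failed,
        "first_upload": min(upload_ts) if upload_ts else None,
        "last_upload": max(upload_ts) if upload_ts else None,
    }


def is_azure_blob_host(host):
    """True when a proxy/DNS hostname sits under .blob.core.windows.net (exact
    suffix match, so look-alike names that merely contain the string do not match)."""
    return host.lower().rstrip(".").endswith(".blob.core.windows.net")


if __name__ == "__main__":
    summary = summarize_transfers(parse_azcopy_log(SAMPLE_LOG))
    print(f"{len(summary['uploaded'])} files uploaded between "
          f"{summary['first_upload']} and {summary['last_upload']}")
    for path in summary["uploaded"]:
        print("  UPLOADED:", path)
```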
If your company already uses Azure, it’s also a good idea to enable the 'Logout on Exit' option in Azure Storage Explorer. This automatically signs you out of the tool when you’re done, preventing attackers from taking advantage of an active session to steal files.