Azure Storage Account Blob Public Access Enabled
Detection of Azure Storage Account Blob public access being enabled, potentially allowing external access to blob containers for data exfiltration, as abused by threat actors modifying storage account settings.
This alert focuses on detecting the enabling of public access to Azure Storage Account Blobs. This configuration change allows anonymous internet access to blob containers, bypassing typical authentication requirements. The activity is detected by monitoring for the Microsoft.Storage/storageAccounts/write operation within Azure Activity Logs. Observed in cloud ransom-based campaigns, threat actors such as STORM-0501 have exploited this misconfiguration to expose data for exfiltration. Detecting this behavior is critical to prevent unauthorized data access and potential ransomware attacks, particularly when sensitive information is stored within Azure Blob storage. The rule specifically looks for modifications where the allowBlobPublicAccess property is set to true.
Attack Chain
- Initial Compromise: The attacker gains initial access to an Azure account, potentially through compromised credentials or a vulnerable application.
- Privilege Escalation (if needed): The attacker escalates privileges within the Azure environment to gain the necessary permissions to modify storage account settings.
- Storage Account Discovery: The attacker identifies target storage accounts containing valuable data.
- Modify Storage Account Configuration: The attacker executes the
Microsoft.Storage/storageAccounts/writeoperation to modify the storage account's public access settings, specifically settingallowBlobPublicAccesstotrue. - Data Exfiltration: Once public access is enabled, the attacker accesses and exfiltrates the data stored in blob containers without needing authentication.
- Lateral Movement (optional): The attacker leverages the compromised storage account to gain access to other resources within the Azure environment.
- Ransom/Extortion (in some cases): The attacker encrypts the data in the storage account and demands a ransom for its recovery, or threatens to release the exfiltrated data publicly.
Impact
Enabling public access to Azure Storage Account Blobs can lead to significant data breaches and financial losses. Successful attacks can result in the exposure of sensitive customer data, intellectual property, or confidential business information. The STORM-0501 campaign demonstrates how this vulnerability can be exploited in cloud ransom-based campaigns. The impact can range from reputational damage and regulatory fines to significant operational disruptions. The number of affected records could be substantial depending on the size and content of the exposed blob containers.
Recommendation
- Deploy the Sigma rule
Azure Storage Account Public Blob Access Enabledto your SIEM to detect unauthorized modifications to storage account access settings. - Implement Azure Policy to prevent enabling public blob access on storage accounts containing sensitive data as described in the overview.
- Review Azure activity logs for any instances of
Microsoft.Storage/storageAccounts/writeevents as outlined in the attack chain to identify potential unauthorized changes. - Audit all blob containers within affected storage accounts (referenced in the overview) to identify which data may have been exposed and assess the potential impact of the exposure.
- Monitor the
azure.resource.namefield to track which storage accounts are being targeted.
Detection coverage 2
Azure Storage Account Public Blob Access Enabled
mediumDetects when Azure Storage Account Blob public access is enabled.
Azure Storage Account Modified by Unusual User Agent
lowDetects modifications to Azure Storage Accounts made by unusual user agents, potentially indicating malicious activity.
Detection queries are available on the platform. Get full rules →