<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Storage Account - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-storage-account/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:21:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-storage-account/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Storage Account Deletion Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/</link><pubDate>Tue, 09 Jan 2024 18:21:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/</guid><description>This brief detects the deletion of Azure Storage Accounts which can indicate malicious activity like data destruction, denial of service, or covering tracks after data exfiltration by adversaries.</description><content:encoded><![CDATA[<p>This detection identifies when an Azure Storage Account is deleted, a high-impact operation with significant consequences. Adversaries may delete storage accounts to disrupt operations, destroy evidence of their activities, or cause denial of service, potentially as part of ransomware or destructive attacks. Monitoring storage account deletions is crucial for detecting potential impact on business operations and data availability within Azure environments. The provided rule focuses on identifying storage account deletions performed by unusual users, leveraging Azure Activity Logs to pinpoint potentially malicious activity. The rule relies on the &quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE&quot; operation name and user identity information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Azure account through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker elevates their privileges within the Azure environment to gain the necessary permissions to manage storage accounts (requires Contributor or Owner role).</li>
<li>The attacker identifies a storage account containing sensitive data or critical application components.</li>
<li>The attacker executes the &quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE&quot; operation to delete the targeted storage account using an unusual user account.</li>
<li>Azure Activity Logs record the deletion event, including details about the user, timestamp, and resource involved.</li>
<li>The attacker attempts to cover their tracks by deleting or modifying other logs and audit trails.</li>
<li>The deletion of the storage account causes data loss, application downtime, and disruption of business operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of Azure Storage Accounts leads to permanent data loss, impacting business operations and application availability. The number of affected victims depends on the storage account's contents and the criticality of the applications relying on it. This activity can result in significant financial losses, reputational damage, and regulatory compliance issues. The deletion of storage accounts may be part of a larger ransomware or destructive attack targeting cloud infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Storage Account Deletion by Unusual User&quot; to your SIEM, using <code>logs-azure.activitylogs-*</code> index, and tune the <code>new_terms</code> field for your environment.</li>
<li>Review Azure RBAC permissions and restrict storage account deletion capabilities to authorized users only, based on the guidance in the rule documentation.</li>
<li>Configure Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted, as described in the rule documentation.</li>
<li>Implement Azure Resource Locks to prevent accidental or malicious deletion of critical storage accounts, per the rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>storage</category><category>deletion</category><category>impact</category></item><item><title>Azure Storage Account Key Regeneration</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-azure-storage-key-regen/</link><pubDate>Thu, 04 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-azure-storage-key-regen/</guid><description>Detection of Azure Storage Account key regeneration events, which can signify potential credential access or persistence attempts by adversaries aiming to gain unauthorized access or disrupt services.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of Azure Storage Account key regeneration events. Regenerating these keys can impact dependent applications and Azure services. An adversary might regenerate a storage account key to gain unauthorized access to storage resources, potentially leading to data exfiltration or service disruption. The detection rule monitors Azure activity logs for successful key regeneration operations, providing an opportunity to identify and respond to potential credential misuse. Key rotation is a normal part of operations, however, unscheduled key rotation, or key rotation from unfamiliar locations or users should be investigated.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to an Azure account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The adversary enumerates existing Azure storage accounts within the compromised subscription to identify potential targets.</li>
<li>The adversary authenticates to the Azure Resource Manager API using the compromised credentials or an established session.</li>
<li>The adversary executes a command to regenerate a storage account access key using the Azure CLI or PowerShell.</li>
<li>Azure Activity Logs record the event with <code>operation_name</code> as <code>MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION</code> and <code>event.outcome</code> as <code>Success</code>.</li>
<li>If successful, the adversary can then use the newly generated key to access the storage account and its contents.</li>
<li>The adversary attempts to access or download sensitive data stored within the Azure Storage Account, such as backups or proprietary files.</li>
<li>The adversary establishes persistence by using the new keys in automated scripts to access data in the storage account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful regeneration of Azure Storage Account keys can lead to unauthorized access to sensitive data, including customer information, proprietary data, and backups. This can result in data breaches, financial loss, and reputational damage. The scope of the impact depends on the permissions associated with the compromised account and the sensitivity of the data stored in the affected storage account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Storage Account Key Regenerated&quot; to your SIEM to detect unauthorized key regenerations in Azure Activity Logs.</li>
<li>Investigate any detected instances of storage account key regeneration, especially those performed by unfamiliar users or from unusual locations, by examining the <code>event.outcome</code> and associated user activity logs.</li>
<li>Implement multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise, mitigating initial access (TA0001).</li>
<li>Review and harden Azure Storage Account access policies and permissions to adhere to the principle of least privilege, limiting the impact of potential credential compromise (T1552).</li>
<li>Establish a process for regular, documented key rotation and create exceptions in the detection rule for these known events.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>credential-access</category><category>storage-account</category></item><item><title>Azure Storage Account Blob Public Access Enabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/</guid><description>Detection of Azure Storage Account Blob public access being enabled, potentially allowing external access to blob containers for data exfiltration, as abused by threat actors modifying storage account settings.</description><content:encoded><![CDATA[<p>This alert focuses on detecting the enabling of public access to Azure Storage Account Blobs. This configuration change allows anonymous internet access to blob containers, bypassing typical authentication requirements. The activity is detected by monitoring for the Microsoft.Storage/storageAccounts/write operation within Azure Activity Logs.  Observed in cloud ransom-based campaigns, threat actors such as STORM-0501 have exploited this misconfiguration to expose data for exfiltration. Detecting this behavior is critical to prevent unauthorized data access and potential ransomware attacks, particularly when sensitive information is stored within Azure Blob storage.  The rule specifically looks for modifications where the <code>allowBlobPublicAccess</code> property is set to <code>true</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker gains initial access to an Azure account, potentially through compromised credentials or a vulnerable application.</li>
<li><strong>Privilege Escalation (if needed):</strong> The attacker escalates privileges within the Azure environment to gain the necessary permissions to modify storage account settings.</li>
<li><strong>Storage Account Discovery:</strong> The attacker identifies target storage accounts containing valuable data.</li>
<li><strong>Modify Storage Account Configuration:</strong> The attacker executes the <code>Microsoft.Storage/storageAccounts/write</code> operation to modify the storage account's public access settings, specifically setting <code>allowBlobPublicAccess</code> to <code>true</code>.</li>
<li><strong>Data Exfiltration:</strong> Once public access is enabled, the attacker accesses and exfiltrates the data stored in blob containers without needing authentication.</li>
<li><strong>Lateral Movement (optional):</strong> The attacker leverages the compromised storage account to gain access to other resources within the Azure environment.</li>
<li><strong>Ransom/Extortion (in some cases):</strong> The attacker encrypts the data in the storage account and demands a ransom for its recovery, or threatens to release the exfiltrated data publicly.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Enabling public access to Azure Storage Account Blobs can lead to significant data breaches and financial losses.  Successful attacks can result in the exposure of sensitive customer data, intellectual property, or confidential business information.  The STORM-0501 campaign demonstrates how this vulnerability can be exploited in cloud ransom-based campaigns.  The impact can range from reputational damage and regulatory fines to significant operational disruptions.  The number of affected records could be substantial depending on the size and content of the exposed blob containers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Storage Account Public Blob Access Enabled</code> to your SIEM to detect unauthorized modifications to storage account access settings.</li>
<li>Implement Azure Policy to prevent enabling public blob access on storage accounts containing sensitive data as described in the overview.</li>
<li>Review Azure activity logs for any instances of <code>Microsoft.Storage/storageAccounts/write</code> events as outlined in the attack chain to identify potential unauthorized changes.</li>
<li>Audit all blob containers within affected storage accounts (referenced in the overview) to identify which data may have been exposed and assess the potential impact of the exposure.</li>
<li>Monitor the <code>azure.resource.name</code> field to track which storage accounts are being targeted.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>storage</category><category>data_exfiltration</category><category>cloud_security</category></item></channel></rss>