{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-storage/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage"],"_cs_severities":["medium"],"_cs_tags":["azure","exfiltration","cloud-storage","azcopy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the potential exfiltration of data from Azure Storage Accounts by abusing the AzCopy command-line utility with compromised Shared Access Signature (SAS) tokens. AzCopy is a legitimate tool for transferring data to and from Azure Storage, but adversaries can exploit it to download sensitive data if they gain access to valid SAS tokens. The activity is characterized by successful GetBlob operations originating from the AzCopy user agent and authenticated using SAS tokens. This activity is a concern for defenders because it allows attackers to bypass traditional access controls and exfiltrate data without directly compromising storage account credentials. The Elastic detection rule identifies the first occurrence of GetBlob operations from a specific storage account using this pattern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a valid SAS token for an Azure Storage Account. This could be achieved through phishing, credential stuffing, or exploiting a misconfigured application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AzCopy command-line utility on a compromised host or cloud instance.\u003c/li\u003e\n\u003cli\u003eAzCopy is configured with the compromised SAS token to authenticate against the target Azure Storage Account. The attacker sets the target using the storage account name.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a \u003ccode\u003eGetBlob\u003c/code\u003e request to retrieve specific blobs. They identify the target using the \u003ccode\u003eobjectKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Azure Storage Account logs the successful \u003ccode\u003eGetBlob\u003c/code\u003e operation. The logs include the \u003ccode\u003eAzCopy\u003c/code\u003e user agent, the SAS token authentication method, and a status code of 200.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 4 and 5 to exfiltrate multiple blobs. They may first use \u003ccode\u003eListBlobs\u003c/code\u003e or \u003ccode\u003eListContainers\u003c/code\u003e to enumerate storage contents.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated data is stored on the attacker's controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data for malicious purposes, such as extortion, espionage, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data stored within the Azure Storage Account. The damage depends on the sensitivity of the data, which could include confidential business documents, customer data, or proprietary code. The number of victims depends on the scope of the affected storage account. Organizations in any sector that rely on Azure Storage Accounts are at risk. Data breaches can result in financial losses, reputational damage, and legal repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Storage Diagnostic Logs, specifically the \u003ccode\u003eStorageRead\u003c/code\u003e log, and stream them to an Event Hub for analysis (references: setup section of the content).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eGetBlob\u003c/code\u003e operations with the \u003ccode\u003eAzCopy\u003c/code\u003e user agent and SAS token authentication. Tune the rule to your environment to minimize false positives (reference: rules section below).\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for SAS token generation events to identify potentially compromised tokens (reference: overview section of the content).\u003c/li\u003e\n\u003cli\u003eImplement shorter expiration times and restrictive permissions on SAS tokens to limit the potential impact of compromised credentials (reference: overview section of the content).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by reviewing the \u003ccode\u003eazure.platformlogs.properties.accountName\u003c/code\u003e, \u003ccode\u003eazure.platformlogs.properties.objectKey\u003c/code\u003e, \u003ccode\u003esource.address\u003c/code\u003e, and \u003ccode\u003eazure.platformlogs.identity.tokenHash\u003c/code\u003e fields to understand the context of the activity (reference: overview section of the content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-azcopy-exfiltration/","summary":"Successful GetBlob operations on Azure Storage Accounts using the AzCopy user agent with SAS token authentication can indicate data exfiltration by adversaries abusing compromised SAS tokens.","title":"Azure Storage Account Data Exfiltration via AzCopy and SAS Token Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-azcopy-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Storage","version":"https://jsonfeed.org/version/1.1"}