{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloud-storage/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rclone"],"_cs_severities":["medium"],"_cs_tags":["exfiltration","rclone","cloud storage","windows"],"_cs_type":"advisory","_cs_vendors":["rclone"],"content_html":"\u003cp\u003eThis detection identifies the potential abuse of rclone, a legitimate command-line program used for managing files on cloud storage, for malicious data exfiltration. Attackers might rename rclone to masquerade it as a security or backup utility and blend it with administrative traffic. They can then use rclone's copy or sync functions with specific cloud backends (like S3) and filters to target and exfiltrate sensitive file types. The use of rclone with suspicious arguments and without legitimate configuration paths can be a strong indicator of malicious activity. This activity is observed on Windows systems. Defenders need to be aware of this technique as it allows attackers to exfiltrate data without using conventional malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads rclone to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames \u003ccode\u003erclone.exe\u003c/code\u003e to a less suspicious name (e.g., \u003ccode\u003eTrendFileSecurityCheck.exe\u003c/code\u003e) to evade detection based on process name.\u003c/li\u003e\n\u003cli\u003eThe attacker uses rclone's \u003ccode\u003ecopy\u003c/code\u003e or \u003ccode\u003esync\u003c/code\u003e command to initiate data transfer to a remote cloud storage service such as Amazon S3 or a web server accessible via HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e--include\u003c/code\u003e flag to specify the file types to be exfiltrated (e.g., documents, source code, or databases).\u003c/li\u003e\n\u003cli\u003eThe attacker may use the \u003ccode\u003e--transfers\u003c/code\u003e flag to increase the number of parallel transfers, speeding up the exfiltration process.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a cron job to run rclone periodically, ensuring continuous exfiltration of data.\u003c/li\u003e\n\u003cli\u003eThe data is exfiltrated to the attacker's controlled cloud storage, completing the objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive company data, including intellectual property, financial records, or customer data. This data breach can result in financial losses, reputational damage, legal liabilities, and loss of competitive advantage. While the number of victims and sectors are unknown, the consequences of a successful data exfiltration can be severe for any organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Potential Data Exfiltration via Rclone\u0026quot; to your SIEM and tune for your environment to detect suspicious rclone activity based on process names and command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Rclone Process Without Standard Path\u0026quot; to alert when rclone is executed from non-standard directories, which could indicate a renamed or moved copy of the tool.\u003c/li\u003e\n\u003cli\u003eInvestigate any processes where \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e is \u003ccode\u003erclone.exe\u003c/code\u003e but the process name is different, indicating a possible attempt to evade detection as described in the Overview.\u003c/li\u003e\n\u003cli\u003eReview rclone command-line arguments for usage of \u003ccode\u003ecopy\u003c/code\u003e or \u003ccode\u003esync\u003c/code\u003e commands in conjunction with \u003ccode\u003e--include\u003c/code\u003e or \u003ccode\u003e--exclude\u003c/code\u003e flags to identify potentially targeted data as noted in the Triage section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon Event ID 1) for the execution of \u003ccode\u003erclone.exe\u003c/code\u003e or renamed copies with unusual command-line arguments, using the provided log source details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rclone-exfiltration/","summary":"The rule detects the abuse of rclone, a legitimate file synchronization tool, potentially renamed to evade detection, to exfiltrate data to cloud storage or remote endpoints, using copy/sync commands and specific file filters.","title":"Potential Data Exfiltration via Rclone","url":"https://feed.craftedsignal.io/briefs/2024-01-rclone-exfiltration/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Storage"],"_cs_severities":["medium"],"_cs_tags":["azure","exfiltration","cloud-storage","azcopy"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves the potential exfiltration of data from Azure Storage Accounts by abusing the AzCopy command-line utility with compromised Shared Access Signature (SAS) tokens. AzCopy is a legitimate tool for transferring data to and from Azure Storage, but adversaries can exploit it to download sensitive data if they gain access to valid SAS tokens. The activity is characterized by successful GetBlob operations originating from the AzCopy user agent and authenticated using SAS tokens. This activity is a concern for defenders because it allows attackers to bypass traditional access controls and exfiltrate data without directly compromising storage account credentials. The Elastic detection rule identifies the first occurrence of GetBlob operations from a specific storage account using this pattern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a valid SAS token for an Azure Storage Account. This could be achieved through phishing, credential stuffing, or exploiting a misconfigured application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AzCopy command-line utility on a compromised host or cloud instance.\u003c/li\u003e\n\u003cli\u003eAzCopy is configured with the compromised SAS token to authenticate against the target Azure Storage Account. The attacker sets the target using the storage account name.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a \u003ccode\u003eGetBlob\u003c/code\u003e request to retrieve specific blobs. They identify the target using the \u003ccode\u003eobjectKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Azure Storage Account logs the successful \u003ccode\u003eGetBlob\u003c/code\u003e operation. The logs include the \u003ccode\u003eAzCopy\u003c/code\u003e user agent, the SAS token authentication method, and a status code of 200.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 4 and 5 to exfiltrate multiple blobs. They may first use \u003ccode\u003eListBlobs\u003c/code\u003e or \u003ccode\u003eListContainers\u003c/code\u003e to enumerate storage contents.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated data is stored on the attacker's controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data for malicious purposes, such as extortion, espionage, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data stored within the Azure Storage Account. The damage depends on the sensitivity of the data, which could include confidential business documents, customer data, or proprietary code. The number of victims depends on the scope of the affected storage account. Organizations in any sector that rely on Azure Storage Accounts are at risk. Data breaches can result in financial losses, reputational damage, and legal repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Storage Diagnostic Logs, specifically the \u003ccode\u003eStorageRead\u003c/code\u003e log, and stream them to an Event Hub for analysis (references: setup section of the content).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003eGetBlob\u003c/code\u003e operations with the \u003ccode\u003eAzCopy\u003c/code\u003e user agent and SAS token authentication. Tune the rule to your environment to minimize false positives (reference: rules section below).\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for SAS token generation events to identify potentially compromised tokens (reference: overview section of the content).\u003c/li\u003e\n\u003cli\u003eImplement shorter expiration times and restrictive permissions on SAS tokens to limit the potential impact of compromised credentials (reference: overview section of the content).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by reviewing the \u003ccode\u003eazure.platformlogs.properties.accountName\u003c/code\u003e, \u003ccode\u003eazure.platformlogs.properties.objectKey\u003c/code\u003e, \u003ccode\u003esource.address\u003c/code\u003e, and \u003ccode\u003eazure.platformlogs.identity.tokenHash\u003c/code\u003e fields to understand the context of the activity (reference: overview section of the content).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-azcopy-exfiltration/","summary":"Successful GetBlob operations on Azure Storage Accounts using the AzCopy user agent with SAS token authentication can indicate data exfiltration by adversaries abusing compromised SAS tokens.","title":"Azure Storage Account Data Exfiltration via AzCopy and SAS Token Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-azcopy-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed - Cloud-Storage","version":"https://jsonfeed.org/version/1.1"}