<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Storage - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/storage/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:21:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/storage/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Storage Account Deletion Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/</link><pubDate>Tue, 09 Jan 2024 18:21:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-storage-deletion/</guid><description>This brief detects the deletion of Azure Storage Accounts which can indicate malicious activity like data destruction, denial of service, or covering tracks after data exfiltration by adversaries.</description><content:encoded><![CDATA[<p>This detection identifies when an Azure Storage Account is deleted, a high-impact operation with significant consequences. Adversaries may delete storage accounts to disrupt operations, destroy evidence of their activities, or cause denial of service, potentially as part of ransomware or destructive attacks. Monitoring storage account deletions is crucial for detecting potential impact on business operations and data availability within Azure environments. The provided rule focuses on identifying storage account deletions performed by unusual users, leveraging Azure Activity Logs to pinpoint potentially malicious activity. The rule relies on the &quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE&quot; operation name and user identity information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Azure account through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker elevates their privileges within the Azure environment to gain the necessary permissions to manage storage accounts (requires Contributor or Owner role).</li>
<li>The attacker identifies a storage account containing sensitive data or critical application components.</li>
<li>The attacker executes the &quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE&quot; operation to delete the targeted storage account using an unusual user account.</li>
<li>Azure Activity Logs record the deletion event, including details about the user, timestamp, and resource involved.</li>
<li>The attacker attempts to cover their tracks by deleting or modifying other logs and audit trails.</li>
<li>The deletion of the storage account causes data loss, application downtime, and disruption of business operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of Azure Storage Accounts leads to permanent data loss, impacting business operations and application availability. The number of affected victims depends on the storage account's contents and the criticality of the applications relying on it. This activity can result in significant financial losses, reputational damage, and regulatory compliance issues. The deletion of storage accounts may be part of a larger ransomware or destructive attack targeting cloud infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Storage Account Deletion by Unusual User&quot; to your SIEM, using <code>logs-azure.activitylogs-*</code> index, and tune the <code>new_terms</code> field for your environment.</li>
<li>Review Azure RBAC permissions and restrict storage account deletion capabilities to authorized users only, based on the guidance in the rule documentation.</li>
<li>Configure Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted, as described in the rule documentation.</li>
<li>Implement Azure Resource Locks to prevent accidental or malicious deletion of critical storage accounts, per the rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>storage</category><category>deletion</category><category>impact</category></item><item><title>Azure Storage Account Blob Public Access Enabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-blob-public-access/</guid><description>Detection of Azure Storage Account Blob public access being enabled, potentially allowing external access to blob containers for data exfiltration, as abused by threat actors modifying storage account settings.</description><content:encoded><![CDATA[<p>This alert focuses on detecting the enabling of public access to Azure Storage Account Blobs. This configuration change allows anonymous internet access to blob containers, bypassing typical authentication requirements. The activity is detected by monitoring for the Microsoft.Storage/storageAccounts/write operation within Azure Activity Logs.  Observed in cloud ransom-based campaigns, threat actors such as STORM-0501 have exploited this misconfiguration to expose data for exfiltration. Detecting this behavior is critical to prevent unauthorized data access and potential ransomware attacks, particularly when sensitive information is stored within Azure Blob storage.  The rule specifically looks for modifications where the <code>allowBlobPublicAccess</code> property is set to <code>true</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker gains initial access to an Azure account, potentially through compromised credentials or a vulnerable application.</li>
<li><strong>Privilege Escalation (if needed):</strong> The attacker escalates privileges within the Azure environment to gain the necessary permissions to modify storage account settings.</li>
<li><strong>Storage Account Discovery:</strong> The attacker identifies target storage accounts containing valuable data.</li>
<li><strong>Modify Storage Account Configuration:</strong> The attacker executes the <code>Microsoft.Storage/storageAccounts/write</code> operation to modify the storage account's public access settings, specifically setting <code>allowBlobPublicAccess</code> to <code>true</code>.</li>
<li><strong>Data Exfiltration:</strong> Once public access is enabled, the attacker accesses and exfiltrates the data stored in blob containers without needing authentication.</li>
<li><strong>Lateral Movement (optional):</strong> The attacker leverages the compromised storage account to gain access to other resources within the Azure environment.</li>
<li><strong>Ransom/Extortion (in some cases):</strong> The attacker encrypts the data in the storage account and demands a ransom for its recovery, or threatens to release the exfiltrated data publicly.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Enabling public access to Azure Storage Account Blobs can lead to significant data breaches and financial losses.  Successful attacks can result in the exposure of sensitive customer data, intellectual property, or confidential business information.  The STORM-0501 campaign demonstrates how this vulnerability can be exploited in cloud ransom-based campaigns.  The impact can range from reputational damage and regulatory fines to significant operational disruptions.  The number of affected records could be substantial depending on the size and content of the exposed blob containers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Storage Account Public Blob Access Enabled</code> to your SIEM to detect unauthorized modifications to storage account access settings.</li>
<li>Implement Azure Policy to prevent enabling public blob access on storage accounts containing sensitive data as described in the overview.</li>
<li>Review Azure activity logs for any instances of <code>Microsoft.Storage/storageAccounts/write</code> events as outlined in the attack chain to identify potential unauthorized changes.</li>
<li>Audit all blob containers within affected storage accounts (referenced in the overview) to identify which data may have been exposed and assess the potential impact of the exposure.</li>
<li>Monitor the <code>azure.resource.name</code> field to track which storage accounts are being targeted.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>storage</category><category>data_exfiltration</category><category>cloud_security</category></item><item><title>Multiple Azure Storage Account Deletions by User</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-deletion/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-azure-storage-deletion/</guid><description>A single user or service principal deleting multiple Azure Storage Accounts within a short time period may indicate malicious activity such as data destruction, service disruption, or a ransomware attack.</description><content:encoded><![CDATA[<p>This detection identifies when a single user or service principal deletes multiple Azure Storage Accounts within a short time period. This behavior can indicate an adversary attempting to cause widespread service disruption, destroy evidence, or execute a destructive attack such as ransomware. Mass deletion of storage accounts can have severe business impact and is rarely performed by legitimate administrators except during controlled decommissioning activities. The original Elastic detection rule was published on 2025/10/08 and updated on 2026/04/10. This threat is important for defenders because Azure Storage Accounts are critical infrastructure components that store application data, backups, and business-critical information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an Azure account or service principal.</li>
<li>The attacker enumerates available Azure Storage Accounts within the subscription.</li>
<li>The attacker uses the Azure portal, CLI, or API to initiate deletion of multiple storage accounts.</li>
<li>Azure Activity Logs record the &quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE&quot; operations.</li>
<li>The attacker attempts to disable or delete backups to hinder recovery efforts.</li>
<li>If successful, the deletion of storage accounts results in data loss and service disruption.</li>
<li>The attacker may attempt to exfiltrate additional data before final deletion.</li>
<li>The attack aims to cause maximum impact by deleting as many storage accounts as possible in a short timeframe.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Mass deletion of storage accounts can result in significant data loss, service disruption, and financial damage. The number of affected storage accounts can vary, but the impact is generally high due to the critical nature of stored data. This attack could impact any organization using Azure Storage Accounts, including those in the technology, finance, and healthcare sectors. If successful, organizations may experience data breaches, compliance violations, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Azure Storage Account Deletions by User&quot; to your SIEM and tune for your environment.</li>
<li>Review Azure Activity Logs for the &quot;MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE&quot; operation to investigate potential mass deletion attempts.</li>
<li>Implement Azure Resource Locks on all critical storage accounts to prevent accidental or malicious deletion.</li>
<li>Configure Azure Policy to require approval workflows for storage account deletions using Azure Blueprints or custom governance solutions.</li>
<li>Enable Azure Activity Log alerts to notify security teams immediately when storage accounts are deleted.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>azure</category><category>storage</category><category>impact</category></item></channel></rss>