More attacks by the Rhysida and BianLian ransomware operations have exploited Microsoft's Azure Storage Explorer and AzCopy utilities to efficiently exfiltrate troves of data from compromised networks while better evading detection by firewalls and security tools, BleepingComputer reports.
After installing dependencies and upgrading .NET to version 8, ransomware gangs leveraged several Azure Storage Explorer instances to accelerate uploads of stolen files to Azure Blob storage before being transferred to their storage, according to a report from modePUSH. Further analysis revealed that default 'Info' level logging had been activated in both Storage Explorer and AzCopy, allowing the creation of a log file that detailed stolen data and possibly deployed payloads. Such findings, which highlight ransomware operations' mounting data exfiltration efforts, should prompt organizations to strengthen AzCopy execution and Azure Blob Storage endpoint traffic tracking, said researchers. Organizations have also been urged to enable 'Logout on Exit' for automated app signouts to curb compromise.