Microsoft's Azure Blob Storage was on the wrong end of a recent hack, illustrating storage systems' vulnerability. Indeed, cybercriminals are at it again, and they are using Microsoft’s Azure Blob Storage service to carry out attacks. Azure Blob Storage is typically used to store and access unstructured data via both HTTP and HTTPS. When it connects through HTTPS, it shows Microsoft’s SSL certificate.
Here’s why that’s important: The cybercriminals are impersonating Microsoft. As a result, some users have encountered a well-known Microsoft Office 365 login field from a decoy website seemingly encrypted with a legitimate Microsoft SSL certificate--and ready to capture the login information entered by unsuspecting users.
“Even seasoned users who have been conditioned to look for the lock icon in the address bar can be tricked into entering their credentials,” said John Whetstone, a research architect for Cloud & Data Center Security at the independent NSS Labs.
They should have looked more closely, argues Tom Coughlin, chairman of the Storage Vision and Creative Storage Conferences. “By looking at the addresses you could see that this wasn't a valid Office 365 page, even though it appeared to have a valid SSL,” he said.
When it comes to the repercussions of such an attack, Whetstone says it can vary significantly.
“Depending on the account that was compromised, damage could range from negligible to catastrophic,” he said. “The compromise could lead to theft of intellectual property, financial records or personally identifiable information [PII]. Once a privileged account has been compromised, the sky is the limit.”
Whetstone added that unsecured BLOB storage repositories present real opportunities for bad actors looking to host malware or launch phishing campaigns. In this particular case, the Microsoft Azure storage service was chosen by the threat actor as the distribution mechanism and the certificate was created to conceal the transaction.
Clearly, Coughlin says, black hat hackers are coming up with more sophisticated forms of attacks all the time. With that in mind, it’s more important than ever to scan content carefully.
Preventing these types of attacks also requires more user education and awareness about how to recognize illegitimate URLs. In addition, security teams should arm themselves with security technologies such as cloud access security brokers (CASB), secure web gateways (SWG), multi-factor authentication (MFA) and other forms of cyber threat protection.
Netskope, a cloud security company that has discovered similar schemes, recommends that companies always check the domain of links, be able to identify common object store domains and those used by Azure blob storage, use a real-time visibility and control solution along with multi-layered threat detection and remediation, and keep systems and antivirus up to date.
