Ransomware Groups Use Cloud Services For Data Exfiltration
Summary:
SentinelOne's recent report, The State of Cloud Ransomware in 2024, highlights an increasing trend of ransomware actors exploiting cloud services to directly compromise their victims or exfiltrate sensitive data. In particular, cloud-based storage solutions like Amazon Web Services (AWS) Simple Storage Service (S3) and Microsoft Azure Blob Storage have emerged as prime targets. Although these services are designed to securely store, manage, and retrieve vast amounts of unstructured data, small misconfigurations could have dire consequences. For instance, an AWS S3 bucket can grant both read- and write-level access. If that access is not configured properly, an actor could not only read the data stored in the bucket but also upload malicious code, effectively infecting the end user.
Security Officer Comments:
Several ransomware groups have been observed exploiting cloud storage services to further their attacks. Cybersecurity firm modePUSH recently reported that BianLian and Rhysida ransomware actors are using Azure Storage Explorer to exfiltrate data from compromised environments. This marks a departure from the traditional tools, such as MEGAsync and rclone, that were previously employed for data exfiltration. By using a legitimate service like Azure Storage Explorer, these actors can blend their activity with regular network traffic, making detection more challenging. Additionally, in October 2024, Trend Micro uncovered a ransomware actor masquerading as the LockBit operation, employing Amazon's S3 storage to exfiltrate data stolen from targeted Windows and macOS systems.
Suggested Corrections:
To mitigate the risks of ransomware actors exploiting cloud storage services like Azure and AWS, organizations should implement robust security measures, including configuring cloud services with least-privilege access, enabling multi-factor authentication (MFA), and regularly auditing access logs. It is crucial to use encryption for both data at rest and in transit, and to implement Data Loss Prevention (DLP) policies to block unauthorized transfers. Additionally, organizations should employ endpoint detection and response (EDR) tools, monitor network traffic for suspicious activity, and regularly review cloud configurations for misconfigurations.
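Because Azure Storage Explorer and S3 uploads ride on the same TLS endpoints the organisation's own workloads use, the practical signal is volume to storage endpoints that are not on the company's inventory. The following is an added example, not code from the page, modePUSH or Trend Micro: it applies the "monitor network traffic" recommendation to the Azure Storage Explorer / S3 exfiltration pattern described in the Security Officer Comments by aggregating outbound bytes per (source host, destination) from proxy logs and alerting when an unknown storage endpoint receives more than a threshold. The log format (time, source, destination, bytes out, user agent), the hostnames, the byte counts, the user-agent strings and the allow-list of company-owned storage accounts are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines in a simplified "time src dst bytes_out user_agent"
# form. Hostnames, sizes and user agents are invented; "AzCopy" stands in for the
# transfer engine that tools such as Storage Explorer use.
SAMPLE_LOG = """\
2024-11-05T02:14:03Z ws-finance-07 corpfiles.blob.core.windows.net 1200000 AzCopy
2024-11-05T02:15:11Z ws-finance-07 x7r3q1.blob.core.windows.net 524288000 AzCopy
2024-11-05T02:16:40Z ws-finance-07 x7r3q1.blob.core.windows.net 734003200 AzCopy
2024-11-05T02:17:02Z ws-hr-03 corpfiles.blob.core.windows.net 8000000 AzCopy
2024-11-05T02:18:55Z srv-web-01 unknownbkt.s3.amazonaws.com 450000000 rclone/v1.64
2024-11-05T02:19:30Z ws-dev-12 www.example.com 3000 Mozilla/5.0
"""

# Domains under which AWS S3 and Azure Storage endpoints live.
CLOUD_STORAGE_DOMAINS = ("s3.amazonaws.com", "blob.core.windows.net", "file.core.windows.net")
# Assumed inventory of storage endpoints the organisation owns; anything else is "unknown".
ALLOWED_STORAGE_HOSTS = {"corpfiles.blob.core.windows.net"}
THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB sent to a single unknown endpoint

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.+)$")


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, nbytes, ua = m.groups()
            yield {"ts": ts, "src": src, "dst": dst.lower(), "bytes": int(nbytes), "ua": ua}


def is_cloud_storage(host):
    """True for the storage service domains themselves or any account/bucket under them."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def find_exfil_candidates(text, threshold=THRESHOLD_BYTES):
    """Aggregate bytes out per (src, dst) to unknown storage endpoints; alert above threshold."""
    totals = defaultdict(int)
    agents = defaultdict(set)
    for rec in parse_log(text):
        if not is_cloud_storage(rec["dst"]) or rec["dst"] in ALLOWED_STORAGE_HOSTS:
            continue
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes"]
        agents[key].add(rec["ua"])
    return [
        {"src": src, "dst": dst, "bytes_out": total, "user_agents": sorted(agents[(src, dst)])}
        for (src, dst), total in sorted(totals.items())
        if total >= threshold
    ]


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG):
        print(f"{alert['src']} -> {alert['dst']}: {alert['bytes_out']} bytes "
              f"via {', '.join(alert['user_agents'])}")
```

On the constructed log this flags two pairs: the finance workstation pushing roughly 1.2 GB to an Azure storage account that is not in the inventory, and the web server sending 450 MB to an unknown S3 bucket with rclone, while the transfers to the company's own account are ignored. The allow-list is what makes this usable: without an accurate inventory of owned storage accounts, legitimate traffic and exfiltration to attacker-controlled accounts are indistinguishable at the domain level, which is exactly the blending the comments describe.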
Link(s):
https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/