Threat Advisories:
Critical Cloud Threat: Azure Blob Storage Under Active Attack Operation Silk Lure Scam: When Job Hunts Leads to Malware Storm-1175’s Masterstroke Exploits CVE-2025-10035 in GoAnywhere MFT F5 BIG-IP Breach: Nation-State Hackers Expose Source Code and Undisclosed Flaws Microsoft’s October 2025 Patch Tuesday TA585 Leverages ClickFix Technique and MonsterV2 Malware Astaroth Targets Brazil Using GitHub Infrastructure CVE-2025-11371: Unpatched Gladinet Flaw Actively Exploited in the Wild Stealit’s New Trick: Packing Malware Inside Node.js Single Executables Hidden in Plain Sight: The Abuse of Nezha and the Ghost RAT That Followed UTA0388: AI-Powered Targeted Operations Leveraging GOVERSHELL Zimbra Zero-Day Hidden in “Harmless” ICS File Targets Military Service Finder Plugin Flaw Opens Door to Full Site Compromise Redis Under Siege: RediShell Flaw Opens Door to Remote Code Execution CVE-2025-61882: Oracle EBS Zero-Day Actively Exploited in the Wild Water Saci: Brazil’s WhatsApp-Borne Malware Storm Confucius Hackers Spy on Critical Sectors Using AnonDoor FunkLocker: Emerging AI-Assisted Ransomware Olymp Loader: Modular Malware Built for Rapid Exploitation VMware Aria and Tools Vulnerabilities Fixed Amid Ongoing Exploitation
Highlights of Our CISO Dinner
Upgrading struggling vulnerability management programs to Threat Exposure Management, with Host, CISO Al Lindseth formerly from Plains All American Pipeline and PWC - 6 minute podcast
0:00
0:00
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure Platform
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Blog
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Critical Cloud Threat: Azure Blob Storage Under Active Attack

Red | Attack Report
Download PDF

Misconfigured Azure Blob Storage Exploited for Global Data Breaches

Summary

A widespread campaign is actively targeting Microsoft Azure Blob Storage, exploiting misconfigured or publicly exposed Blob accounts, leaked credentials, and insecure automation triggers across Azure Functions and Logic Apps.

Attackers are leveraging Blob Storage vulnerabilities to gain initial access, establish persistence, and perform data discovery, exfiltration, and ransomware deployment. Azure Blob Storage, a core component for storing unstructured data such as backups, analytics datasets, and AI models, has become a prime entry point due to its frequent misconfigurations and high-value contents.

Once compromised, threat actors repurpose Blob Storage for command-and-control (C2) operations, malware distribution, and data staging, resulting in large-scale data theft, corruption, and financial loss. The observed tactics align with both financially motivated and espionage-driven threat actors, affecting organizations globally across cloud-native environments.

Attack Details

The campaign underscores how poorly secured cloud storage can expose enterprises to severe compromise.

Key Attack Stages

  1. Reconnaissance and Enumeration: Attackers begin by scanning for open storage accounts and containers using AI-assisted enumeration techniques. They also harvest leaked credentials (including Shared Access Signatures – SAS tokens) and predict vulnerable endpoints.
  2. Initial Access: Exploitation occurs through stolen keys, misconfigured blob-triggered automations, or publicly accessible containers, granting attackers direct access to internal data repositories.
  3. Persistence and Infrastructure Control:
    • Issuing long-lived tokens and modifying access policies.
    • Tampering with diagnostic logs and firewall configurations to evade detection.
    • Embedding malicious logic within blob-triggered workflows to maintain ongoing access.
  4. Data Discovery and Lateral Movement: Once inside, attackers enumerate sensitive datasets and move laterally into linked services like Azure Functions and Logic Apps to expand their foothold.
  5. Exfiltration and Impact:
    • Attackers exploit Blob Storage replication and metadata to quietly transfer data or establish C2 channels.
    • In some campaigns, the same storage is used to host malware, phishing pages, or poison AI training datasets.
    • The final stage often involves data theft, corruption, or ransomware encryption, inflicting operational and reputational damage.

This ongoing wave of cloud-centric intrusions highlights the need for strong identity management, network segmentation, and continuous monitoring across Azure workloads.

Recommendations

  1. Enable Microsoft Defender for Storage:
    Activate Microsoft Defender for Storage across all accounts to detect unusual behaviors like data exfiltration, malware uploads, and unauthorized access patterns using anomaly-based threat detection.
  2. Adopt Microsoft Entra ID (Azure AD) Authentication:
    Configure Blob Storage to rely on Microsoft Entra ID (Azure AD) for identity-based authorization instead of shared keys or SAS tokens. This enforces least-privilege access controls and mitigates credential exposure risks.
  3. Disable Anonymous and Shared Key Access:
    Disallow anonymous reads and shared key authorization—particularly for storage accounts handling sensitive workloads or AI datasets—to prevent public data leaks and key misuse.
  4. Require Secure Transfer and Network Isolation:
    Mandate HTTPS-only connections and use private endpoints, service endpoints, or network rules to limit exposure. This ensures encrypted data transfer and prevents public network access.
  5. Enable Immutability and Soft Delete Protection:
    Apply immutability policies and soft delete configurations to preserve data integrity, prevent tampering, and enable ransomware recovery in case of malicious modification or deletion.

These proactive configurations drastically reduce the risk of compromise, making Azure Blob Storage more resilient to exploitation attempts.

MITRE ATT&CK TTPs

TacticTechniqueID
Initial AccessExploit Public-Facing ApplicationT1190
ExecutionCommand and Scripting InterpreterT1059
PersistenceValid Accounts, Account ManipulationT1078, T1098
Privilege EscalationAdditional Cloud CredentialsT1098.001
Defense EvasionSpoof Security Alerting, Impair DefensesT1562.011, T1562
Credential AccessSteal Application Access Token, OS Credential DumpingT1528, T1003
DiscoveryCloud Infrastructure Discovery, Network SniffingT1580, T1040
Lateral MovementRemote Services – Cloud ServicesT1021.007
CollectionData from Cloud StorageT1530
ExfiltrationExfiltration Over Web Service, Transfer Data to Cloud AccountT1567, T1537
ImpactData Destruction, Data Encrypted for ImpactT1485, T1486
Command & ControlApplication Layer Protocol (Web Protocols)T1071.001
ReconnaissanceSearch Open Websites/Domains, Cloud Service DiscoveryT1593, T1526
Resource DevelopmentAcquire Infrastructure, Cloud AccountsT1583, T1078.004

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox