Cybersecurity researchers have identified a sophisticated campaign where threat actors are leveraging compromised credentials to infiltrate Azure Blob Storage containers, targeting organizations\u2019 critical code repositories and sensitive data.<\/p>\n
This emerging threat exploits misconfigured storage access controls to establish persistence and exfiltrate valuable intellectual property.<\/p>\n
The attack vector represents a significant shift in how threat actors are approaching cloud infrastructure, moving beyond traditional endpoint-focused attacks toward enterprise storage systems.<\/p>\n
The campaign has been linked to multiple threat groups operating across different sectors, including finance, technology, and critical infrastructure.<\/p>\n
Microsoft analysts noted that the attacks typically begin with credential harvesting through phishing campaigns and malware-based information stealers.<\/p>\n
Once initial access is established, operators conduct reconnaissance<\/a> to identify accessible Azure Blob Storage instances with weak or default access policies.<\/p>\n The threat actors then systematically enumerate containers to locate valuable repositories, configuration files, and backup data.<\/p>\n Microsoft researchers identified<\/a> a critical component of this operation involving SharkStealer, a Golang-based infostealer that employs an advanced communication technique called EtherHiding to evade traditional detection mechanisms.<\/p>\n This malware family utilizes the BNB Smart Chain Testnet as a command-and-control dead-drop, retrieving encrypted command instructions through smart contract calls rather than direct domain-based communications.<\/p>\n The sophistication of these operations lies in how threat actors combine traditional credential theft<\/a> with blockchain-based obfuscation techniques. SharkStealer initiates contact with BNB Smart Chain nodes using Ethereum JSON-RPC calls targeting specific smart contracts.<\/p>\n The malware executes eth_call requests to predetermined contract addresses, receiving tuples containing an initialization vector and encrypted payload.<\/p>\n Using a hardcoded AES-CFB encryption key embedded within the binary, the malware decrypts the returned data to extract current C2 server coordinates.<\/p>\n This methodology creates significant detection challenges because network traffic analysis reveals only legitimate blockchain node communications, making it extremely difficult to distinguish malicious activity from benign cryptocurrency wallet interactions.<\/p>\n The use of public blockchain infrastructure as a dead-drop mechanism provides threat actors with remarkable resilience against traditional takedown operations and domain blocking strategies.<\/p>\n In observed campaigns, once SharkStealer<\/a> compromises a system, it harvests Azure credentials stored in browser caches, configuration files, and credential managers.<\/p>\n These stolen credentials grant direct access to Azure Blob Storage containers without triggering standard access controls.<\/p>\n Threat actors then establish secondary connections to Azure Storage, downloading entire repositories containing source code, API keys, and sensitive configuration data.<\/p>\n The combination of EtherHiding-based command infrastructure with Azure Storage access creates a particularly dangerous threat profile that organizations must actively defend against through credential rotation, access reviews, and monitoring<\/a> for anomalous blockchain-based communications originating from internal networks.<\/p>\n Organizations should implement strict Azure Storage authentication policies, enforce multi-factor authentication on administrative accounts, and deploy behavioral monitoring to detect unusual API access patterns.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Threat Actors Attacking Azure Blob Storage to Compromise Organizational Repositories<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Analysis of EtherHiding Pattern in Azure Attacks<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjj7LW0CgtMudDi7VHe01_VuhBPNHDEcpYahafMN_GSSbc_BiDe395sdzZdd0JRJx1oBhygGn-mqfB53Ip5nnYuXsLdEiVAeYhULVQNabptLW6k3z8Sm-nxUmVq__GiZQHxa5sb6L9YEglPId0PHoT_U-V2GSBuJelKMUbMAREwqm_NA3VMK_xYfvdgmKI\/s16000\/Attack%2520techniques%2520that%2520abuse%2520Blob%2520Storage%2520along%2520the%2520attack%2520chain%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")