Azure Blob Storage versioning disabled
Description
AlphaSOC detected disabling of blob versioning on an Azure Storage account via
Microsoft.Storage/storageAccounts/blobServices/write. Blob versioning
maintains previous versions of blobs, enabling recovery from accidental or
malicious modifications. Disabling versioning removes this protection and may
facilitate ransomware or data manipulation attacks by preventing recovery of
original data.
Impact
Disabling blob versioning eliminates the ability to recover previous versions of modified or deleted data. Threat actors may disable versioning before encrypting or corrupting data to prevent victims from recovering unaffected versions. This undermines data protection mechanisms and increases the impact of data manipulation attacks.
Severity
| Severity | Condition |
|---|---|
| Low | Blob versioning disabled |
Investigation and Remediation
Review Azure Activity logs for the
Microsoft.Storage/storageAccounts/blobServices/write action where
isVersioningEnabled is set to false. Identify the principal responsible and
the storage account affected. Verify whether this change was authorized and part
of planned infrastructure modifications.
If unauthorized, re-enable versioning on the affected storage account. Review recent modifications to stored data that may represent malicious tampering. Rotate credentials for the compromised identity.
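The Activity log review described above can be scripted. The following is an added example, not AlphaSOC's detection logic. It assumes exported records carry operationName, caller, resourceId and a JSON request body under properties.requestbody; adjust the field names to your log source. The sample records are constructed.

```python
import json, re

ACTION = "microsoft.storage/storageaccounts/blobservices/write"
RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
       "/providers/Microsoft.Storage/storageAccounts/{}/blobServices/default")

# Constructed sample records (not real log data); the field layout is an assumption.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
     "caller": "alice@example.com", "resourceId": RID.format("acctone"),
     "properties": {"requestbody": '{"properties": {"isVersioningEnabled": false}}'}},
    {"operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
     "caller": "bob@example.com", "resourceId": RID.format("accttwo"),
     "properties": {"requestbody": '{"properties": {"isVersioningEnabled": true}}'}},
    {"operationName": "Microsoft.Storage/storageAccounts/blobServices/write",
     "caller": "carol@example.com", "resourceId": RID.format("acctthree"),
     "properties": {"requestbody": '{"properties": {"deleteRetentionPolicy": {"enabled": true}}}'}},
]

def find_key(obj, key):
    """Yield every value stored under `key` (case-insensitive) at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                yield v
            yield from find_key(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)

def storage_account(resource_id):
    m = re.search(r"/storageAccounts/([^/]+)", resource_id, re.IGNORECASE)
    return m.group(1) if m else None

def versioning_disabled(events):
    """Return caller and account for each write that sets isVersioningEnabled to false."""
    hits = []
    for ev in events:
        if str(ev.get("operationName", "")).lower() != ACTION:
            continue
        body = (ev.get("properties") or {}).get("requestbody") or {}
        if isinstance(body, str):
            try:
                body = json.loads(body)
            except ValueError:
                continue  # body truncated or not JSON: the setting cannot be confirmed
        if any(str(v).lower() == "false" for v in find_key(body, "isVersioningEnabled")):
            hits.append({"caller": ev.get("caller"),
                         "account": storage_account(ev.get("resourceId", ""))})
    return hits
```

Writes to the same action that enable versioning or change only other blob service properties are not reported, so each hit is a change to verify against planned work.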