Microsoft Azure VMs Hijacked in Cloud Cyberattack – Dark Reading

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.
May 18, 2023
A threat actor known for targeting Microsoft cloud environments is now using the serial console feature on Azure virtual machines (VMs) to hijack VMs and install third-party remote management software inside clients' cloud environments.
Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.
Using one of its typical methods of initial access — compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.
From there, the attacker has a number of options for malicious activity, including exporting information about the users in the tenant, collecting information about the Azure environment configuration and the various VMs, and creating or modifying accounts.
"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."
By using the serial console in Microsoft Azure in particular, UNC3944 can connect to a running OS over its serial port, giving the attacker a path into the cloud environment that does not go through the operating system's own network-facing access channels.
"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."
UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.
However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.
"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.
Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.
"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.
Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server, configured so that any inbound connection to port 12345 on the remote machine was forwarded to port 3389 on localhost, they explained in the post. This gave UNC3944 a direct connection to the Azure VM via Remote Desktop, from which it could carry out a password reset of an admin account, the researchers said.
The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.
"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.
To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.
Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.
"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.
They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.
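One way to surface the activity the article describes, as an added example that is not part of the Dark Reading article or of Mandiant's post: a small Python triage over Azure Activity Log records that flags serial console connections by principals outside an allow-list, and VM extension or run-command executions that follow a serial console session by the same caller. The operation names are the Activity Log identifiers for those actions; the events, caller names and resource IDs are constructed sample data, not real telemetry.

```python
# Activity Log operation names for the control-plane actions described above:
# a serial console session, and VM extension / run-command execution.
SERIAL_CONSOLE_OP = "microsoft.serialconsole/serialports/connect/action"
VM_EXEC_OPS = {
    "microsoft.compute/virtualmachines/extensions/write",
    "microsoft.compute/virtualmachines/runcommand/action",
}

# Constructed sample records (not real telemetry); field names follow the
# Activity Log schema: time, operationName, caller, resourceId, status.
VM1 = "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"
SAMPLE_EVENTS = [
    {"time": "2023-05-01T10:00:00Z", "caller": "ops@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": VM1},
    {"time": "2023-05-01T10:05:00Z", "caller": "helpdesk@example.com", "status": "Succeeded",
     "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": VM1},
    {"time": "2023-05-01T10:07:00Z", "caller": "helpdesk@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": VM1},
    {"time": "2023-05-01T10:09:00Z", "caller": "ops@example.com", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": VM1},
]


def triage(events, allowed_console_users):
    """Return (alert, caller, resourceId) tuples in time order.

    - serial-console-unexpected-caller: a serial console connect by a principal
      that is not on the least-privilege allow-list for the console.
    - vm-exec-after-serial-console: an extension write or run-command by a
      principal that earlier opened a serial console session (the LotL chain
      of console access followed by in-VM tooling).
    """
    allowed = {u.lower() for u in allowed_console_users}
    console_callers = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("status") != "Succeeded":
            continue  # failed attempts are worth logging but are not a session
        op = ev["operationName"].lower()
        caller = ev["caller"].lower()
        if op == SERIAL_CONSOLE_OP:
            console_callers.add(caller)
            if caller not in allowed:
                alerts.append(("serial-console-unexpected-caller", caller, ev["resourceId"]))
        elif op in VM_EXEC_OPS and caller in console_callers:
            alerts.append(("vm-exec-after-serial-console", caller, ev["resourceId"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, {"ops@example.com"}):
        print(alert)
```

The ops user's extension write is not flagged because that principal never opened a serial console session; in production the allow-list would come from the RBAC assignments that grant the serial console connect action.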
Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.