Researchers uncovered a financially motivated threat group known as ‘UNC3944’ which employs phishing and SIM-swapping techniques to seize control of Microsoft Azure admin accounts.
Enabling them to exploit Azure’s Serial Console on VMs for persistent installation of remote management software and covert surveillance through Azure Extensions.
UNC3944, an identified threat group, has been actively operating since May 2022, as reported by Mandiant. Their primary objective is to extract sensitive data from targeted organizations by leveraging the cloud computing service of Microsoft.
The notorious UNC3944 group, known for its malicious activities, was previously linked to the development of the following toolkits:-
- STONESTOP loader
- POORTRY kernel-mode driver
While all these tools were specifically designed to disable security software, they were a significant threat to computer systems.
Initial Access
Here, to sign their kernel drivers, the threat actors have utilized stolen Microsoft hardware developer accounts through which they operated their proceedings.
For initial access, the threat actors primarily rely on the compromised credentials of administrators or other privileged accounts.
The attacker uses SMS phishing and SIM swapping to impersonate privileged users and deceive help desk agents into providing multi-factor reset codes. Still, Mandiant lacks sufficient data to identify the specifics of the SIM swapping technique.
Here below, we have mentioned all the extensions used by the attackers:-
- Azure Network Watcher
- Guest Agent Automatic Log Collection
- VMSnapshot
- Guest configuration
Technical Analysis
UNC3944 employs Azure Extensions during the subsequent attack phase, employing covert surveillance and information-gathering techniques to camouflage their malicious activities as ordinary daily operations, effectively blending in with everyday activities.
Azure Extensions are additional features and services designed to enhance the functionality and automation of Azure VMs, offering an array of additional capabilities and task-automating options when integrated.
By being executed within the virtual machine and primarily utilized for legitimate intentions, these extensions possess an inherent stealthiness, making them appear less suspicious.
The threat actor exploited the inherent capabilities of Azure diagnostic extensions, specifically the “CollectGuestLogs” function, to gather log files from the compromised endpoint.
For direct administrative console access to virtual machines, UNC3944 leverages Azure Serial Console. This enables the threat actors to operate the serial port to execute commands via command prompt.
Mandiant’s observation reveals that the initial action taken by intruders is executing the “whoami” command to determine the active user and acquire essential data for advancing their exploitation tactics.
The threat actors employ PowerShell to bolster their presence on the virtual machine (VM) and deploy various remote administrator tools intentionally omitted from the report.
UNC3944 plans to establish a covert and continuous connection to their C2 server through a reverse SSH tunnel. This allows them to evade security measures by configuring port forwarding to enable direct access to an Azure VM via Remote Desktop.
Upon gaining unauthorized access to a target virtual machine (VM), the attacker creates a new process, specifically C:WindowsSystem32sacsess.exe, which subsequently triggers the execution of cmd.exe.
Within the command prompt, the attacker executes the “whoami” command, revealing the username of the currently active user.
The rise of Living off the Land attacks, leveraging built-in tools to avoid detection, highlights the expanding threat landscape beyond the operating system layer, as demonstrated by attackers’ innovative utilization of the serial console.
Mandiant advises organizations to limit remote administration access and refrain from using SMS as a multifactor authentication option whenever feasible to enhance security measures.
This recommendation aims to mitigate potential risks by reducing exposure to unauthorized access and enhancing authentication protocols.