Hackers Utilise Azure Serial Console to Get Unauthorized Access to Virtual Machines

The initial access to the Azure administrator's account takes place using stolen credentials acquired in SMS phishing, a common tactic of UNC3944.


Mandiant has identified a financially motivated threat group tracked as 'UNC3944' that is using phishing and SIM swapping attacks to compromise Microsoft Azure administrator credentials and gain access to virtual machines. The attackers then use the Azure Serial Console to install remote management software and abuse Azure Extensions for stealthy surveillance.

As stated by Mandiant, UNC3944 has been active since at least May 2022, and their campaign tries to collect data from victims by leveraging Microsoft's cloud computing service. Previously, UNC3944 was credited with developing the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkits for terminating security applications.

To sign their kernel drivers, the threat actors used stolen Microsoft hardware developer accounts.
The initial access to the Azure administrator's account is made with stolen credentials obtained by SMS phishing, a frequent UNC3944 method.

The attackers then impersonate the administrator in calls to help desk agents in order to deceive them into sending a multi-factor reset code to the target's phone number via SMS. Because the attacker has previously SIM-swapped the administrator's number onto their own device, they receive the 2FA token without the victim being aware of the breach.

Mandiant is still investigating how the hackers carry out the SIM-swapping part of their operation. Previous cases, however, have shown that knowing the target's phone number and colluding with dishonest telecom staff is enough to achieve an illegal number port.

Once the attackers have gained access to the targeted organization's Azure infrastructure, they use the administrator credentials to gather information, modify existing Azure accounts, and create new ones as needed. In the next phase of the attack, UNC3944 employs Azure Extensions to conduct surveillance and intelligence gathering, disguising its malicious operations as seemingly innocuous daily routines so that they blend in with normal activity.

Azure Extensions are "add-on" features and services that can be attached to an Azure Virtual Machine (VM) to extend its capabilities, automate operations, and so on.
These extensions are stealthy and attract little suspicion because they execute inside the VM and are routinely used for legitimate purposes.

In this instance, the threat actor took advantage of built-in Azure diagnostic extensions such as "CollectGuestLogs," which was used to collect log files from the compromised endpoint.
UNC3944 then uses the Azure Serial Console to obtain administrator console access to VMs and execute commands through a command prompt over the serial port.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," explains Mandiant's report.

Mandiant discovered that the intruders run the command "whoami" to identify the currently logged-in user and gather enough information to continue the intrusion. The report's appendix has more information on how to analyze logs for the Azure Serial Console. The threat actors then use PowerShell to extend their persistence on the VM and install a slew of commercially available remote administration tools that are not named in the report.
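The two control-plane steps the article describes, an extension write (such as CollectGuestLogs) followed by a Serial Console connection to the same VM, both leave Azure Activity Log records. The following detection script is an added example, not code from the article or from Mandiant; the log records are constructed, and the operation names are assumed to follow Azure's resource-provider naming and should be checked against an Activity Log export from your own tenant.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Azure Activity Log records (JSON lines); not from the Mandiant report.
# Operation names are assumed to follow Azure's resource-provider naming; verify in your tenant.
SAMPLE_LOG = """\
{"time": "2023-05-10T14:02:11Z", "caller": "admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-fin-01/extensions/CollectGuestLogs", "status": "Succeeded"}
{"time": "2023-05-10T14:09:45Z", "caller": "admin@contoso.example", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-fin-01", "status": "Succeeded"}
{"time": "2023-05-10T09:30:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-web-02/extensions/MonitoringAgent", "status": "Succeeded"}
"""
SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
WATCHED_EXTENSIONS = {"CollectGuestLogs"}  # diagnostic extension the article names as abused
CHAIN_WINDOW = timedelta(hours=1)  # extension write followed by a console connect within this window

def parse_records(text):
    """Parse JSON-lines records, converting 'time' to datetime, sorted oldest first."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return sorted(records, key=lambda r: r["time"])

def vm_name(resource_id):
    """The VM name is the path segment that follows 'virtualMachines/'."""
    parts = resource_id.split("/")
    return parts[parts.index("virtualMachines") + 1]

def find_findings(records):
    """Flag console connects, watched extension installs, and the chained pattern."""
    findings, ext_writes = [], []
    for r in records:
        vm = vm_name(r["resourceId"])
        if r["operationName"] == EXTENSION_WRITE:
            ext = r["resourceId"].rsplit("/", 1)[-1]
            ext_writes.append((r["time"], r["caller"], vm))
            if ext in WATCHED_EXTENSIONS:
                findings.append({"rule": "watched_extension", "vm": vm, "caller": r["caller"], "extension": ext})
        elif r["operationName"] == SERIAL_CONSOLE_CONNECT:
            findings.append({"rule": "serial_console_connect", "vm": vm, "caller": r["caller"]})
            # Same caller pushed an extension to this VM shortly before: the chain the article describes.
            if any(c == r["caller"] and v == vm and r["time"] - t <= CHAIN_WINDOW for t, c, v in ext_writes):
                findings.append({"rule": "extension_then_serial_console", "vm": vm, "caller": r["caller"]})
    return findings
```

Running `find_findings(parse_records(SAMPLE_LOG))` on the constructed data yields three findings for vm-fin-01 and none for the routine MonitoringAgent install on vm-web-02.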

"To maintain presence on the VM, the attacker often deploys multiple commercially available remote administration tools via PowerShell," reads Mandiant's report.

"The advantage of using these tools is that they're legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms."

UNC3944's next move is to establish a reverse SSH tunnel to their C2 server in order to maintain covert, persistent access over an encrypted channel while bypassing network restrictions and security controls.

The attacker configures the reverse tunnel with port forwarding, allowing them to log in directly to the Azure VM through Remote Desktop. Any inbound connection to port 12345 on the remote machine, for example, is forwarded to port 3389 on the local host (the Remote Desktop Protocol service port).

Finally, the attackers use the credentials of a compromised user account to log in to the compromised Azure VM through the reverse shell, and only then proceed to escalate their privileges within the breached environment while stealing data.

The attack Mandiant describes demonstrates UNC3944's deep familiarity with the Azure ecosystem and how the group uses built-in capabilities to avoid detection. The risk is heightened when this technical knowledge is combined with the high-level social engineering skills that enable the attackers' SIM swapping.

At the same time, organizations that rely on inadequate security controls, such as SMS-based multi-factor authentication, create opportunities for these sophisticated threat actors, a problem compounded by a lack of understanding of cloud technology.