Using the access to virtual machines the attackers employed malicious use of the Serial Console on Azure Virtual Machines to install third-party remote management software within client environments. Financially motivated threat actor UNC3944 is using phishing and SIM swapping attacks to take over Microsoft Azure admin accounts and gain access to virtual machines (VM), according to cybersecurity firm Mandiant.Using access to virtual machines the attackers employed malicious use of the Serial Console on Azure Virtual Machines to install third-party remote management software within client environments, Mandiant said in a blog.UNC3944 has been active since May 2022. The threat actor has been observed carrying out SIM-swapping attacks followed by the establishment of persistence using compromised accounts.Once persistence has been established, UNC3944 has been seen modifying and stealing data from within the victim organization’s environment. “This threat group heavily relies on email and SMS phishing attacks and has also been observed attempting to phish other users within an organization once they’ve gained access to employee databases,” Mandiant said. Smishing used by threat actorsThe threat actor leverages compromised credentials of administrators or other privileged accounts for initial access. A common tactic employed by this attacker involves smishing of privileged users, SIM swapping, and then impersonating the users to trick helpdesk agents into sending a multi-factor reset code via SMS, Mandiant said.Once the threat actor has gained access to the Azure administrator’s account, it gains full access to the Azure tenant as administrator accounts have global privileges granted. With full access to the tenant, the threat actor can export information about the users in the tenant, gather information about the Azure environment configuration and the various VMs, and create or modify accounts. Mandiant researchers have observed the threat actor using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes.Using extensions for information gathering After gaining access to the Azure environment, the threat actor uses the built-in Azure diagnostic extensions for information-gathering purposes, Mandiant said. Azure Extensions are additional features and services that can be integrated into an Azure Virtual Machine to expand capabilities and automate tasks. The extension CollectGuestLogs which can be used to gather log files for offline analysis and preservation is one such extension leveraged by the threat actor.“Once the attacker completes their reconnaissance, they employ the Serial Console functionality to gain an administrative command prompt inside of an Azure VM,” Mandiant said. The threat actor then runs a command which identifies the name of the currently logged-in user.“To maintain a presence on the VM, the attacker often deploys multiple commercially available remote administration tools via PowerShell,” Mandiant said, adding that the advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms. UNC3944 also creates a reverse SSH tunnel to their command and control server, to maintain access via a secure channel and bypass network restrictions and security controls. The reverse tunnel is configured with port forwarding, facilitating a direct connection to Azure Virtual Machine via Remote Desktop. “Following the creation of the SSH tunnel, the attacker established a connection to the SSH tunnel using their current account or by compromising additional user accounts and leveraging them to connect to the compromised system via Remote Desktop,” Mandiant said.Living off the land attacksLiving off the land attacks like these have become far more common as attackers have learned to make use of built-in tools to evade detection, Mandiant said. “The novel use of the Serial Console by attackers is a reminder that these attacks are no longer limited to the operating system layer.” In living off the land attacks, attackers use legitimate tools within the victim’s systems to carry out their attacks.Mandiant is recommending that organizations restrict access to remote administration channels and disable SMS as a multifactor authentication method wherever possible. It is also recommended to review user account permissions for overly permissive users and implement appropriate Conditional Access Authentication Strength policies. Related content news Amazon’s AWS Control Tower aims to help secure your data’s borders As digital compliance tasks and data sovereignty rules get ever more complicated, Amazon wants automation to help. By Jon Gold Nov 28, 2023 3 mins Regulation Regulation Government news North Korean hackers mix code from proven malware campaigns to avoid detection Threat actors are combining RustBucket loader with KandyKorn payload to effect an evasive and persistent RAT attack. By Shweta Sharma Nov 28, 2023 3 mins Malware feature How a digital design firm navigated its SOC 2 audit L+R's pursuit of SOC 2 certification was complicated by hardware inadequacies and its early adoption of AI, but a successful audit has provided security and business benefits. By Alex Levin Nov 28, 2023 11 mins Certifications Compliance news GE investigates alleged data breach into confidential projects: Report General Electric has confirmed that it has started an investigation into the data breach claims made by IntelBroker. By Shweta Sharma Nov 27, 2023 3 mins Data Breach Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe