Threat Actor Bypasses Detection, Protections In Microsoft Azure Serial Console

A threat actor Mandiant calls UNC3944 was observed abusing privileged accounts to access the Microsoft Azure Serial Console. In doing so, UNC3944 bypassed many of the defense and detection methods used within Azure, thereby gaining full administrative access to the text-based console for Windows virtual machines (VMs).

Mandiant researchers said in a May 16 blog post said that UNC3944 did this by leveraging SIM swapping attacks through multiple intrusions, some of which included the Azure Serial Console and other Azure extensions.  

In an email response to SC Media, the Mandiant researchers said UNC3944 is “loosely comprised of individuals from around the world — not necessarily one location. Many members are native English speakers and they conduct intrusions for various motivations, including financial gain and fame and glory.”

The Mandiant researchers said that while they’ve seen these various techniques used by UNC3944 a few times and first identified the group in May 2022, the techniques are not widely known by the security community. The researchers pointed out in the blog that cloud resources are often poorly misunderstood, leading to misconfigurations that can leave assets vulnerable to attackers.

“While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: attackers have their eyes on the cloud,” the researchers wrote.

The case shows how attackers are becoming more ingenious about bypassing traditional security checks and controls, and the evolution of these attacks as the true perimeter has moved from being the endpoint and network, and is now mobile and cloud, explained Kern Smith, vice president of Americas, sales engineering at Zimperium.

“Increasingly, these attacks target users where organizations have no visibility into using traditional security tooling, such as smishing, to gain the information needed to enable these types of attacks, in this case gain credentials and impersonate trusted machines,” said Smith. “It’s important that organizations adapt to this evolution, and invest in security tools that can prevent these types of targeted smishing campaigns from being successful, and also do so in a way that enables their workforce, while not inhibiting productivity, or impacting user privacy.”

Bud Broomhead, chief executive officer at Viakoo, explained that the threat of SIM swapping has mainly been personal: a threat actor gets a SIM and thwarts MFA to drain the user’s bank account. Broomhead said in this case, the threat actor group (UNC3944) is also financially motivated, but operating at a corporate level (not individual), making the possibilities more extensive.

“A single SIM swap of someone with administrator privileges provides endless opportunities for persistence through creation of new accounts and ability to move laterally within the infrastructure,” said Broomhead. “The threats in this case can go far beyond direct financial gain or data exfiltration. By gaining control of an organization’s Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud.” 

Broomhead said relying on SIM-based MFA has become a bad practice these days, now that other forms of authentication are available, including FIDO2, Azure AD certificates, and Windows Hello for Business.  If an organization relies on a SIM-based MFA for authentication they should take additional security steps, said Broomhead, such as requiring that the mobile account gets managed and controlled by the organization and not the individual.

“Hijacking SIMs is not easy and this threat actor may have a relationship with mobile operators that enables this exploit,” Broomhead said. “Will mobile operators be liable for breaches that result in SIM swapping? This case may make that more likely.” 

Roy Akerman, co-founder and CEO of Rezonate, said while the SIM swapping technique is not new, Mandiant’s report highlights that UNC3944 evolved to further expand its reach via compromised accounts to cloud infrastructure and the Azure AD user repository.

“Living-off-the-land capabilities can easily turn to privilege escalation and lateral movement of jumping between organization’s cloud accounts and higher-privileged roles that are all legitimate actions,” Akerman said. “No malicious code or malware is involved. This is very similar to the evolution we’ve seen in the endpoint space several years back on the shift to fileless ‘malware’ and leveraging the system against itself.”

READ MORE HERE