A threat actor who has been known to target Microsoft Corp. products in the past has started using a combination of phishing and SIM-swapping attacks to take over Microsoft Azure administrative accounts to gain access to Azure Virtual Machines.

Detailed May 16 by researchers at Google LLC-owned Mandiant, the threat actor, designated UNC3944, uses the Serial Console on Azure VMs to install third-party remote management software within client environments. Hackers gaining access to Azure VMs is hardly new, but the researchers noted that the attack method is unique in that it avoided many of the traditional detection methods within Azure while giving the attacker full administrative access to the VM.

UNC3944 is a financially motivated threat group that Mandiant has been tracking since May 2022. Their tactics typically include email and SIM swapping, followed by the establishment of persistence using compromised accounts. Once through the door, UNC3944 steals data from within the victim organization’s environment.

Mandiant’s researchers have observed the attacker using access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes. The extensions used include built-in Azure diagnostic extensions, such as CollectGuestLogs, a tool that can “gather log files for offline analysis and preservation.” UNC3944 has also been observed to use the Azure Network Watcher extension, as well as Guest Agent Automatic Log Collection, VMSnapshot and Guest Configuration.

To maintain a presence on the VM, UNC3944 deploys commercially available remote administration tools via PowerShell. The researchers noted that the advantage of using commercially available tools is that as legitimately signed applications, they provide remote access without triggering alerts in most endpoint detection platforms.

The Mandiant researchers recommend that organizations restrict access to remote administration channels and disable SMS as a multifactor authentication method wherever possible.

“Sophisticated attacks into your network like this require a zero trust approach that employs defense in depth controls at the infrastructure and data layers,” Amit Shaked, chief executive of data security platform provider Laminar Tehnologies Inc., told SiliconANGLE. “The shift to the cloud has enabled organizations to quickly spin up data stores in buckets or blob storage and many data security and governance professionals don’t have visibility into where their sensitive data lives. This unknown or ‘shadow data,’ is… a prime target for cyber adversaries as they are not monitored and less protected.”

Image: Needpix