Researchers have spotted a threat actor known by the name UNC3944 and were observed abusing privileged accounts to access the Microsoft Azure Serial Console.
UNC3944 has bypassed many of the defense and detection methods used within Azure, thereby gaining full access to the text-based console for Windows virtual machines. By leveraging SIM swapping attacks through multiple intrusions, some of which included the Azure Serial Console and other Azure extensions.
This attacker often leverages compromised credentials of administrators or other privileged accounts for initial access. A common tactic employed by this attacker involves SMS phishing privileged users, SIM swapping, and then impersonating the users to trick help desk agents into sending a multi-factor reset code via SMS.
Once after gaining the Azure administrator’s access, there are many actions an attacker can perform. These actions include: exporting information about the users in the tenant, gathering information about the Azure environment configuration and the various VMs, and creating or modifying accounts.
The attacker uses built-in Azure diagnostic extensions for information gathering purposes. The extension CollectGuestLogs is one such extension leveraged by the attack.
For direct administrative console access to virtual machines, UNC3944 leverages Azure Serial Console. This enables the threat actors to operate the serial port to execute commands via command prompt.
UNC3944 plans to establish a covert and continuous connection to their C2 server through a reverse SSH tunnel. This allows them to evade security measures by configuring port forwarding to enable direct access to an Azure VM via Remote Desktop.
Upon gaining unauthorized access to a target virtual machine, the attacker creates a new process, specifically C:\Windows\System32\sacsess.exe, which subsequently triggers the execution of cmd.exe.
The techniques used by UNC3944 are not widely known by the security community. The researchers pointed out that cloud resources are often poorly misunderstood, leading to misconfigurations that can leave assets vulnerable to attackers.
While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: attackers have their eyes on the cloud.The rise of LoL attacks, leveraging built-in tools to avoid detection, highlights the expanding threat landscape beyond the operating system layer.
As a recommendation, organizations to limit Rdp and refrain from using SMS as a MFA option whenever feasible to enhance security measures.