UNC3944 Threat Group Abuses Azure Series Console for Total VM Takeover
Financially motivated cyber actors have been observed abusing Microsoft Azure Serial Console on a virtual machine (VM) to install third-party remote management tools in a compromised environment.
Google’s Mandiant associates the activity with a threat group it tracks by that name UNC3944which is also known as Roasted 0ktapus and Scattered Spider.
“This attack method is unique in that it circumvents many of the traditional detection methods used in Azure and gives the attacker full administrative access to the VM,” the threat intelligence firm said.
The emerging adversary, which was first uncovered late last year, is known to be leveraging SIM swap attacks to penetrate telcos and business process outsourcing (BPO) companies since at least May 2022.
Furthermore, Mandiant also discovered UNC3944 used a loader named STONESTOP to install a maliciously signed driver named POORTRY designed to terminate processes associated with security software and delete files as part of a BYOVD attack.
It is currently unknown how threat actors perform SIM swaps, although the alleged early access methodology involves using SMS phishing messages targeting privileged users to obtain their credentials and then performing a SIM swap to receive a two-factor authentication (2FA) token to a SIM card under their control. .
Armed with enhanced access, the threat actor then moves to survey the target network with the exploit Azure VM extension such as Azure Network Watcher, Azure Windows Guest Agent, VMSnapshot, and Azure Policy guest configuration.
Learn How to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
“Once the attackers complete their reconnaissance, they use the serial console functionality to get to an administrative command prompt inside the Azure VM,” Mandiant said, adding that it observed UNC3944 using PowerShell to use legitimate remote administration tools.
The development is yet another proof of the attacker taking advantage of life-from-the-ground (ManyL) techniques to defend and advance attacks, while avoiding detection.
“The attacker’s new use of serial consoles is a reminder that these attacks are no longer limited to the operating system layer,” Mandiant said.
“Unfortunately, cloud resources are often misunderstood, leading to misconfigurations that can make these assets vulnerable to attackers. While initial access methods, lateral movement, and persistence vary from attacker to attacker, one thing is clear: Attackers pay attention to the cloud.”
