2023-05-17

A threat actor that Mandiant calls UNC3944 has been observed abusing privileged accounts to gain access to the Microsoft Azure Serial Console. By doing so, UNC3944 bypassed many of the defense and detection methods used in Azure, gaining full administrative access to the text-based console of Windows virtual machines (VMs).

Mandiant researchers said in a May 16 blog post that UNC3944 did this by taking advantage of SIM swapping attacks across several intrusions, some of which involved the Azure Serial Console and other Azure extensions.
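A defender-side illustration of the point above, added here and not taken from Mandiant's report or the article: a small triage routine over Azure Activity Log records that flags Serial Console connections and VM extension writes by callers who are not on an approved operator list. It assumes the Activity Log operation names `Microsoft.SerialConsole/serialPorts/connect/action` and `Microsoft.Compute/virtualMachines/extensions/write`; the log records are constructed samples.

```python
# Azure Activity Log records as exported to JSON; these three are constructed
# samples, not real telemetry.
SAMPLE_ACTIVITY_LOG = [
    {"time": "2023-05-10T02:14:07Z",
     "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "caller": "new-admin@contoso.example", "resultType": "Success",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/dc01"},
    {"time": "2023-05-10T09:00:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "caller": "ops@contoso.example", "resultType": "Success",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/web01"},
    {"time": "2023-05-10T23:41:55Z",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "caller": "new-admin@contoso.example", "resultType": "Success",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/dc01/extensions/CustomScript"},
]

# Operation names assumed to be what Azure records for these actions.
SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
VM_EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
WATCHED_OPERATIONS = {SERIAL_CONSOLE_CONNECT: "serial-console-connect",
                      VM_EXTENSION_WRITE: "vm-extension-write"}


def find_console_and_extension_activity(records, approved_callers):
    """Return one alert per watched operation performed by a caller who is not
    on the approved operator list. Both operations are legitimate admin
    actions, so the caller allow-list is what separates signal from noise."""
    alerts = []
    for rec in records:
        kind = WATCHED_OPERATIONS.get(rec.get("operationName"))
        if kind is None:
            continue
        caller = rec.get("caller", "")
        if caller in approved_callers:
            continue
        # Keep the VM name so the responder can pivot to the affected host.
        vm = rec.get("resourceId", "").split("/virtualMachines/")[-1].split("/")[0]
        alerts.append({"kind": kind, "caller": caller, "vm": vm,
                       "time": rec.get("time"), "result": rec.get("resultType")})
    return alerts


if __name__ == "__main__":
    for alert in find_console_and_extension_activity(SAMPLE_ACTIVITY_LOG, {"ops@contoso.example"}):
        print(alert)
```

In a real deployment the same allow-list check belongs in a scheduled log query or Sentinel analytics rule, with the caller list sourced from the break-glass and platform operator groups rather than hard-coded.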

In an email response to SC Media, Mandiant researchers said UNC3944 was loosely composed of individuals from around the world, not necessarily from one location. Many members are native English speakers and perform intrusions for various motives, including financial gain, fame, and glory.

Mandiant researchers said that although they have seen these techniques used by UNC3944 on a few occasions and first identified the group in May 2022, the techniques are not widely known to the security community. The researchers pointed out in the blog that cloud resources are often misunderstood, leading to misconfigurations that can leave assets vulnerable to attackers.

Although the methods of initial access, lateral movement and persistence vary from attacker to attacker, one thing is clear: attackers have their eyes on the cloud, the researchers wrote.

The case shows how attackers are getting more resourceful in circumventing traditional security checks and controls, and the evolution of these attacks as the true perimeter has shifted from the endpoint and the network to mobile and cloud, explained Kern Smith, vice president of Americas sales engineering at Zimperium.

Increasingly, these attacks target users where organizations have no visibility using traditional security tools, for example through smishing, to gain the information needed to enable these types of attacks, in this case obtaining credentials and impersonating trusted machines, Smith said. It is important that organizations adapt to this development and invest in security tools that can prevent the success of these types of targeted smishing campaigns, and that they do so in a way that works for their workforce, without hampering productivity or affecting user privacy.

Bud Broomhead, CEO of Viakoo, explained that the SIM swapping threat has mostly been a personal one: a malicious actor obtains a SIM card and defeats MFA to empty users' bank accounts. Broomhead said that in this case the malicious actor group (UNC3944) is also financially motivated, but operates at the enterprise (not individual) level, which expands the possibilities.

A single SIM swap from someone with administrator privileges provides endless possibilities for persistence through the creation of new accounts and the ability to move laterally within the infrastructure, Broomhead said. In this case, the threats can go far beyond direct financial gain or data exfiltration. By taking control of an organization’s Azure environment, the malicious actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed in the cloud.

Broomhead said relying on SIM-based MFA has become bad practice now that other forms of authentication are available, including FIDO2, Azure AD certificates and Windows Hello for Business. If an organization relies on SIM-based MFA for authentication, it must take additional security measures, Broomhead said, such as requiring the mobile account to be managed and controlled by the organization and not by the individual user.

Hacking SIM cards isn’t easy, and this threat actor may have a relationship with mobile carriers that enables this exploit, Broomhead said. Will mobile operators be liable for breaches that result in SIM card swapping? This case may make that more likely.

Roy Akerman, co-founder and CEO of Rezonate, said that while the SIM swapping technique is not new, Mandiant's report highlights that UNC3944 has evolved to further extend its reach via compromised accounts to cloud infrastructure and the Azure AD user repository.

Living-off-the-land capabilities can easily turn into privilege escalation and lateral movement, jumping between organizations' cloud accounts and more privileged roles, all of which are legitimate actions, Akerman said. No malicious code or malware is involved. This is very similar to the evolution we saw in the endpoint space several years ago with the shift to fileless malware and exploiting the system against itself.