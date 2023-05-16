



After compromising an unnamed organization's Azure administrator account, the threat actor UNC3944 used the serial console on an Azure virtual machine to gain full administrative access to the VM, installed third-party remote management software in the victim's environment, and continued operating without drawing attention.

In a new analysis published Tuesday, Mandiant researchers detailed how these financially motivated attackers abused legitimate Azure tools and features in 2022. Among them was the serial console, a remote management feature reachable through the Azure portal once a victim's account is compromised, which is normally used to troubleshoot Azure virtual machines.

According to Mandiant researchers, living-off-the-land attacks have become far more common as attackers have learned to abuse built-in tools to evade detection. The novel use of the serial console is a reminder that these attacks are no longer confined to the operating system layer.

UNC3944 has been tracked by Mandiant since May 2022 and has previously relied on techniques including SIM swapping, email and SMS phishing, and the use of maliciously signed drivers. The group's attacks aim to steal data, and it sometimes uses stolen employee databases to target other users within the victim organization.

The attackers often leverage compromised administrator credentials or other privileged accounts for initial access, according to the researchers. In this case, initial access began with SMS phishing of a privileged user, followed by a SIM swap; the attacker then impersonated the user and tricked a helpdesk agent into sending a multi-factor authentication reset code via SMS. Mandiant currently does not have enough data to determine how the attackers carried out the SIM swap.

After compromising the Azure administrator account, the attackers used its privileges to export information about users in the tenant, gather data about the Azure environment's configuration, and create or modify accounts. They then used the serial console to obtain an administrative command prompt on an Azure VM. The serial console is a management feature that connects to the serial port of a running OS (on Windows, the Special Administration Console) and lets the user run commands inside that OS.

“This attack method was unique in that it evaded many of the traditional detection methods used within Azure and gave the attacker full administrative access to the VM,” the researchers said.

Researchers observed the attackers using this console access to run PowerShell and download multiple remote administration tools. Because these were legitimately signed tools, the researchers said, the attackers were able to stay under the radar without the endpoint detection platform alerting the victim.

As part of the attack, the threat actors also attempted to use built-in Azure extensions, which run inside VMs and have many legitimate functions, to perform reconnaissance. These included CollectGuestLogs, which collects log files for offline analysis; Azure Network Watcher, which enables network performance monitoring; Guest Agent log collection, which gathers various logs remotely; the VMSnapshot extension, which backs up virtual machines; and Guest Configuration, which helps users deploy standardized policies.
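The serial console access and the extension abuse described in the two preceding sections both leave traces in the Azure Activity Log at the control-plane layer, which is where a defender can still see them even when the guest OS agent stays quiet. The following is an added example, not code from Mandiant or Microsoft: it parses a handful of constructed activity-log records and flags serial console connections, writes of the extensions the article names, and the chain of the two by the same caller within a short window. The operation names `Microsoft.SerialConsole/serialPorts/connect/action` and `Microsoft.Compute/virtualMachines/extensions/write`, the simplified record shape, the extension resource names, and the one-hour window are assumptions made for this example.

```python
"""Detection sketch for Azure Serial Console and VM-extension abuse.

Added example, not Mandiant's or Microsoft's code. Assumptions:
- Activity Log records carry the ARM operation name in ``operationName``
  (assumed: ``Microsoft.SerialConsole/serialPorts/connect/action`` for a
  serial console connection, ``Microsoft.Compute/virtualMachines/extensions/write``
  for installing or updating a VM extension).
- The sample records below are constructed, not captured data, and use a
  simplified subset of the real record fields.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"

# Extension names from the article, matched case-insensitively against the
# last segment of the resource ID (".../extensions/<name>"). Assumed names.
WATCHED_EXTENSIONS = {
    "collectguestlogs",
    "azurenetworkwatcherextension",
    "vmsnapshot",
    "guestconfiguration",
}

# Constructed sample records, one JSON object per line (NOT real logs).
SAMPLE_LOG = """
{"time":"2023-05-10T09:01:00Z","operationName":"Microsoft.Authorization/roleAssignments/read","caller":"admin@contoso.example","resourceId":"/subscriptions/sub1","status":"Succeeded"}
{"time":"2023-05-10T09:05:12Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","caller":"admin@contoso.example","resourceId":"/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm01","status":"Succeeded"}
{"time":"2023-05-10T09:20:44Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"admin@contoso.example","resourceId":"/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm01/extensions/CollectGuestLogs","status":"Succeeded"}
{"time":"2023-05-10T11:00:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"ops@contoso.example","resourceId":"/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm02/extensions/VMSnapshot","status":"Succeeded"}
{"time":"2023-05-10T11:30:00Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","caller":"ops@contoso.example","resourceId":"/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm03","status":"Failed"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def vm_of(resource_id):
    """Trim a resource ID down to the owning virtual machine, if any."""
    parts = resource_id.split("/")
    if "virtualMachines" in parts:
        idx = parts.index("virtualMachines")
        return "/".join(parts[: idx + 2])
    return resource_id


def find_serial_console_connects(records):
    """Every serial console connection, successful or not, is worth an alert:
    it is an out-of-band admin shell that bypasses network controls."""
    return [r for r in records if r["operationName"] == SERIAL_CONSOLE_CONNECT]


def find_watched_extension_writes(records):
    """Extension writes whose target is one of the watched extensions."""
    hits = []
    for r in records:
        if r["operationName"] != EXTENSION_WRITE:
            continue
        ext_name = r["resourceId"].rsplit("/", 1)[-1].lower()
        if ext_name in WATCHED_EXTENSIONS:
            hits.append(r)
    return hits


def correlate_by_caller(records, window=timedelta(hours=1)):
    """Flag a caller who opens a serial console session and then pushes a
    watched extension within `window`: the living-off-the-land chain above."""
    connects = defaultdict(list)
    for r in find_serial_console_connects(records):
        connects[r["caller"]].append(r["time"])
    findings = []
    for ext in find_watched_extension_writes(records):
        for t in connects.get(ext["caller"], []):
            delta = ext["time"] - t
            if timedelta(0) <= delta <= window:  # extension write AFTER the console
                findings.append({
                    "caller": ext["caller"],
                    "vm": vm_of(ext["resourceId"]),
                    "extension": ext["resourceId"].rsplit("/", 1)[-1],
                    "minutes_after_console": int(delta.total_seconds() // 60),
                })
                break
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in find_serial_console_connects(recs):
        print("serial console:", r["caller"], vm_of(r["resourceId"]), r["status"])
    for f in correlate_by_caller(recs):
        print("console->extension chain:", f)
```

On the constructed sample, the admin account's console session followed fifteen minutes later by a CollectGuestLogs write is reported as a chain, while the operations account's VMSnapshot write is only a single watched-extension hit because its console attempt came afterwards and failed. In production the same logic would run over Activity Log exports or a Log Analytics query rather than an inline string.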

“The attacker set up a reverse SSH (Secure Shell Protocol) tunnel to the attacker's command and control (C2) server before migrating to another system,” the researchers said. “After creating the SSH tunnel, the attacker could use the current account or compromise additional user accounts and use them to connect remotely to the compromised system over Remote Desktop through the established SSH tunnel.”

Researchers say the attack illustrates how attackers target cloud environments and use living-off-the-land techniques to evade detection while preparing for lateral movement, persistence, and more. For example, in August they observed APT29 abusing various Microsoft 365 features to avoid detection; as part of that attack, APT29 gained access to Azure AD global administrator accounts and used that access to mix benign administrative actions with its own malicious ones.

Mandiant researchers add that cloud resources are often poorly understood, leading to misconfigurations that can leave these assets exposed to attackers.

