After compromising Azure administrator accounts at several unnamed organizations, the UNC3944 threat actor leveraged the serial console on Azure virtual machines in order to gain full administrative access to VMs, install third-party remote access tools on victim environments and continue operating under the radar.
In a new analysis published on Tuesday, Mandiant researchers detailed how the financially motivated threat actor in 2022 misused a number of legitimate Azure tools and functionalities after compromising victims, including serial console, which is a remote tool that can be accessed via the Azure portal and is used for troubleshooting issues on Azure virtual machines and other purposes.
“Living off the Land attacks have become far more common as attackers have learned to make use of built-in tools to evade detection,” said Mandiant researchers. “The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer.”
UNC3944, which has been tracked by Mandiant since May 2022, has previously relied on SIM swapping attacks, email and SMS phishing attacks, and various other methods, including the use of malicious signed drivers. The group launches attacks with the aim of stealing data and in some cases uses stolen employee databases to target other users within victim organizations.
“This attacker often leverages compromised credentials of administrators or other privileged accounts for initial access,” according to researchers. The initial access in this attack “involves SMS phishing privileged users, SIM swapping, and then impersonating the users to trick help desk agents into sending a multi-factor reset code via SMS. Mandiant currently doesn’t have enough data to determine how the attacker conducts the SIM swaps.”
After compromising the Azure administrator’s account, the attackers leveraged various admin account privileges, including exporting data about the users in the tenant, gathering data about the Azure environment’s configuration, and creating or modifying accounts. The attackers then used the serial console functionality to access the administrative command prompt on an Azure VM, as the special administration console feature allows users to connect to the running OS via serial port and launch commands within that OS.
“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM."
Researchers observed attackers using this functionality to leverage PowerShell in order to download multiple remote administration tools. Because these were legitimately signed tools, researchers said, the attacker was able to sneak under the radar without any endpoint detection platforms tipping off the victim. The tools allowed the attacker to remotely login to multiple infected systems for the purpose of reconnaissance, credential dumping, and lateral movement to additional systems with client environments, according to Mandiant.
As part of the attack, the threat actor also attempted to leverage built-in Azure Extensions, which can be executed inside a VM and have a number of legitimate functionalities, to perform reconnaissance. These extensions include CollectGuestLogs, which can be used to gather log files “for offline analysis;” Azure Network Watcher, which allows for networking performance monitoring; Guest Agent Log Collection, which enables remote gathering of various logs; the VMSnapshot extension, which allows for virtual machine backup; and Guest configuration, which helps users deploy a standardized policy.
"Before pivoting to another system, this attacker set up a reverse SSH (Secure Shell Protocol) tunnel to the attacker’s command and control (C2) server," said researchers. "Following the creation of the SSH tunnel, the attacker established a connection to the SSH tunnel using their current account or by compromising additional user accounts and leveraging them to connect to the compromised system via Remote Desktop."
The attack shows how threat actors are targeting cloud environments and using Living off the Land techniques in order to evade detection while setting up for lateral movement, persistence and more, said researchers. In August, for instance, APT29 was seen targeting various Microsoft 365 features to evade detection. As part of this attack, APT29 gained access to a global administrator account in Microsoft Entra ID, and used this access to mix benign administrative actions in with their own malicious ones.
“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM,” according to Mandiant researchers. “Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers.”