Highlights:

  • Since May 2022, Mandiant has kept tabs on the financially motivated threat group UNC3944.
  • UNC3944 uses PowerShell to deploy commercially available remote administration tools in order to keep an active presence on the VM.

A threat actor previously known to target Microsoft Corp. products is now using phishing and SIM-swapping attacks to hijack Microsoft Azure administrative accounts and gain access to Azure Virtual Machines.

Researchers at the Google LLC-owned Mandiant disclosed on May 16 that the threat actor identified as UNC3944 uses the Serial Console on Azure VMs to deploy remote management software in client environments. Attackers gaining access to Azure VMs is nothing new, but the researchers pointed out that this attack strategy is unique: it avoided many of the conventional detection techniques within Azure while giving the attacker full administrative access to the VM.

Mandiant has been monitoring UNC3944, a financially motivated threat group, since May 2022. The group frequently uses SIM and email swapping as part of its strategy, followed by establishing persistence through compromised accounts. Once inside, UNC3944 moves through the victim organization’s environment and steals data.

Researchers at Mandiant have observed an adversary using a highly privileged Azure account to conduct reconnaissance using Azure Extensions. The extensions used include built-in Azure diagnostic extensions such as CollectGuestLogs, an application that can “gather log files for offline analysis and preservation.” In addition, UNC3944 has been observed utilizing the Azure Network Watcher extension, Guest Agent Automatic Log Collection, VMSnapshot, and Guest Configuration.

UNC3944 uses PowerShell to deploy commercially available remote administration tools in order to keep an active presence on the VM. According to the researchers, the benefit of using commercially available tools is that they offer remote access as legally signed applications without setting off alarms in most endpoint detection platforms.

Researchers from Mandiant recommend that businesses restrict who has access to remote administration channels and, whenever it’s practical, disable SMS as a multifactor authentication method.
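The extension-based reconnaissance and Serial Console access described above both leave Azure Activity Log entries, so a defender can hunt for them. The following is an added example, not code from Mandiant or the article: it flags records whose extension name matches the extension families named here, or whose operation is a Serial Console connect. The operation-name strings and the sample records are assumptions (the records are constructed), and the keyword list should be tuned against your own extension inventory.

```python
"""Flag Azure Activity Log records matching the tradecraft in the article:
reconnaissance VM extensions and Serial Console connections. Sample data is constructed."""
import json

# Extension families named in the article, matched case-insensitively against the
# extension resource name. Exact publisher/type strings differ per OS, so tune this
# list against your tenant's extension inventory rather than treating it as complete.
RECON_EXTENSION_KEYWORDS = ("collectguestlogs", "networkwatcher", "vmsnapshot", "guestconfiguration")

# Operation names are assumed from Azure's resource-provider naming, not from the article.
EXTENSION_WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"
SERIAL_CONSOLE_OP = "Microsoft.SerialConsole/serialPorts/connect/action"


def classify(record):
    """Return a finding label for one record, or None when nothing matches."""
    op = record.get("operationName", "")
    if op == SERIAL_CONSOLE_OP:
        return "serial-console-connect"
    if op == EXTENSION_WRITE_OP:
        # The last path segment of the resourceId is the extension name.
        ext_name = record.get("resourceId", "").rsplit("/", 1)[-1].lower()
        if any(k in ext_name for k in RECON_EXTENSION_KEYWORDS):
            return "recon-extension-deploy"
    return None


def findings(records):
    """Collect (label, caller, resourceId) for every record that matches."""
    return [(classify(r), r.get("caller"), r.get("resourceId"))
            for r in records if classify(r)]


def parse_records(text):
    """Parse a newline-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample export (one JSON object per line); the subscription id is a placeholder.
VM = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"caller": "ops@example.invalid", "operationName": EXTENSION_WRITE_OP, "resourceId": VM + "/extensions/CollectGuestLogs"},
    {"caller": "ops@example.invalid", "operationName": SERIAL_CONSOLE_OP, "resourceId": VM + "/providers/Microsoft.SerialConsole/serialPorts/0"},
    {"caller": "ops@example.invalid", "operationName": EXTENSION_WRITE_OP, "resourceId": VM + "/extensions/MonitoringAgent"},
    {"caller": "ops@example.invalid", "operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": VM},
])

if __name__ == "__main__":
    for label, caller, resource in findings(parse_records(SAMPLE_LOG)):
        print(f"{label}: {caller} on {resource}")
```

Pair each hit with the caller identity and check it against the list of accounts that are supposed to hold Serial Console and extension-write permissions; an unexpected caller is the signal, not the extension alone.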

Chief Executive of data security platform provider Laminar Technologies Inc., Amit Shaked, told a leading media house, “Sophisticated attacks into your network like this require a zero trust approach that employs defense in depth controls at the infrastructure and data layers. The shift to the cloud has enabled organizations to spin up data stores in buckets or blob storage quickly, and many data security and governance professionals don’t have visibility into where their sensitive data lives. This unknown or ‘shadow data’ is… a prime target for cyber adversaries as they are not monitored and less protected.”