Wednesday, November 29, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

Microsoft Azure Serial Console Abused in UNC3944 Attacks

Researcher by Researcher
May 22, 2023
in Cybersecurity
0
Complex M&A Deals Pave Way For Security Gaps
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


After compromising Azure administrator accounts at several unnamed organizations, the UNC3944 threat actor leveraged the serial console on Azure virtual machines in order to gain full administrative access to VMs, install third-party remote access tools on victim environments and continue operating under the radar.

In a new analysis published on Tuesday, Mandiant researchers detailed how the financially motivated threat actor in 2022 misused a number of legitimate Azure tools and functionalities after compromising victims, including serial console, which is a remote tool that can be accessed via the Azure portal and is used for troubleshooting issues on Azure virtual machines and other purposes.

“Living off the Land attacks have become far more common as attackers have learned to make use of built-in tools to evade detection,” said Mandiant researchers. “The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer.”

UNC3944, which has been tracked by Mandiant since May 2022, has previously relied on SIM swapping attacks, email and SMS phishing attacks, and various other methods, including the use of malicious signed drivers. The group launches attacks with the aim of stealing data and in some cases uses stolen employee databases to target other users within victim organizations.

“This attacker often leverages compromised credentials of administrators or other privileged accounts for initial access,” according to researchers. The initial access in this attack “involves SMS phishing privileged users, SIM swapping, and then impersonating the users to trick help desk agents into sending a multi-factor reset code via SMS. Mandiant currently doesn’t have enough data to determine how the attacker conducts the SIM swaps.”

After compromising the Azure administrator’s account, the attackers leveraged various admin account privileges, including exporting data about the users in the tenant, gathering data about the Azure environment’s configuration, and creating or modifying accounts. The attackers then used the serial console functionality to access the administrative command prompt on an Azure VM, as the special administration console feature allows users to connect to the running OS via serial port and launch commands within that OS.

“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM.”

Researchers observed attackers using this functionality to leverage PowerShell in order to download multiple remote administration tools. Because these were legitimately signed tools, researchers said, the attacker was able to sneak under the radar without any endpoint detection platforms tipping off the victim. The tools allowed the attacker to remotely login to multiple infected systems for the purpose of reconnaissance, credential dumping, and lateral movement to additional systems with client environments, according to Mandiant.

As part of the attack, the threat actor also attempted to leverage built-in Azure Extensions, which can be executed inside a VM and have a number of legitimate functionalities, to perform reconnaissance. These extensions include CollectGuestLogs, which can be used to gather log files “for offline analysis;” Azure Network Watcher, which allows for networking performance monitoring; Guest Agent Log Collection, which enables remote gathering of various logs; the VMSnapshot extension, which allows for virtual machine backup; and Guest configuration, which helps users deploy a standardized policy.

“Before pivoting to another system, this attacker set up a reverse SSH (Secure Shell Protocol) tunnel to the attacker’s command and control (C2) server,” said researchers. “Following the creation of the SSH tunnel, the attacker established a connection to the SSH tunnel using their current account or by compromising additional user accounts and leveraging them to connect to the compromised system via Remote Desktop.”

The attack shows how threat actors are targeting cloud environments and using Living off the Land techniques in order to evade detection while setting up for lateral movement, persistence and more, said researchers. In August, for instance, APT29 was seen targeting various Microsoft 365 features to evade detection. As part of this attack, APT29 gained access to a global administrator account in Azure AD, and used this access to mix benign administrative actions in with their own malicious ones.

“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM,” according to Mandiant researchers. “Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers.”



Source link

Related articles

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
Tags: abusedAttacksAzureConsoleMicrosoftSerialUNC3944
Share76Tweet47

Related Posts

Sentra Raises $30 Million for DSPM Technology

Northern Ireland’s Top Police Officer Apologizes for ‘Industrial Scale’ Data Breach

August 13, 2023
0

Northern Ireland’s top police officer apologized Thursday for what he described as an “industrial scale” data breach in which the...

Minimizing Risk Through Proactive Apple Device Management: Addigy

Minimizing Risk Through Proactive Apple Device Management: Addigy

August 12, 2023
0

Enterprise IT teams are struggling to cope with three major forces of change: the evolving regulatory environment, a globally dispersed...

Decipher Podcast: Katelyn Bowden and TC Johnson

Decipher Podcast: Katelyn Bowden and TC Johnson

August 12, 2023
0

Veilid main site: https://veilid.com/ Cult of the Dead Cow site: https://cultdeadcow.com/ Source link

In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack 

In Other News: macOS Security Reports, Keyboard Spying, VPN Vulnerabilities

August 12, 2023
0

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under...

Used Correctly, Generative AI is a Boon for Cybersecurity

Used Correctly, Generative AI is a Boon for Cybersecurity

August 12, 2023
0

Adobe stock, by Busra At the Black Hat kickoff keynote on Wednesday, Jeff Moss (AKA Dark Tangent), the founder of...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
Microsoft to Block Macros by Default in Office Apps

Qakbot Email Thread Hijacking Attacks Drop Multiple Payloads

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
ID Theft Service Resold Access to USInfoSearch Data – Krebs on Security

ID Theft Service Resold Access to USInfoSearch Data – Krebs on Security

November 28, 2023
Staying safe when shopping online this holiday season

Staying safe when shopping online this holiday season

November 28, 2023
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 28/11

November 28, 2023
North Korean Hackers Exploiting Zero-day Vulnerabilities

North Korean Hackers Exploiting Zero-day Vulnerabilities

November 28, 2023

Recent Posts

ID Theft Service Resold Access to USInfoSearch Data – Krebs on Security

ID Theft Service Resold Access to USInfoSearch Data – Krebs on Security

November 28, 2023
Staying safe when shopping online this holiday season

Staying safe when shopping online this holiday season

November 28, 2023
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 28/11

November 28, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cyber Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches platform Ransomware RoundUp security Software Stories TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved