Wednesday, June 7, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

Microsoft Azure Serial Console Abused in UNC3944 Attacks

Researcher by Researcher
May 22, 2023
in Cybersecurity
0
Complex M&A Deals Pave Way For Security Gaps
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


After compromising Azure administrator accounts at several unnamed organizations, the UNC3944 threat actor leveraged the serial console on Azure virtual machines in order to gain full administrative access to VMs, install third-party remote access tools on victim environments and continue operating under the radar.

In a new analysis published on Tuesday, Mandiant researchers detailed how the financially motivated threat actor in 2022 misused a number of legitimate Azure tools and functionalities after compromising victims, including serial console, which is a remote tool that can be accessed via the Azure portal and is used for troubleshooting issues on Azure virtual machines and other purposes.

“Living off the Land attacks have become far more common as attackers have learned to make use of built-in tools to evade detection,” said Mandiant researchers. “The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer.”

UNC3944, which has been tracked by Mandiant since May 2022, has previously relied on SIM swapping attacks, email and SMS phishing attacks, and various other methods, including the use of malicious signed drivers. The group launches attacks with the aim of stealing data and in some cases uses stolen employee databases to target other users within victim organizations.

“This attacker often leverages compromised credentials of administrators or other privileged accounts for initial access,” according to researchers. The initial access in this attack “involves SMS phishing privileged users, SIM swapping, and then impersonating the users to trick help desk agents into sending a multi-factor reset code via SMS. Mandiant currently doesn’t have enough data to determine how the attacker conducts the SIM swaps.”

After compromising the Azure administrator’s account, the attackers leveraged various admin account privileges, including exporting data about the users in the tenant, gathering data about the Azure environment’s configuration, and creating or modifying accounts. The attackers then used the serial console functionality to access the administrative command prompt on an Azure VM, as the special administration console feature allows users to connect to the running OS via serial port and launch commands within that OS.

“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM.”

Researchers observed attackers using this functionality to leverage PowerShell in order to download multiple remote administration tools. Because these were legitimately signed tools, researchers said, the attacker was able to sneak under the radar without any endpoint detection platforms tipping off the victim. The tools allowed the attacker to remotely login to multiple infected systems for the purpose of reconnaissance, credential dumping, and lateral movement to additional systems with client environments, according to Mandiant.

As part of the attack, the threat actor also attempted to leverage built-in Azure Extensions, which can be executed inside a VM and have a number of legitimate functionalities, to perform reconnaissance. These extensions include CollectGuestLogs, which can be used to gather log files “for offline analysis;” Azure Network Watcher, which allows for networking performance monitoring; Guest Agent Log Collection, which enables remote gathering of various logs; the VMSnapshot extension, which allows for virtual machine backup; and Guest configuration, which helps users deploy a standardized policy.

“Before pivoting to another system, this attacker set up a reverse SSH (Secure Shell Protocol) tunnel to the attacker’s command and control (C2) server,” said researchers. “Following the creation of the SSH tunnel, the attacker established a connection to the SSH tunnel using their current account or by compromising additional user accounts and leveraging them to connect to the compromised system via Remote Desktop.”

The attack shows how threat actors are targeting cloud environments and using Living off the Land techniques in order to evade detection while setting up for lateral movement, persistence and more, said researchers. In August, for instance, APT29 was seen targeting various Microsoft 365 features to evade detection. As part of this attack, APT29 gained access to a global administrator account in Azure AD, and used this access to mix benign administrative actions in with their own malicious ones.

“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM,” according to Mandiant researchers. “Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers.”



Source link

Related articles

Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
CISA: North Korea-Backed Actors Using Maui Ransomware

North Korean Attackers Target Google Account Credentials

June 7, 2023
Tags: abusedAttacksAzureConsoleMicrosoftSerialUNC3944
Share76Tweet47

Related Posts

Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
0

In Verizon’s just-released 2023 Data Breach Investigations Report, money is king, and denial of service and social engineering still hold...

CISA: North Korea-Backed Actors Using Maui Ransomware

North Korean Attackers Target Google Account Credentials

June 7, 2023
0

North Korean threat group Kimsuky has recently launched a social engineering campaign against a number of experts specializing in North...

Sentra Raises $30 Million for DSPM Technology

KeePass Update Patches Vulnerability Exposing Master Password

June 6, 2023
0

Open source password manager KeePass was updated over the weekend to patch a vulnerability allowing attackers to retrieve the cleartext...

Zero-day MOVEit Transfer vulnerability exploited in the wild

Zero-day MOVEit Transfer vulnerability exploited in the wild

June 6, 2023
0

Shodan search engine results for internet-facing MOVEit instances. Image: Shodan The Cybersecurity & Infrastructure Security Agency has issued an alert...

New DDoS Attack Vector Abuses Content Filtering Systems

UNC4857 Exploits MOVEit Transfer Flaw in Data Extortion Attacks

June 6, 2023
0

A newly discovered threat campaign has been observed exploiting the recently uncovered, critical-severity MOVEit Transfer vulnerability in order to launch...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
A first look at threat intelligence and threat hunting tools

A first look at threat intelligence and threat hunting tools

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
Apple launches Vision Pro & more new products

Apple launches Vision Pro & more new products

June 7, 2023
Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
Money20/20 Europe 2023: Day One TFT Roundup

Money20/20 Europe 2023: Day One TFT Roundup

June 7, 2023
Release date, price and more

Release date, price and more

June 7, 2023

Recent Posts

Apple launches Vision Pro & more new products

Apple launches Vision Pro & more new products

June 7, 2023
Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
Money20/20 Europe 2023: Day One TFT Roundup

Money20/20 Europe 2023: Day One TFT Roundup

June 7, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches Payments platform Ransomware RoundUp security Software Stories TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved