Microsoft Azure VMs Hijacked in Cloud Cyberattack

Published: 23/11/2024   Category: security




Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.



A threat actor known for targeting Microsoft cloud environments is now employing the serial console feature on Azure virtual machines (VMs) to hijack the VM and install third-party remote management software within clients' cloud environments.
Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.
Using one of its typical methods of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.
From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.
Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes, the researchers wrote. These extensions are executed inside of a VM and have a variety of legitimate uses.
By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.
As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console, they wrote. The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer.
UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.
However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.
By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud, Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.
Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.
The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms, the researchers wrote.
Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured so that any inbound connection to port 12345 on the remote machine would be forwarded to localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.
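The control-plane steps described above (serial console connections, Azure extension deployments for reconnaissance, and tooling installed on the VM) each leave an Azure Activity Log record, which is where a defender can catch this chain. The following is an added example written for this article, not Mandiant's or Microsoft's code: it reads an Activity Log export, flags watched operations by callers that are not on an allow-list, and escalates any caller who performs two or more different watched operations within an hour. The operation identifiers, the allow-listed app id, the subscription and VM paths, and the log records are all assumptions constructed for the demo.

```python
"""Flag Azure Activity Log operations matching the serial console / extension
LotL chain. Hypothetical helper for this article; operation names, sample
records and identities below are assumptions, not values from the page."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Resource-provider operation names as they appear in Activity Log exports
# (assumed; compare against your own tenant's exports). Keys are lower-cased.
WATCHED_OPERATIONS = {
    "microsoft.serialconsole/serialports/connect/action": "serial console connect",
    "microsoft.compute/virtualmachines/extensions/write": "VM extension deployed",
    "microsoft.compute/virtualmachines/runcommand/action": "Run Command executed",
}

# Identities allowed to perform these operations, e.g. a patching automation
# service principal (placeholder app id; replace with your own).
ALLOWED_CALLERS = {"00000000-0000-0000-0000-000000000001"}

# Constructed sample export: one suspect user touching the serial console,
# extensions and Run Command in quick succession, plus benign activity.
VM = ("/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/"
      "Microsoft.Compute/virtualMachines/vm-prod-01")
SAMPLE_LOG = json.dumps({"value": [
    {"eventTimestamp": "2024-11-23T09:00:00Z", "caller": "ops.admin@example.onmicrosoft.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "resourceId": VM},
    {"eventTimestamp": "2024-11-23T10:00:00Z", "caller": "suspect.user@example.onmicrosoft.com",
     "operationName": {"value": "Microsoft.SerialConsole/serialPorts/connect/action"},
     "resourceId": VM + "/providers/Microsoft.SerialConsole/serialPorts/0"},
    {"eventTimestamp": "2024-11-23T10:12:00Z", "caller": "suspect.user@example.onmicrosoft.com",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": VM + "/extensions/CustomScriptExtension"},
    {"eventTimestamp": "2024-11-23T10:20:00Z", "caller": "suspect.user@example.onmicrosoft.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"}, "resourceId": VM},
    {"eventTimestamp": "2024-11-23T11:00:00Z", "caller": "00000000-0000-0000-0000-000000000001",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
     "resourceId": VM + "/extensions/MonitoringAgent"},
    {"eventTimestamp": "2024-11-23T14:00:00Z", "caller": "ops.admin@example.onmicrosoft.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
     "resourceId": VM + "/extensions/MonitoringAgent"},
]})


def parse_activity_log(raw_json):
    """Accept either a bare list of records or the {"value": [...]} wrapper."""
    data = json.loads(raw_json)
    if isinstance(data, dict):
        data = data.get("value", [])
    return list(data)


def _operation_name(event):
    """operationName is a plain string in some exports and {"value": ...} in others."""
    op = event.get("operationName", "")
    if isinstance(op, dict):
        op = op.get("value", "")
    return op.lower()


def _timestamp(event):
    # Accept the trailing "Z" form on Python versions older than 3.11.
    return datetime.fromisoformat(event["eventTimestamp"].replace("Z", "+00:00"))


def find_suspicious(events, allowed_callers=ALLOWED_CALLERS):
    """Return one finding per watched operation by a non-allow-listed caller."""
    findings = []
    for ev in events:
        label = WATCHED_OPERATIONS.get(_operation_name(ev))
        caller = ev.get("caller", "<unknown>")
        if label is None or caller in allowed_callers:
            continue
        findings.append({"time": _timestamp(ev), "caller": caller,
                         "operation": label, "resource": ev.get("resourceId", "")})
    return findings


def callers_with_chain(findings, window=timedelta(hours=1), min_distinct=2):
    """Callers who perform >= min_distinct different watched operations within window."""
    by_caller = defaultdict(list)
    for f in findings:
        by_caller[f["caller"]].append(f)
    flagged = set()
    for caller, items in by_caller.items():
        items.sort(key=lambda f: f["time"])
        for i, first in enumerate(items):
            ops = {f["operation"] for f in items[i:] if f["time"] - first["time"] <= window}
            if len(ops) >= min_distinct:
                flagged.add(caller)
                break
    return flagged


if __name__ == "__main__":
    found = find_suspicious(parse_activity_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['time']:%H:%M} {f['caller']}: {f['operation']} on {f['resource']}")
    print("escalate:", sorted(callers_with_chain(found)))
```

Note that the reverse SSH tunnel and the RDP session it carries happen inside the guest and do not appear in the Activity Log; covering that step needs host or network telemetry from the VM itself. The allow-list is what keeps legitimate automation from drowning the alert, so it should hold only the identities that are expected to deploy extensions or run commands.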
The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.
Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks, he says.
To thwart this type of threat, organizations must first prevent targeted smishing campaigns in a way that enables their workforce while not inhibiting productivity or impacting user privacy, Smith says.
Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.
Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies, the researchers wrote.
They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.
