Phishing and SIM swapping attacks are being used by a financially driven cybergang, “UNC3944”, to take control of Microsoft Azure admin accounts and access virtual machines. From there, the attackers use Azure Extensions for covert surveillance and the Azure Serial Console to install remote management software for persistence.
According to Mandiant, UNC3944 has been operating since at least May 2022, and their operation attempts to use Microsoft’s cloud computing service to steal data from their target enterprises. The STONESTOP (loader) and POORTRY (kernel-mode driver) tools for terminating security applications were formerly credited to UNC3944. To sign their kernel drivers, the threat actors used accounts belonging to Microsoft hardware developers that had been hijacked.
The Azure administrator’s account is initially accessed using stolen credentials obtained by SMS phishing, a frequent UNC3944 strategy. To receive a multi-factor reset code sent to the target’s phone number, the attackers pretend to be the administrator when speaking with help desk representatives. However, the victim was unaware of the breach since the attacker had already SIM-swapped and copied the administrator’s number to their device. As a result, they were able to get the 2FA token.
Mandiant has not yet discovered how the hackers carry out the shifting of SIM cards portion of their operation. However, prior instances have demonstrated that facilitating illegitimate number ports requires knowledge of the target’s phone number and collusion with dishonest telecom staff. Once the attackers have gained access to the targeted company’s Azure infrastructure, they employ their administrator rights to gather data, make necessary changes to existing Azure accounts, or create new ones.
In the subsequent phase of the attack, UNC3944 employs Azure Extensions to perform surveillance, acquire data, disguise their destructive activities as routine, apparently innocent everyday activities, and blend in. Azure Extensions are “add-on” functions and services that may be added to an Azure Virtual Machine (VM) to increase functionality, automate processes, etc. These extensions are covert and less suspicious because they are often employed for legal reasons and run inside the VM.
In this instance, the threat actor took advantage of “CollectGuestLogs,” one of the built-in Azure diagnostic extensions, to gather log files from the compromised endpoint. Mandiant has also discovered indications that the threat actor tried to misuse the extra extensions. UNC3944 then accesses VMs’ administrative consoles using Azure Serial Console and issues commands via a command prompt over the serial port.
“This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM,” explains Mandiant’s report.
Mandiant observed that the hackers use the command “whoami” as their initial action to identify the user who is presently signed in and obtain data necessary for their subsequent exploitation. The reports appendix has further details on examining logs for Azure Serial Console. The threat actors then install many commercially accessible remote administrator tools not included in the report and use PowerShell to improve their persistence on the VM.
“To maintain presence on the VM, the attacker often deploys multiple commercially available remote administration tools via PowerShell,” reads Mandiant’s report. “The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms.”
The next step for UNC3944 is to build a reverse SSH tunnel to their C2 server so that they may get around network constraints and security measures while still maintaining covert and persistent access. The attacker can connect directly to an Azure VM using Remote Desktop by configuring the reverse tunnel with port forwarding. For instance, any incoming connection to port 12345 of a remote system would be routed to port 3389 of a local host (Remote Desktop Protocol Service Port). The attackers then spread their influence within the penetrated environment, taking data along the way, using the credentials of a stolen user account to log in to the hacked Azure VM via the reverse shell.
Mandiant’s assault showcases UNC3944’s comprehensive knowledge of the Azure system and how it may use its in-built capabilities to avoid detection. However, the risk is increased when this technological know-how is paired with advanced social engineering techniques that aid the attackers in SIM changing. At the same time, firms that use inadequate security methods, such as SMS-based multi-factor authentication, because they don’t comprehend cloud technology provide these skilled threat actors options.
