A threat actor identified as UNC3844 is reportedly using the serial console feature in Microsoft Azure virtual machines to hijack VMs and install third-party remote management software within clients’ cloud environments. The group is also using SIM swapping to gain access to the Azure tenant. UNC3844 is reportedly using the serial console to undermine traditional security detections employed within Azure, with a living-off-the-land (LotL) attack ultimately aimed at stealing data, which it can use for financial gain. Mandiant has observed UNC3844 using highly privileged Azure access to leverage extensions executed inside of a VM for reconnaissance purposes.
UNC3844 is a financially motivated threat group that typically targets Microsoft environments for financial gain and was seen last December leveraging Microsoft-signed drivers for post-exploitation activities. Mandiant detailed in a recent report how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence. Before pivoting to another system, the attacker sets up a reverse SSH tunnel to the command-and-control (C2) server, configured so that any inbound connection to port 12345 on the remote machine is forwarded to port 3389 on the localhost. This gives UNC3844 a direct Remote Desktop connection to the Azure VM, from which they can facilitate a password reset of an admin account.
Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said that, by gaining control of an organization’s Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud. This poses a serious challenge to organizations, as attackers are increasingly targeting users where organizations have no visibility. UNC3844’s sophisticated evasion tactics and targeting go beyond the network and the endpoint directly to mobile devices and the cloud, noted Kern Smith, VP of Americas, Sales Engineering at mobile security firm Zimperium.
To thwart this type of threat, organizations must first prevent targeted smishing campaigns in a way that enables their workforce while not inhibiting productivity or impacting user privacy. Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible. Additionally, organizations should review user account permissions for overly permissive users and implement appropriate Conditional Access Authentication Strength policies. Mandiant has also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft’s guidance.
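Alongside restricting serial console access, a defender can hunt for the tradecraft described above in exported Azure Activity Log data. The following is an added example, not code from Mandiant or Microsoft: it flags every serial console connection and raises severity when a VM extension is written on the same VM shortly afterwards. The log records are constructed, and the two operation-name strings are assumed to match the resource-provider action names Azure records for these events.

```python
from datetime import datetime, timedelta

# Assumed Azure resource-provider action names (verify against your tenant's logs).
SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
VM_EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"


def vm(name):
    """Build a constructed VM resource ID for the sample records."""
    return f"/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/{name}"


# Constructed, simplified Activity Log records (not real telemetry).
SAMPLE_LOG = [
    {"time": "2023-05-16T08:00:00Z", "caller": "ops@example.com",
     "operationName": SERIAL_CONSOLE_CONNECT, "resourceId": vm("vm3")},
    {"time": "2023-05-16T10:00:00Z", "caller": "ops@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": vm("vm1")},
    {"time": "2023-05-16T10:05:00Z", "caller": "helpdesk@example.com",
     "operationName": SERIAL_CONSOLE_CONNECT, "resourceId": vm("vm1")},
    {"time": "2023-05-16T10:20:00Z", "caller": "helpdesk@example.com",
     "operationName": VM_EXTENSION_WRITE, "resourceId": vm("vm1")},
    {"time": "2023-05-16T11:00:00Z", "caller": "automation@example.com",
     "operationName": VM_EXTENSION_WRITE, "resourceId": vm("vm2")},
    {"time": "2023-05-16T12:00:00Z", "caller": "ops@example.com",
     "operationName": VM_EXTENSION_WRITE, "resourceId": vm("vm3")},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_serial_console_abuse(events, window=timedelta(hours=1)):
    """Return findings in time order. Any serial console connect is 'medium';
    an extension write on the same VM within `window` after a connect is 'high'."""
    findings = []
    last_connect = {}  # resourceId -> (time, caller) of the latest serial console connect
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        op, rid, t = e["operationName"], e["resourceId"], parse_time(e["time"])
        if op == SERIAL_CONSOLE_CONNECT:
            last_connect[rid] = (t, e["caller"])
            findings.append({"severity": "medium", "resourceId": rid, "caller": e["caller"],
                             "reason": "serial console connection"})
        elif op == VM_EXTENSION_WRITE and rid in last_connect:
            t0, who = last_connect[rid]
            if t - t0 <= window:
                findings.append({"severity": "high", "resourceId": rid, "caller": e["caller"],
                                 "reason": f"extension written {t - t0} after serial console use by {who}"})
    return findings


if __name__ == "__main__":
    for f in find_serial_console_abuse(SAMPLE_LOG):
        print(f["severity"], f["resourceId"].rsplit("/", 1)[-1], f["caller"], f["reason"])
```

Tune the window and exclude known automation identities before running this over real exports, and treat any hit as a prompt to review the caller's role assignments against Microsoft's least-privilege guidance for the serial console.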
In conclusion, the threat actor UNC3844 poses a serious threat to Microsoft Azure virtual machines. The group employs sophisticated techniques to gain access to the Azure tenant and install third-party remote management software within clients’ cloud environments. Organizations must implement appropriate security measures and strictly follow Microsoft’s guidance to avoid possible data exfiltration and financial losses.