CyberSecurity SEE

Using SIM Swapping to Access Azure Machines

UNC3944, a financially motivated threat group, has been identified as using phishing and SIM-swapping techniques to gain control of Microsoft Azure admin accounts. Using these methods, they can exploit Azure’s Serial Console and Azure Extensions to covertly monitor and install remote management software. According to a report by Mandiant, the group has been active since May of 2022, with their primary objective being to extract sensitive data from targeted organizations through Microsoft’s cloud computing service.

The group’s notoriety is well established, having previously been linked to the development of toolkits such as the STONESTOP loader and POORTRY kernel-mode driver. These tools aimed to disable security software and posed a significant threat to computer systems. The group has also used stolen Microsoft hardware developer accounts to sign their kernel drivers, allowing them to operate with greater anonymity.

UNC3944 relies primarily on compromised credentials of administrators or other privileged accounts to gain initial access. They use SMS phishing and SIM-swapping to impersonate privileged users and deceive help desk agents into providing multi-factor reset codes. Once they have gained access, the group uses Azure Extensions for covert surveillance and information gathering, effectively blending in with legitimate daily activities.

Azure Extensions are add-on features and services that extend the functionality and automation of Azure VMs. Because they run inside the virtual machine as a sanctioned Azure feature, their activity looks legitimate and draws little suspicion. UNC3944 abused Azure diagnostic extensions, specifically the “CollectGuestLogs” function, to gather log files from the compromised endpoint.

The group uses the Azure Serial Console to obtain direct administrative console access to virtual machines. This lets them execute commands from a command prompt and collect information for the next stages of the intrusion. UNC3944 then deploys various remote administration tools to strengthen its foothold on the virtual machine and establishes a covert, persistent connection to its C2 server through a reverse SSH tunnel, evading security controls.

Once connected, the attacker creates a new process that runs cmd.exe, and the resulting console session reveals the username of the currently logged-in user. The rise of Living off the Land attacks that rely on built-in tools shows that the threat landscape extends beyond the operating system layer. UNC3944’s use of the serial console demonstrates how attackers repurpose legitimate tools to avoid detection.
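As an added example (not part of the original article or Mandiant’s report), a small Python check that flags the sequence described above in Azure Activity Log records: a Serial Console connection to a VM followed shortly by an extension deployment or run command on the same VM by the same caller. The log records, subscription and caller names are constructed, and the Serial Console operation name is an assumption to verify against your own tenant’s logs.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Azure Activity Log records (JSON lines), made up for this
# example. Field names follow the Activity Log schema; the Serial Console
# operation name is an assumption and should be checked against real logs.
SAMPLE_LOG = """\
{"time": "2023-05-16T09:02:11Z", "caller": "admin@contoso.example", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01"}
{"time": "2023-05-16T09:05:40Z", "caller": "admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/extensions/CollectGuestLogs"}
{"time": "2023-05-16T11:30:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01/extensions/AzureMonitorWindowsAgent"}
{"time": "2023-05-16T12:00:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01"}
"""

SERIAL_CONSOLE = "Microsoft.SerialConsole/serialPorts/connect/action"  # assumed name
FOLLOW_ON = {
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
}
WINDOW = timedelta(hours=1)


def vm_of(resource_id):
    """Return the VM resource path, stripping any /extensions/<name> suffix."""
    return resource_id.split("/extensions/")[0]


def parse_records(text):
    """Parse JSON-lines records and sort them by timestamp."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])


def find_console_followups(text, window=WINDOW):
    """Flag callers who open a Serial Console session to a VM and then, within
    `window`, push an extension or run a command on that same VM."""
    findings = []
    consoles = []  # (caller, vm path, timestamp) of console sessions seen so far
    for r in parse_records(text):
        vm = vm_of(r["resourceId"])
        if r["operationName"] == SERIAL_CONSOLE:
            consoles.append((r["caller"], vm, r["ts"]))
        elif r["operationName"] in FOLLOW_ON:
            for caller, cvm, cts in consoles:
                if caller == r["caller"] and cvm == vm and cts <= r["ts"] <= cts + window:
                    findings.append({"caller": caller, "vm": vm.rsplit("/", 1)[-1],
                                     "operation": r["operationName"],
                                     "target": r["resourceId"].rsplit("/", 1)[-1]})
    return findings


if __name__ == "__main__":
    for finding in find_console_followups(SAMPLE_LOG):
        print(finding)
```

The ordinary extension write by the second caller is not flagged because no Serial Console session preceded it; tune the window and add the run-command path to match your own environment's telemetry.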

Mandiant advises organizations to restrict remote administration access and, wherever feasible, to stop using SMS as a multifactor authentication option. Both measures reduce the risk of unauthorized access by shrinking the exposed administrative surface and removing an authentication factor that SIM swapping can defeat.

UNC3944’s use of Azure Extensions and the Serial Console highlights the importance of continued vigilance in detecting new methods used by threat actors. Organizations must implement comprehensive security measures to prevent unauthorized access, including limiting remote administration access and using secure multifactor authentication methods. By doing so, organizations can better protect themselves against advanced persistent threats.
