UNC3944 targets Microsoft Azure admin accounts

June 1, 2023 - TuxCare PR Team

UNC3944 has been using advanced phishing and SIM swapping methods to access Microsoft Azure administrator accounts and infiltrate virtual machines (VMs), gain control of compromised accounts, and maintain a long-term presence in targeted businesses since May 2022, according to a Mandiant report.

UNC3944 exploits its access to virtual machines by installing third-party remote management applications in client settings using the Serial Console on Azure Virtual Machines. Mandiant discovered the threat actor’s dependence on email and SMS phishing assaults, as well as attempts to phish additional people inside the firm once they had gotten access to employee databases. UNC3944 has also been seen changing and stealing data from target organizations, according to Mandiant.

UNC3944 generally targets compromised administrator or privileged account credentials to gain initial access. One of their usual strategies is “smishing” (SMS phishing) privileged users, followed by SIM switching and, finally, impersonating the users to trick helpdesk agents into sending a multi-factor reset code through SMS.

Due to the global capabilities offered to administrator accounts, once UNC3944 successfully gains access to an Azure administrator’s account, it acquires complete control over the Azure tenancy. This enables the threat actor to export user information, collect data on Azure environment settings and VMs, and establish or edit tenant accounts.

UNC3944 was also discovered utilizing a highly privileged Azure account to abuse Azure Extensions for reconnaissance purposes, according to the researchers. Azure Extensions are tools and services that extend the capabilities of Azure Virtual Machines and automate processes. The threat actor uses the “CollectGuestLogs” extension to collect log files for offline analysis and archiving.

Following surveillance, the attacker employs the Serial Console feature to get administrator command prompt access within an Azure virtual machine. UNC3944 ensures persistence on the infected VM by identifying the logged-in user’s name. To sustain access, the threat actor uses commercially accessible remote administration tools, such as PowerShell, and takes advantage of their valid signatures, which are not detected by many endpoint protection products.

UNC3944 also generates a reverse SSH tunnel to its command and control server, establishing a secure path via which network constraints and security regulations may be circumvented. This reverse tunnel with port forwarding allows for a direct access to Azure Virtual Machines through Remote Desktop.

Mandiant concludes that after setting up the SSH tunnel, the attacker connects to it using their current account or by compromising additional user accounts, leveraging them to establish a connection to the compromised system via Remote Desktop.

The sources for this piece include an article in CSOONLINE.

Summary