Security News > 2023 > May > Hackers use Azure Serial Console for stealthy access to VMs
A financially motivated cybergang tracked by Mandiant as 'UNC3944' is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
From there, the attackers abuse the Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealthy surveillance.
Once the attackers establish their foothold in the targeted organization's Azure environment, they use their administrator privileges to gather information, modify existing Azure accounts as needed, or create new ones.
Azure Extensions are "Add-on" features and services that can be integrated into an Azure Virtual Machine to help expand capabilities, automate tasks, etc.
Next, UNC3944 uses Azure Serial Console to gain administrative console access to VMs and run commands on a command prompt over the serial port.
More information on how to analyze logs for Azure Serial Console can be found in the reports appendix.