Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

2023-05-17 11:52

A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines to install third-party remote management tools within compromised environments.

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm said.

Armed with the elevated access, the threat actor then moves to survey the target network by exploiting Azure VM extensions such as Azure Network Watcher, Azure Windows Guest Agent, VMSnapshot, and Azure Policy guest configuration.

"Once the attacker completes their reconnaissance, they employ the serial console functionality in order to gain an administrative command prompt inside of an Azure VM," Mandiant said, adding it observed UNC3944 making use of PowerShell to deploy legitimate remote administration tools.

"The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer," Mandiant said.

"Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud."

News URL

https://thehackernews.com/2023/05/threat-group-unc3944-abusing-azure.html

#azure #console #takeover #threat