Threat group UNC3944 abusing Azure Serial Console for takeover of VMs

Target Industry

The newly discovered adversary, threat group UNC3944, has been using SIM swapping attacks to compromise telecommunications and business process outsourcing (BPO) organisations since at least May 2022.


In the past, UNC3944 has used SIM swapping, phishing emails and SMS messages, as well as a number of other techniques, such as maliciously signed drivers. Attacks are launched with the intention of stealing data, and in some circumstances the threat group targets different users within the targeted organisation via personally identifiable information (PII). The group then installs external remote management tools on compromised systems by leveraging Microsoft Azure Serial Console.

In a Bring Your Own Vulnerable Driver (BYOVD) attack, UNC3944 uses the loader STONESTOP to install the malicious signed driver POORTRY, which is intended to disable security software-related processes and delete files. This attack approach was distinct in that it evaded several of the standard detection techniques used in Azure and gave the attacker complete administrative access to the virtual machine (VM).


After gaining access to the Azure administrator’s account, the attackers used a variety of admin account privileges to export user data from the tenancy, collect configuration information for the Azure environment, and create or edit accounts.

Affected Products

Azure VM extensions such as:

  • Azure Network Watcher
  • Azure Windows Guest Agent
  • VMSnapshot
  • Azure Policy guest configuration
  • CollectGuestLogs

Containment, Mitigations & Remediations

  • Restrict access to remote administration channels
  • Disable SMS as a multifactor authentication method wherever possible
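
Restricting remote administration channels starts with knowing who already uses them. The following added example (not part of the original bulletin) groups Serial Console connections and VM extension writes by caller and VM and grades each group. The record field names, accounts, resource IDs and allow-list are constructed assumptions, and it assumes your Azure Activity Log export records these two operation names.

```python
from collections import defaultdict

# Azure operation names watched here, matched case-insensitively.
WATCHED_OPS = {
    "microsoft.serialconsole/serialports/connect/action": "serial_console",
    "microsoft.compute/virtualmachines/extensions/write": "extension_write",
}

def vm_of(resource_id):
    """Return the lower-cased resource ID of the VM a record refers to, or None."""
    head, sep, tail = resource_id.lower().partition("/virtualmachines/")
    name = tail.split("/")[0]
    return head + sep + name if name else None

def review(events, approved_callers):
    """Group watched operations by (caller, VM) and grade each group."""
    approved = {c.lower() for c in approved_callers}
    seen = defaultdict(set)
    for ev in events:
        kind = WATCHED_OPS.get(ev.get("operationName", "").lower())
        vm = vm_of(ev.get("resourceId", ""))
        if kind and vm:
            seen[(ev.get("caller", "").lower(), vm)].add(kind)
    findings = []
    for (caller, vm), kinds in sorted(seen.items()):
        if caller not in approved:
            severity = "high"    # channel used by an account outside the allow-list
        elif "serial_console" in kinds:
            severity = "review"  # approved account, but it may itself be compromised
        else:
            continue             # extension change by an approved caller
        findings.append({"caller": caller, "vm": vm.rsplit("/", 1)[-1],
                         "kinds": sorted(kinds), "severity": severity})
    return findings

# Constructed sample records; field names are simplified assumptions.
VM = "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"
PORT = "/providers/Microsoft.SerialConsole/serialPorts/0"
SC, EXT = "Microsoft.SerialConsole/serialPorts/connect/action", "Microsoft.Compute/virtualMachines/extensions/write"
SAMPLE = [
    {"caller": "deploy@example.com", "operationName": EXT, "resourceId": VM + "vm-web01/extensions/ext1"},
    {"caller": "admin@example.com", "operationName": SC, "resourceId": VM + "vm-app01" + PORT},
    {"caller": "helpdesk7@example.com", "operationName": SC.upper(), "resourceId": VM + "vm-db01" + PORT},
    {"caller": "helpdesk7@example.com", "operationName": EXT, "resourceId": VM + "VM-DB01/extensions/ext1"},
    {"caller": "helpdesk7@example.com", "operationName": "Microsoft.Compute/virtualMachines/read", "resourceId": VM + "vm-db01"},
]

if __name__ == "__main__":
    print(*review(SAMPLE, {"admin@example.com", "deploy@example.com"}), sep="\n")
```

Serial Console use by an approved administrator is still reported for review, because the bulletin describes the attackers operating from a compromised Azure administrator account.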

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

VMware has a considerable proportion of the virtualisation market share. VMware products have become a prime target for threat actors. Since virtual machines have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the associated devices to extract the sensitive information contained within.

Threat Group

The UNC3944 (also known as Roasted 0ktapus and Scattered Spider) threat group is well-versed in using built-in tools to evade detection. It is financially motivated.

MITRE Methodologies

T1451 – SIM Card Swap

T1566 – Phishing

Further Information

SIM Swapping and Abuse of the Microsoft Azure Serial Console

UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

