UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

Detail of the campaign

• In its latest campaign, the threat actor is abusing the Azure Serial Console to install remote management software for persistence and Azure Extensions for stealthy surveillance.
• The attackers attempt to steal data from victim organizations and use Microsoft's cloud computing service for malicious activities.

Gaining initial access

• The threat actor gains initial access to an Azure administrator's account by using stolen credentials obtained through SMS phishing.
• They, subsequently, contact the organization's help desk agents and impersonate an administrator, convincing them to send a multi-factor reset code through SMS to a phone number controlled by the attacker.
• Once they gain access to the organization's Azure environment, they use their admin privileges to collect information, modify existing Azure accounts as required, or create new ones.

Use of Living-off-the-Land tactic

• In the next stage of the attack, UNC3944 uses Azure Extensions to perform surveillance and collect information. To avoid detection, the attackers hide their malicious operations as innocuous daily tasks and blend in with regular traffic.
• The attackers abuse the built-in Azure diagnostic extensions, such as CollectGuestLogs, to gather log files from the breached endpoint. 
• They also abuse other Azure extensions, including VMSnapshot, Guest Configuration, Azure Network Watcher, and Guest Agent Automatic Log Collection.
• Azure Serial Console is also exploited to obtain admin console access to the VMs and execute commands over the serial port.

Conclusion