Cloud Security Threat: Attackers Exfiltrate Data From Microsoft Azure Virtual Machines
Researchers at Mandiant Intelligence have reported that a financially motivated threat actor known as UNC3844 has been targeting Microsoft cloud environments and using the serial console feature of Azure virtual machines (VMs) as a means of accessing clients’ cloud environments. The aim of the attack is to install third-party remote management software that allows the attackers to steal data for financial gain. UNC3844 has been using its typical method of initial access: compromising admin credentials or other privileged accounts via malicious smishing campaigns. Once established, the group gains full access to the Azure tenant, including exporting information about users, changing configuration and creating accounts.
The Hijacking of Azure Virtual Machines
UNC3844 leverages in particular the serial console of Microsoft Azure to connect to a running OS via serial port, providing the attackers access to a cloud environment. By gaining control of an organization’s Azure environment, the threat actor can plant deepfakes, modify data and control IoT/OT assets that are managed through the cloud, according to Bud Broomhead, CEO at Viakoo.
Installation of Remote Management and Administration Tools
Mandiant Intelligence researchers have detailed how the group targets the virtual machine and installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence. “The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms,” the researchers noted. Before pivoting to another system, the attacker sets up a reverse SSH tunnel to its command-and-control server; this reverse tunnel enables UNC3844 to connect to the Azure VM via Remote Desktop, from which it can carry out a password reset of an admin account.
Defending Against the Attack on Azure VMs
To prevent targeted smishing campaigns, Mandiant recommends first “restricting access to remote administration channels and disabling SMS as a multi-factor authentication method wherever possible.” They also advised organizations to review user account permissions for overly permissive users and to implement appropriate Conditional Access Authentication Strength policies. Furthermore, restricting access to the serial console to the least privilege necessary, following Microsoft’s guidance, is essential. Lastly, organizations should review the authentication methods available in Azure AD, as documented on the Microsoft website.
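Restricting the serial console is only half of the recommendation above; the other half is knowing when it is actually used. The following is an added example (not code from the article or from Mandiant) that reads a constructed, flattened Activity Log export and flags serial console connections by callers outside an approved break-glass set or outside working hours. The flattened field names are an assumption; the RBAC action name is the real Azure permission that grants serial console access.

```python
import json
from datetime import datetime, timezone

# Azure RBAC action that grants Serial Console access; it appears as the
# operation name when a console session is opened.
SERIAL_CONSOLE_OP = "Microsoft.SerialConsole/serialPorts/connect/action"

# Constructed sample records (one JSON object per line). The flattened layout
# is an assumption; real Activity Log exports nest some of these fields.
SAMPLE_LOG = """
{"eventTimestamp": "2023-05-16T02:14:09Z", "caller": "ops-admin@example.com", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-01", "status": "Succeeded"}
{"eventTimestamp": "2023-05-16T10:30:00Z", "caller": "platform-sre@example.com", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-02", "status": "Succeeded"}
{"eventTimestamp": "2023-05-16T10:31:00Z", "caller": "platform-sre@example.com", "operationName": "Microsoft.Compute/virtualMachines/restart/action", "resourceId": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm-02", "status": "Succeeded"}
"""


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flag_serial_console_use(events, approved_callers, work_hours=(8, 18)):
    """Return (caller, vm_name, reasons) for each serial console connect that
    came from an unapproved caller or outside the UTC working-hour window."""
    findings = []
    for ev in events:
        if ev.get("operationName", "").lower() != SERIAL_CONSOLE_OP.lower():
            continue
        reasons = []
        caller = ev.get("caller", "<unknown>")
        if caller not in approved_callers:
            reasons.append("caller not in approved break-glass set")
        # Activity Log timestamps are UTC with a trailing "Z".
        ts = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
        hour = ts.astimezone(timezone.utc).hour
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append("outside working hours (UTC)")
        if reasons:
            vm_name = ev.get("resourceId", "").rsplit("/", 1)[-1]
            findings.append((caller, vm_name, reasons))
    return findings


if __name__ == "__main__":
    for caller, vm, why in flag_serial_console_use(parse_events(SAMPLE_LOG), {"platform-sre@example.com"}):
        print(f"REVIEW serial console on {vm} by {caller}: {'; '.join(why)}")
```

In practice the approved set would be the small group of identities that legitimately hold the serial console permission, so that any other session stands out immediately.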
Conclusion
The use of Azure VMs as a target for data exfiltration is not unique, but it underscores the importance of implementing proper security measures and adhering to best practices. It also serves as a warning to cloud service providers to consider how attackers navigate their platforms and to add an extra layer of security to prevent unwanted access. The report also highlights the growing sophistication of the techniques attackers use to evade detection, and the need for risk assessment and proactive countermeasures to protect against these kinds of attacks.