Wednesday, 17 May 2023 15:18

Azure Serial Console being Abused for VM Takeover

Written by

Reading time is around minutes.

Google owned Mandiant has released findings on a group known as Roasted 0ktapus, Scattered Spider and UNC3944 (sort of rolls off the tongue there). This group has been seen to abuse the Microsoft Azure Serial Console to push out their own remote management tools in previously compromised environments. The fact that this new technique is not available from outside of an existing environment is a good thing, but it does mean organizations should monitor access and improve controls to avoid account compromise.

Anyway, back to the topic at hand. UNC3944 (TK421 why aren’t you at your post?), popped up on the threat landscape in 2022 as they were identified using SIM swapping techniques to get into telecommunication and business process outsourcing companies. In addition to SIM swapping and abusing the serial console, the group has a loader dubber STONESTOP that can install a malicious driver which can terminate processes linked to security software as well as delete files.

It seems likely that the group leverages Smishing as part of their initial access (targeting admin users) which then allows them to perform the SIM swap. This swap allows them to impersonate phones for MFA access for access into an environment with elevated privileges. Once they are in the front door, they look around and identify their next victim. This is when they go after the Azure Serial Console for admin level access to the VM via a command prompt. This lets them install legitimate remote management tools that are tied to a console they control.

Cloud environments are great things that can provide cost savings for companies. The problem is that far too many organizations are not properly trained to protect these types of environments. They are used to protecting physical servers and end up leaving attack vectors open that a threat actor can put to malicious use. We know that groups are looking to ways into cloud environment for exactly this reason. Azure, AWS, GCP, all are potential security nightmares if not configured in the right way. This attack chain (Smishing, to SIM swap, to elevated access, to remote tool installation via the VM layer) shows that attackers know who to target and what to do once they are in.

We mentioned the need for increased privileged account awareness and protection already as this is still not being properly done in far too many organizations. Now we also should mention that just because things are in the cloud does not mean they are secure. The default settings in most cloud environments are pretty much wide open with very few options for security leveraged. This would be a good time to review those settings and close any gaps before this single novel threat group becomes multiples.

Read 513 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.