In 2022, Mandiant identified attacker activity centered in Microsoft Azure that it attributed to UNC3944.
This article provides an overview of the Serial Console feature in Azure, which allows users to access a virtual machine (VM) via a command line interface. It outlines the limitations of the feature, such as the need for a user account with administrative privileges, as well as the Azure RBAC roles and permissions required to access the Serial Console. It also explains the logging capabilities of the Serial Console, including the Azure Activity log, which stores activity for up to 90 days, and the Azure Monitor logs, which only log activity prior to the user connecting to the VM.
The article also outlines the requirements for using the Serial Console, such as the need for boot diagnostics to be enabled for the VM, a user account with password authentication, and the Virtual Machine Contributor role for both the VM and the boot diagnostics storage account. It also explains that the Serial Console is enabled by default on newer images deployed within Azure.
The article also provides an overview of the malicious use of the Serial Console by UNC3944, a financially motivated threat actor. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Mandiant recommends that organizations restrict access to remote administration channels and disable SMS as a multifactor authentication method wherever possible.
Finally, the article provides a list of detection opportunities for local events and Azure, such as monitoring for virtual machine creation or modification, running commands on a virtual machine, and connecting to a virtual machine by serial console. It also acknowledges the efforts of many people across multiple regions within Mandiant and Microsoft DART for their insight and contributions to the article. In conclusion, this article provides a comprehensive overview of the Serial Console feature in Azure and the detection opportunities associated with it, as well as an overview of the malicious use of the Serial Console by UNC3944 and the steps organizations can take to protect their cloud environments.
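The detection opportunities listed above (VM creation or modification, running commands on a VM, and serial console connections) can be correlated from Azure Activity log records. The following is an added example, not code from the Mandiant article; it assumes a flattened record shape with `caller`, `operationName`, `status`, `resourceId` and `eventTimestamp` fields, uses Azure resource-provider-style operation names that are assumptions rather than values quoted on the page, and runs over constructed sample records.

```python
import json
from datetime import datetime, timedelta

# Operation names follow Azure's resource-provider naming; they are assumptions
# for this example, not values quoted on the page. Tune to your tenant's logs.
WATCHED = {
    "Microsoft.Compute/virtualMachines/write": "vm_write",
    "Microsoft.Compute/virtualMachines/runCommand/action": "vm_run_command",
    "Microsoft.SerialConsole/serialPorts/connect/action": "serial_console_connect",
}
VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
      "/providers/Microsoft.Compute/virtualMachines/")

def _rec(ts, caller, op, res):
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "status": "Succeeded", "resourceId": res}

# Constructed sample records in a flattened Activity log shape (assumed field names).
SAMPLE_LOG = json.dumps([
    _rec("2023-01-10T09:00:00Z", "admin@example.com", "Microsoft.Compute/virtualMachines/write", VM + "vm-a"),
    _rec("2023-01-10T09:05:00Z", "admin@example.com", "Microsoft.SerialConsole/serialPorts/connect/action",
         VM + "vm-a/providers/Microsoft.SerialConsole/serialPorts/0"),
    _rec("2023-01-10T09:06:00Z", "svc@example.com", "Microsoft.Compute/virtualMachines/read", VM + "vm-b"),
    _rec("2023-01-11T09:05:00Z", "ops@example.com", "Microsoft.SerialConsole/serialPorts/connect/action",
         VM + "vm-c/providers/Microsoft.SerialConsole/serialPorts/0"),
])

def vm_of(resource_id):
    """Normalize a resource id to its VM; serial port ids are assumed to nest under the VM."""
    return resource_id.split("/providers/Microsoft.SerialConsole")[0]

def flag_events(raw_json):
    """Every successful watched operation as (caller, label, vm, timestamp)."""
    hits = []
    for rec in json.loads(raw_json):
        label = WATCHED.get(rec.get("operationName"))
        if label and rec.get("status") == "Succeeded":
            ts = datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
            hits.append((rec["caller"], label, vm_of(rec["resourceId"]), ts))
    return hits

def modify_then_connect(raw_json, window=timedelta(hours=1)):
    """Callers who modified or ran a command on a VM and then opened a serial
    console session to the same VM within `window`: review these first."""
    hits = flag_events(raw_json)
    found = set()
    for caller, label, vm, ts in hits:
        if label != "serial_console_connect":
            continue
        for c2, l2, v2, t2 in hits:
            if (c2 == caller and v2 == vm and l2 != "serial_console_connect"
                    and timedelta(0) <= ts - t2 <= window):
                found.add((caller, vm))
    return found
```

A lone serial console connection is still worth reviewing, since the Serial Console bypasses guest-level logging once the session is open; the correlation only ranks which events to look at first.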
📓 SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
👉🏽 In 2022, Mandiant identified attacker activity centered in Microsoft Azure that it attributed to UNC3944.
👉🏽 Overview of the Serial Console feature in Azure
👉🏽 Limitations of the feature, including RBAC roles and permissions required
👉🏽 Logging capabilities of the Serial Console, including the Azure Activity log and Azure Monitor logs
👉🏽 Requirements for using the Serial Console, including boot diagnostics and the Virtual Machine Contributor role
👉🏽 Serial Console enabled by default on newer Azure images
👉🏽 Malicious use of the Serial Console by UNC3944 and recommendations to protect cloud environments
👉🏽 Restricting access to remote administration channels and disabling SMS as a multifactor authentication method
👉🏽 Detection opportunities for local events and Azure, including virtual machine creation and modification
👉🏽 Acknowledgment of insight and contributions from Mandiant and Microsoft DART
👉🏽 Comprehensive overview of the Serial Console feature and detection opportunities in Azure
#AzureSerialConsole #RBACpermissions #BootDiagnostics #MaliciousUse #DetectionOpportunities