| property | value |
|---|---|
| tags | offensive-tradecraft,pkm-pocket-pipeline,tactic-obfuscation |
| url | |
| original_word_count | 2170 |
Article Excerpt
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944.
Long Summary
This article provides an overview of the Serial Console feature in Azure, which allows users to access a virtual machine (VM) via a command line interface. It outlines the limitations of the feature, such as the need for a user account with administrative privileges, as well as the Azure RBAC roles and permissions required to access the Serial Console. It also explains the logging capabilities of the Serial Console, including the Azure Activity log, which stores activity for up to 90 days, and the Azure Monitor logs, which only log activity prior to the user connecting to the VM.
The article also outlines the requirements for using the Serial Console, such as the need for boot diagnostics to be enabled for the VM, a user account with password authentication, and the Virtual Machine Contributor role for both the VM and the boot diagnostics storage account. It also explains that the Serial Console is enabled by default on newer images deployed within Azure.
The article also provides an overview of the malicious use of the Serial Console by UNC3944, a financially motivated threat actor. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Mandiant recommends that organizations restrict access to remote administration channels and disable SMS as a multifactor authentication method wherever possible.
Finally, the article lists detection opportunities for local events and for Azure, such as monitoring for virtual machine creation or modification, running commands on a virtual machine, and connecting to a virtual machine by serial console. It also acknowledges the efforts of many people across multiple regions within Mandiant and Microsoft DART for their insight and contributions to the article. In conclusion, the article provides a comprehensive overview of the Serial Console feature in Azure and the detection opportunities associated with it, as well as of the malicious use of the Serial Console by UNC3944 and the steps organizations can take to protect their cloud environments.
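As an added example (not code from the article or from Mandiant), the three Azure detection opportunities above can be correlated from Activity Log records. The operation names in `WATCHED_OPERATIONS` are assumed Azure resource-provider operation names rather than values quoted from the article, the record format is simplified to the fields used here, the sample records are constructed, and the one-hour correlation window is an assumption.

```python
import json
from datetime import datetime, timedelta

# Assumed Activity Log operation names for the three detection opportunities
# (Azure resource-provider operations; not quoted from the article).
WATCHED_OPERATIONS = {
    "microsoft.compute/virtualmachines/write": "vm-create-or-modify",
    "microsoft.compute/virtualmachines/runcommand/action": "vm-run-command",
    "microsoft.serialconsole/serialports/connect/action": "serial-console-connect",
}

# Constructed sample records, one JSON object per line, reduced to the fields used here.
SAMPLE_LOG = """\
{"eventTimestamp": "2022-05-01T10:00:00Z", "caller": "user-a@example.test", "operationName": "Microsoft.Compute/virtualMachines/write", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"eventTimestamp": "2022-05-01T10:02:00Z", "caller": "user-a@example.test", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"eventTimestamp": "2022-05-01T10:05:00Z", "caller": "user-a@example.test", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}
{"eventTimestamp": "2022-05-01T11:00:00Z", "caller": "user-b@example.test", "operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm2"}
"""

def parse_events(log_text):
    """Return the watched events as (timestamp, caller, resourceId, tag) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        tag = WATCHED_OPERATIONS.get(rec["operationName"].lower())
        if tag is None:
            continue  # not one of the three operations of interest
        ts = datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["caller"], rec["resourceId"].lower(), tag))
    return events

def find_chains(events, window_minutes=60):
    """Return {(caller, resourceId)} for callers who modify a VM, run a command on it
    and open its serial console within the (assumed) correlation window."""
    window = timedelta(minutes=window_minutes)
    by_key = {}
    for ts, caller, rid, tag in sorted(events):
        by_key.setdefault((caller, rid), []).append((ts, tag))
    hits = set()
    for key, seq in by_key.items():
        for i, (t0, _) in enumerate(seq):
            seen = {tag for t, tag in seq[i:] if t - t0 <= window}
            if seen == set(WATCHED_OPERATIONS.values()):
                hits.add(key)
                break
    return hits

if __name__ == "__main__":
    print("serial-console chains:", find_chains(parse_events(SAMPLE_LOG)))
```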
Short Summary
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
- In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944.
- Overview of the Serial Console feature in Azure
- Limitations of the feature, including RBAC roles and permissions required
- Logging capabilities of the Serial Console, including Azure Activity log and Azure Monitor logs
- Requirements for using the Serial Console, including boot diagnostics and Virtual Machine Contributor role
- Serial Console enabled by default on newer Azure images
- Malicious use of the Serial Console by UNC3944 and recommendations to protect cloud environments
- Restricting access to remote administration channels and disabling SMS as a multifactor authentication method
- Detection opportunities for local events and Azure, including virtual machine creation and modification
- Acknowledgment of insight and contributions from Mandiant and Microsoft DART
- Comprehensive overview of Serial Console feature and detection opportunities in Azure.
source link: https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/sim-swapping-and-abuse-of-the-microsoft-azure-serial-console-serial-is-part-of-a-well-balanced-atta
#AzureSerialConsole #RBACpermissions #BootDiagnostics #MaliciousUse #DetectionOpportunities