This post was originally published on IT Pro Today
This article originally appeared in Dark Reading.
A threat actor known for targeting Microsoft cloud environments is now using the serial console feature on Azure virtual machines (VMs) to hijack VMs and install third-party remote management software inside clients' cloud environments.
Tracked as UNC3844 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.
Using one of its typical methods of initial access, compromising admin credentials or gaining access to other privileged accounts via malicious smishing campaigns, UNC3844 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.
From there, the attacker has a number of options for malicious activity, including exporting information about the users in the tenant, collecting information about the Azure environment configuration and its VMs, and creating or modifying accounts.
“Mandiant has observed this attacker using their access to a