Full Report
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote managem...
Analysis Summary
# Incident Report: Azure VM Serial Console Abuse by UNC3944
## Executive Summary
In 2022, Mandiant identified a sophisticated threat actor, UNC3944, targeting Microsoft Azure environments. The primary vector of compromise leveraged compromised privileged credentials, often obtained through SMS phishing and SIM swapping, granting access to Azure administrator accounts. The attack progressed to the malicious use of the Azure Serial Console on Virtual Machines (VMs) to install unauthorized third-party remote management software, escalating the level of persistence and control within the cloud infrastructure.
## Incident Details
- Discovery Date: 2022 (Identified by Mandiant investigation)
- Incident Date: 2022
- Affected Organization: Clients utilizing Microsoft Azure (Specific organizations undisclosed)
- Sector: Technology/Cloud Services (Implied, based on environment targeted)
- Geography: Global (Based on Azure deployment)
## Timeline of Events
### Initial Access
- Date/Time: Sometime in 2022
- Vector: Compromised Credentials via Social Engineering/SIM Swapping
- Details: Attackers used SMS phishing against privileged users, executed SIM swaps, and then impersonated the users to trick help desk agents into resetting MFA codes via SMS. This led to the compromise of Azure administrator accounts with global privileges.
### Lateral Movement
- Date/Time: Post-Initial Access
- Vector: Malicious Use of Azure Serial Console and Azure Extensions
- Details: Once in the Azure tenant via stolen admin credentials, the attacker accessed Azure VMs and used the **Serial Console** feature to gain console access. They then installed **third-party remote management software** for persistent access and utilized **Azure Extensions** for reconnaissance.
### Data Exfiltration/Impact
- Date/Time: Post-Installation of Remote Management Tools
- Vector: Remote Management Software & PowerShell
- Details: The specific data targeted is not detailed, but the installation of remote management software strongly implies establishing long-term command and control, likely preparatory to data exfiltration or further operational disruption. PowerShell was observed being leveraged once logged into a VM via the serial console.
### Detection & Response
- Date/Time: Post-Incident Investigation
- Vector: Mandiant Investigation
- Details: Mandiant identified the activity and attributed it to UNC3944. Response details are not explicitly listed in the provided context beyond the analysis and attribution.
## Attack Methodology
- Initial Access: Compromised privileged credentials achieved via SMS phishing and subsequent SIM swapping/MFA reset abuse.
- Persistence: Installation of third-party remote management software delivered via the Azure Serial Console.
- Privilege Escalation: Not explicitly detailed, but initial access was to accounts with **global privileges** on the Azure tenant, effectively granting immediate high-level access.
- Defense Evasion: Not specified, but the use of the native Azure Serial Console provides a high degree of operational stealth relative to standard network-based intrusions.
- Credential Access: SMS Phishing and SIM Swapping techniques were used to bypass MFA and gain control of user accounts.
- Discovery: Use of **Azure Extensions** for reconnaissance within the compromised Azure tenant.
- Lateral Movement: Gaining access to VMs via the Serial Console allowed direct, low-level operating system access.
- Collection: PowerShell execution observed following Serial Console access.
- Exfiltration: Not specified in the context.
- Impact: Establishment of deeply embedded remote access capabilities within cloud infrastructure.
## Impact Assessment
- Financial: Unknown
- Data Breach: Unknown (Potential exposure of sensitive organizational data due to global tenant access)
- Operational: Potential for long-term disruption and unauthorized configuration changes via established persistence mechanisms.
- Reputational: Minimal public impact noted as this was an internal Mandiant investigation finding.
## Indicators of Compromise
- Network indicators: Not provided in the source.
- File indicators: Installation of third-party remote management software (specific hashes/names not provided).
- Behavioral indicators: Malicious use of the Azure Serial Console feature; Abuse of Azure Extensions for discovery; PowerShell execution following Serial Console login.
## Response Actions
- Containment measures: Not specified, but would involve revoking compromised global admin credentials and terminating unauthorized remote sessions/processes.
- Eradication steps: Removal of the installed third-party remote management software from affected VMs.
- Recovery actions: Not specified, but would include re-securing administrative configurations and potentially rotating all service keys/secrets associated with the compromised tenant.
## Lessons Learned
- Cloud-native features like the Azure Serial Console, while crucial for legitimate system administration, can be heavily abused if the underlying administrator credentials are compromised.
- Multi-factor authentication resets via SMS are a critical vulnerability point that social engineering and SIM swapping can effectively exploit to bypass cloud security controls.
## Recommendations
- Implement hardware/FIDO2 security keys for Multi-Factor Authentication (MFA) for all highly privileged cloud administrator roles to mitigate SIM swapping risk.
- Implement strict Conditional Access policies that monitor and potentially block or require *step-up* authentication when accessing sensitive management interfaces like the Azure Serial Console, especially if originating from unusual geographic locations or automated processes.
- Review and audit the deployment of any third-party remote management software within the Azure environment to ensure it was authorized via standard deployment mechanisms (e.g., Azure Policy, VM Extensions) rather than manual installation via console access.
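The behavioral indicators above and the last recommendation both come down to one question for Azure Activity Log data: who opened a Serial Console session on which VM, and did that same identity then push a VM extension onto that VM? The following is an added example, not code from the Mandiant report; it assumes Activity Log records exported as one JSON object per line with `eventTimestamp`, `operationName`, `caller`, `resourceId` and `status` fields, and the operation names are taken from Azure's resource-provider operation list as the author of this example understands them.

```python
import json
from datetime import datetime, timedelta

# Azure Activity Log operation names (assumed from Azure's resource-provider operation list).
SERIAL_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"

# Constructed sample records, one JSON object per line, mimicking an Activity Log export.
SAMPLE_LOG = """
{"eventTimestamp":"2022-06-01T10:02:11Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","caller":"admin@contoso.example","resourceId":"/subscriptions/S1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/providers/Microsoft.SerialConsole/serialPorts/0","status":"Succeeded"}
{"eventTimestamp":"2022-06-01T10:15:40Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"admin@contoso.example","resourceId":"/subscriptions/S1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/extensions/RunCommandWindows","status":"Succeeded"}
{"eventTimestamp":"2022-06-01T11:00:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"deploy-sp@contoso.example","resourceId":"/subscriptions/S1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01/extensions/MonitoringAgent","status":"Succeeded"}
"""

def vm_name(resource_id):
    """Extract the VM name from a Compute resource ID (None if the ID is not VM-scoped)."""
    parts = resource_id.split("/")
    try:
        return parts[parts.index("virtualMachines") + 1]
    except (ValueError, IndexError):
        return None

def parse_records(text):
    """Parse line-delimited JSON records and sort them by timestamp."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["eventTimestamp"].replace("Z", "+00:00"))
    return sorted(recs, key=lambda r: r["ts"])

def serial_console_logins(text):
    """Every successful Serial Console connect as (caller, vm). Each one merits review on
    its own: in this incident the console was reached with valid, stolen admin credentials."""
    return [(r["caller"], vm_name(r["resourceId"])) for r in parse_records(text)
            if r["operationName"] == SERIAL_CONNECT and r["status"] == "Succeeded"]

def console_then_extension(text, window_minutes=120):
    """Higher-confidence chain: the same caller connects to a VM's Serial Console and then
    writes a VM extension on that VM within the window. Returns (caller, vm, extension)."""
    window = timedelta(minutes=window_minutes)
    last_connect = {}  # (caller, vm) -> time of most recent successful console connect
    hits = []
    for r in parse_records(text):
        vm = vm_name(r["resourceId"])
        key = (r["caller"].lower(), vm)
        if r["operationName"] == SERIAL_CONNECT and r["status"] == "Succeeded":
            last_connect[key] = r["ts"]
        elif r["operationName"] == EXTENSION_WRITE and key in last_connect:
            if r["ts"] - last_connect[key] <= window:
                hits.append((r["caller"], vm, r["resourceId"].rsplit("/", 1)[-1]))
    return hits

if __name__ == "__main__":
    print(serial_console_logins(SAMPLE_LOG))
    print(console_then_extension(SAMPLE_LOG))
```

The extension write by `deploy-sp` on `db01` is not flagged because no console session preceded it; that is the distinction between a pipeline-driven extension deployment and the console-then-extension sequence this report attributes to UNC3944.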