Advisories

1.0 Introduction

Recently, Microsoft has released updates addressing multiple vulnerabilities in Microsoft software.

2.0 Impact
A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Microsoft Windows and Software

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s November 2023 Security Update Guide and apply the necessary updates.

Kindly refer to the URL for more information: https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/11/14/microsoft-releases-november-2023-security-updates
• https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Microsoft software/products and Windows Operating Systems

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s October 2023 Security Update Guide and apply the necessary updates. Kindly refer to the following link:
https://msrc.microsoft.com/update-guide/releaseNote/2023-oct

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• October 2023 Security Updates - Release Notes - Security Update Guide - Microsoft
• Microsoft Releases October 2023 Security Updates | CISA

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
This release consists of the following 59 Microsoft CVEs:

We are republishing 7 non-Microsoft CVEs:

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s September 2023 Security Update Guide and apply the necessary updates.

Kindly refer to the following link: https://msrc.microsoft.com/update-guide/releaseNote/2023-Sep

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/09/12/microsoft-releases-september-2023-updates
• https://msrc.microsoft.com/update-guide/releaseNote/2023-Sep

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s August 2023 Security Update Guide and apply the necessary updates.

Kindly refer to the following URL for more information: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug
• https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-august-2023-security-updates

1.0 Introduction

A cyberespionage group known as APT29 or Midnight Blizzard has been launching phishing attacks against organizations, by using fake security messages via Microsoft Teams in an attempt to defeat Microsoft’s two-factor authentication (2FA) push notification method that relies on number matching. Based on Microsoft’s report, this campaign has affected fewer than 40 unique global organizations, likely indicate specific espionage objectives by this group directed at the government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

Midnight Blizzard is Microsoft’s newly designated name for APT29, also known in the security industry as Cozy Bear or NOBELIUM, was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide. This group was also responsible for attacks against many government institutions, diplomatic missions and military industrial base companies worldwide.

2.0 Impact
Post-compromise activity by the threat actor, typically involves information theft from the compromised Microsoft 365 tenant.

3.0 Techniques, Tactics and Procedures (TTPs)
In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After the threat actor attempted to authenticate to an account, where this form of MFA is required, the threat actor is then presented with a code that the targeted user would need to enter in their authenticator app on their smartphones. The targeted user receive the prompt for code entry on their device or smartphone. The threat actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device. The targeted users believe the message is unsuspiciously from Microsoft and enters the code given by the threat actor onto their devices or smartphones.

Step 1: Teams request to chat

The targeted user receive a Microsoft Teams message request from an external user masquerading as a Microsoft technical support or security team.

Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account

Step 2: Request authentication app action

If the targeted user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on targeted user’s mobile device.

Figure 2: A Microsoft Teams prompt with a code and instructions.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The threat actor then proceeds to conduct a post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organisation as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

4.0 Indicators of Compromise

Table 1: Indicators of Compromise (Malicious Domain names used in the attack)

Figure 3: Message sent by the threat actor

5.0 Recommendations
Microsoft recommends the following mitigations to reduce the risk of this threat:

• Pilot and start deploying phishing-resistant authentication methods for users.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
• Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
• Understand and select the best access settings for external collaboration for your organization.
• Allow only known devices that adhere to Microsoft’s recommended security baselines.
• Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
• Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and , and never share their account information or authorize sign-in requests over chat.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
• Always remember never to simply share credentials and personal information over the Internet.
• Report to relevant authorities or CERTs on detecting suspicious activities on the Internet or on your devices.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

• https://www.microsoft.com/en-us/security/blog/tag/midnight-blizzard-nobelium/
• https://www.csoonline.com/article/648626/russian-cyberspies-defeat-microsoft-number-matching-2fa-policy-with-fake-teams-messages.html
• https://aka.ms/threatintelblog

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software. The most serious of them is CVE-2023-36884, a remote code execution (RCE) bug in Office and Windows HTML, for which Microsoft did not have a patch for in the previous month's update. The company identified a threat group it is tracking, Storm-0978, as exploiting the flaw in a phishing campaign targeting government and defense organizations in North America and Europe.

Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system. Microsoft's July security update contains fixes for a whopping 130 unique vulnerabilities, five of which attackers are already actively exploiting in the wild.

Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.

The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.

3.0 Affected Products

4.0 Recommendations
Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s operations.

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Use Microsoft Defender for Office 365?for enhanced phishing protection and coverage against new threats and polymorphic variants.?Defender for Office 365 customers should ensure that Safe Attachments and Safe Links protection?is enabled for users with ?Zero-hour Auto Purge (ZAP)?to remove emails when a URL gets weaponized post-delivery.
• Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  • Block process creations originating from PsExec and WMI commands – Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI, including Impacket’s WMIexec.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block all Office applications from creating child processes

CVE-2023-36884 specific recommendations

• Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
• In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
• In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
• Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. 
  • No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached.
  • Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.

MyCERT encourages users and administrators to review Microsoft’s July 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URLs:

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
• https://msrc.microsoft.com/update-guide/deployments

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
• https://msrc.microsoft.com/update-guide/deployments
• Cybersecurity Alerts & Advisories | CISA
• Microsoft Discloses 5 Zero-Days in Voluminous July Security Update (darkreading.com)

1.0 Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments. 

2.0 Impact
In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment. The agency reported the activity to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data.

3.0 Technical Details
In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs. The MailItemsAccessed event is generated when licensed users access items in Exchange Online mailboxes using any connectivity protocol from any client. The FCEB agency deemed this activity suspicious because the observed AppId did not normally access mailbox items in their environment. The agency reported the activity to Microsoft and CISA.

Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts. The APT actors used a Microsoft account (MSA) consumer key to forge tokens to impersonate consumer and enterprise users. Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse. Microsoft determined that this activity was part of a campaign targeting multiple organizations (all of which have been notified by Microsoft). [1]

The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.

CISA and FBI are not aware of other audit logs or events that would have detected this activity. Critical infrastructure organizations are strongly urged to implement the logging recommendations in this advisory to enhance their cybersecurity posture and position themselves to detect similar malicious activity.

4.0 Recommendations
MyCERT strongly encourage critical infrastructure organizations to ensure audit logging is enabled.

In addition to enabling audit logging, MyCERT strongly encourage organizations to:

• Enable Purview Audit (Premium) logging. This logging requires licensing at the G5/E5 level. See Microsoft’s guidance on Assigning Microsoft 365 Licenses to Users for additional information.
• Ensure logs are searchable by operators. The relevant logs need to be accessible to operational teams in a platform (e.g., security operations center [SOC] tooling) that enables hunting for this activity and distinguishing it from expected behavior within the environment.
• Enable Microsoft 365 Unified Audit Logging (UAL). UAL should be enabled by default, but organizations are encouraged to validate these settings.
• Understand your organization’s cloud baseline. Organizations are encouraged to look for outliers and become familiar with baseline patterns to better understand abnormal versus normal traffic.

All mitigation actions for this activity are the responsibility of Microsoft due to the cloud-based infrastructure affected; however, MyCERT recommend that critical infrastructure organizations implement the following to harden their cloud environments. Although, these mitigations will not prevent this or related activity where actors leverage compromised consumer keys, they will reduce the impact of less sophisticated malicious activity targeting cloud environments.

• Separate administrator accounts from user accounts according to the National Institute of Standards and Technology’s (NIST’s) guidance, AC-5: Separation of Duties. Only allow designated administrator accounts to be used for administration purposes. If an individual user requires administrative rights over their workstation, use a separate account without administrative access to other hosts.
• Collect and store access and security logs for secure cloud access (SCA) solutions, endpoint solutions, cloud applications/platforms and security services, such as firewalls, data loss prevention systems, and intrusion detection systems.
• Use a telemetry hosting solution (e.g., SIEM solution) that aggregates logs and telemetry data to facilitate internal organization monitoring, auditing, alerting, and threat detection activities.
• Review contractual relationships with all Cloud Service Providers (CSPs) and ensure contracts include:
  • Security controls the customer deems appropriate.
  • Appropriate monitoring and logging of provider-managed customer systems.
  • Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
  • Notification of confirmed or suspected activity.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

Kindly refer to the following URL for more information: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
 

• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
• https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/
• https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/
• https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Microsoft software and products

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s June 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URLs:

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Jun
• https://msrc.microsoft.com/update-guide/deployments

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/06/13/microsoft-releases-june-2023-security-updates
• https://msrc.microsoft.com/update-guide/releaseNote/2023-Jun
• https://msrc.microsoft.com/update-guide/deployments

1.0 Introduction

Recently, a threat actor group tagged as “UNC3944” by cybersecurity firm Mandiant, which also known as Roasted 0ktapus and Scattered Spider has been reported to hijack by installing third-party remote management software in Microsoft Azure Virtual Machines (VMs) Serial Console targeting customer environments. In addition to avoiding all of the standard detection techniques used by Azure, this attack method also gave the attacker full administrative access to the VM. Unfortunately, cloud resources are frequently misunderstood, resulting in configuration errors that might expose these assets to attack. 

UNC3944 which also known as Roasted 0ktapus and Scattered Spider is a financially motivated threat actor which has been active since at least May 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts. Using Microsoft’s cloud computing infrastructure, their campaign aims to steal data from victimized organizations. The STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit for terminating security applications were formerly credited to UNC3944. The threat actors utilized stolen Microsoft hardware developer accounts to sign their kernel drivers.

2.0 Impact

• Attacker gain full access to the Azure VM.
• Export information about the users in the tenant.
• Gather information about the Azure environment configuration and the various VMs.
• Creating or modifying accounts.

3.0 Affected System and Devices

• Microsoft Azure Cloud VM environments

4.0 Technical Details

4.1 SIM Swapping Azure Admins

Initial access to the Azure administrator’s account is made possible by leveraging stolen credentials obtained through SMS phishing, a strategy used frequently by UNC3944. In order to induce help desk representatives to send a multi-factor reset code by SMS to the target’s phone number, the attackers next pretend to be the administrator when speaking with them.

However, the attacker had previously SIM-swapped the administrator’s number and ported it to their device, so they obtained the 2FA token without the victim being aware of the compromised. Mandiant has not yet discovered how the hackers carry out the SIM-swapping portion of their operation. However, prior instances have demonstrated that facilitating illegitimate number ports only requires knowing the target’s phone number and collaborating with dishonest telecom staff.

As soon as the attackers get access to the Azure environment of the targeted company, they use their administrator rights to gather data, make necessary changes to already-existing Azure accounts, or even create new ones.

Initial access diagram (Mandiant)
 

4.2 Living-off-the-Land (LotL) Tactic

In the subsequent phase of the attack, UNC3944 employs Azure Extensions to perform surveillance, collect data, disguise their malicious activities apparently innocent everyday task, and blend in with regular activity.

Azure Extensions are “add-on” features and services that may be included into an Azure Virtual Machine (VM) to enhance functionality, automate processes, etc. These extensions are stealthy and less suspicious because they are executed inside the VM and are frequently utilized for legal purpose.

The threat actor utilized “CollectGuestLogs”, one of the built-in Azure diagnostic extensions, to acquire log files from the compromised endpoint in this instance. Moreover, Mandiant has discovered evidence of the threat actor trying to misuse the following extra extensions:

Extensions the threat actor attempted to abuse (Mandiant)

4.3 Breaching VMs to Steal Data

After that, UNC3944 accesses the administrative console of VMs using Azure Serial Console and issues commands via a command prompt over the serial port. According to Mandiant’s assessment, the method of attack was unique in that it avoided many of the traditional detection methods employed with Azure and gave the attacker full administrative access to the VM.

Mandiant found that the first command the intruders run is “whoami” in order to identify the user who is presently signed in and obtain information necessary for more advanced exploitation. 

Using Azure Serial Console to gain access to a virtual machine (Mandiant)

The threat actors then install many commercially accessible remote administrator tools not mentioned in the study while enhancing their persistence on the VM via PowerShell.

Several commercially available remote administration tools are frequently deployed by the attacker using PowerShell in order to maintain presence on the VM, according to a Mandiant analysis.

UNC3944’s next move is to build a reverse SSH tunnel to their C2 server in order to maintain covert and ongoing access via a secure channel and get beyond network limitations and security measures.

To enable a direct access to an Azure VM using Remote Desktop, the attacker configures the reverse tunnel with port forwarding. For instance, any incoming connection to the distant machine’s port 12345 would be routed to the local host’s distant Desktop Protocol Service Port or port 3389.

After gaining access to the affected Azure VM via the reverse shell with the help of a compromised user account, the attackers only then move to take over more of the compromised environment while stealing data.

5.0 Recommendations
MyCERT recommends users and administrators to follow the security best practices as recommended by Microsoft for Azure Virtual Environments as follows:

• Enable Microsoft Defender for Cloud.
• Improve your Secure Score.
• Require multi-factor authentication.
• Enable Conditional Access.
• Collect audit logs.
• Use RemoteApps.
• Monitor usage with Azure Monitor.
• Encrypt your VM.

You may refer to the full guide here; https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

• https://www.darkreading.com/endpoint/mechanics-of-a-crypto-heist-how-sim-swappers-can-steal-cryptocurrency
• https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
• https://thehackernews.com/2023/05/threat-group-unc3944-abusing-azure.html
• https://cyware.com/news/unc3944-threat-group-uses-azure-built-in-tools-to-abuse-azure-vms-d7d3d66f
• https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-console-for-stealthy-access-to-vms/
• https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software. 

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Windows, 10, 11 and Windows Server Operating systems. Users of Windows 7, Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates.

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s May 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the URLs below:

• https://msrc.microsoft.com/update-guide/releaseNote/2023-May
• https://msrc.microsoft.com/update-guide/deployments

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/05/09/microsoft-releases-may-2023-security-updates
• https://msrc.microsoft.com/update-guide/releaseNote/2023-May
• https://msrc.microsoft.com/update-guide/deployments