Caute_cautim
Community Champion

Hackers use Azure Serial Console for stealthy access to VMs

Hi All

 

Isn't it about time Microsoft and Azure got serious about security within their cloud environments?

A financially motivated cyber-gang tracked by Mandiant as 'UNC3944' is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.

 

https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-console-for-stealthy-access-...

 

Regards

 

Caute_Cautim
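Added example, not from the original post or the linked article: a small Python check a defender could run over an Azure Activity Log export to surface serial-console connections to VMs, which is the access path the headline describes. The log records, the operation name `Microsoft.SerialConsole/serialPorts/connect/action` and the approved-user list are my assumptions, not values taken from this page.

```python
import json

# Constructed Azure Activity Log export (JSON lines) for illustration only;
# field names follow the Activity Log schema, all values are made up.
SAMPLE_ACTIVITY_LOG = """
{"eventTimestamp": "2023-05-16T01:12:40Z", "operationName": "Microsoft.Compute/virtualMachines/start/action", "caller": "ops@example.com", "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2023-05-16T02:03:11Z", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "caller": "admin@example.com", "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2023-05-16T02:05:58Z", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "caller": "admin@example.com", "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db01"}
{"eventTimestamp": "2023-05-16T09:30:00Z", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "caller": "breakglass@example.com", "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"}
"""

# Operation name to alert on; assumption: this is what the Activity Log records
# when someone opens a VM's serial console. Compared case-insensitively.
SERIAL_CONSOLE_OP = "microsoft.serialconsole/serialports/connect/action"

# Identities expected to use the serial console at all (assumption: break-glass only).
APPROVED_CONSOLE_USERS = {"breakglass@example.com"}

def parse_activity_log(text):
    """Parse a JSON-lines Activity Log export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def vm_name(resource_id):
    """The last segment of an ARM resource id is the VM name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def find_serial_console_connects(records):
    """Every serial-console connect, oldest first, flagged if the caller is unapproved."""
    hits = []
    for rec in records:
        if rec.get("operationName", "").lower() != SERIAL_CONSOLE_OP:
            continue
        hits.append({"time": rec["eventTimestamp"], "caller": rec["caller"],
                     "vm": vm_name(rec["resourceId"]),
                     "unexpected": rec["caller"] not in APPROVED_CONSOLE_USERS})
    return sorted(hits, key=lambda h: h["time"])

def unexpected_callers(hits):
    """Map each unapproved caller to the set of VMs reached through the serial console."""
    out = {}
    for hit in hits:
        if hit["unexpected"]:
            out.setdefault(hit["caller"], set()).add(hit["vm"])
    return out

if __name__ == "__main__":
    hits = find_serial_console_connects(parse_activity_log(SAMPLE_ACTIVITY_LOG))
    for caller, vms in unexpected_callers(hits).items():
        print(f"ALERT: {caller} opened the serial console on {sorted(vms)}")
```

In a real tenant the same check belongs in the SIEM as a scheduled query, with the approved list driven by the break-glass procedure rather than a hard-coded set.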

 

 

5 Replies
JKWiniger
Community Champion

When SIM swapping comes into play I don't think many services will stand up to an attack. I believe even suspicious login attempts are gotten around with the MFA verification. The real answer here is that companies should require their admins to use hardware keys. Taking the SIM out of the equation takes the risk out....

 

 

John-

Caute_cautim
Community Champion

@JKWiniger   The question then is: will they mandate such controls or update their procedures to ensure potential risk is mitigated, or will laziness pervade?

 

Regards

 

Caute_Cautim

JKWiniger
Community Champion

@Caute_cautim I have found that I seem to live in my own little bubble of rainbows, lollipops, and updated policies!! I have no idea if I am the only one who gets frustrated over the fact that we tell people what they need to do but nope! I guess it's why I feel like security still sits at the kids' table...

 

John-

denbesten
Community Champion


@Caute_cautim wrote:

SIM swapping attacks


Yes, we need to be disabling SMS/voice MFA, just as NIST advises, and not just for admin accounts.  Most every SAML offering I have encountered offers stronger alternatives, such as TOTP, push-notification, passkeys etc. and the option to disable SMS in our own SAML IdP instances. The part I do not understand is why the SAML-as-a-service providers have not yet made SMS disabled-by-default.

 

That said, we need to be careful to not vilify SMS too strongly because the true enemy is plain passwords, holding about 90% of the authentication "market share".  Here is an interesting article that makes that point.

 

Twitter provides an interesting use case.  Last month they discontinued SMS for 95% of their users. Prior to the change Twitter reported the following stats.  It will be interesting to see how they change in the next report (if it does not fall victim to the "chaos" occurring within Twitter).

 

 

2FA Usage

2.6%  - Percentage of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.

 

Types of 2FA

SMS: 74.4%
Auth App: 28.9%
Security Key: 0.5%
Breakdown of 2FA methods by percentage of accounts that have each enabled (Note: accounts can enable multiple 2FA methods)

kfarhan
Newcomer I

Phishing has been a greater challenge for all organizations. The compromise of admin credentials would bring a huge impact on the organization. Hardware tokens would be one way to mitigate the risk, and what is most important is awareness of the privileged users. They should be given role-based training frequently so they better understand the risk of holding admin-level credentials and of being the favorite target of cybercriminals; therefore, they must remain vigilant and not fall for social engineering attacks.

 

Further, the organization should use a Privileged Access Management system with auto-rotation of admin credentials after every few hours to further mitigate the risk of compromised credentials.