"Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover"

Mandiant has observed a financially motivated threat actor abusing the Microsoft Azure Serial Console on Virtual Machines (VMs) to install third-party remote management tools in compromised environments. Mandiant attributes the activity to a threat group it tracks as UNC3944, also known as Roasted 0ktapus and Scattered Spider. According to Mandiant researchers, this attack method is unique because it circumvented many of the traditional Azure detection methods and granted the attacker full administrative access to the VM. The adversary, which first emerged late last year, has been known since at least May 2022 to use SIM-swapping attacks to breach telecommunications and Business Process Outsourcing (BPO) companies. Mandiant later discovered UNC3944 using a loader named STONESTOP to install a malicious signed driver called POORTRY, which is designed to terminate processes associated with security software and delete files as part of a Bring Your Own Vulnerable Driver (BYOVD) attack. This article continues to discuss the abuse of the Microsoft Azure Serial Console on VMs by the threat group UNC3944.

THN reports "Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover"
