A financially motivated cybercriminal group known as UNC3944 has been tracked by Mandiant for its use of phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain unauthorized access to virtual machines.
Furthermore, the attackers exploit the Azure Serial Console and Azure Extensions to establish persistence and conduct surveillance within victim organizations using Microsoft’s cloud computing service. UNC3944, active since May 2022, aims to steal data from targeted entities and has previously been associated with the creation of malicious toolkits to disable security software.
In their attack methodology, UNC3944 gains initial access to Azure administrator accounts using credentials stolen through SMS phishing. They then carry out SIM swapping by porting the victim’s phone number to a device they control, so that multi-factor reset codes reach the attackers without the victim’s knowledge. With administrator privileges, the threat actors gather information, modify accounts, and create new ones within the Azure environment.
To evade detection, they employ “Living off the Land” tactics by leveraging Azure Extensions, which appear innocuous and blend with regular activity.
UNC3944 breaches virtual machines (VMs) to steal data by utilizing the Azure Serial Console, which grants administrative console access and the ability to run commands on the VM.
By deploying PowerShell and commercially available remote administration tools, the attackers enhance persistence and maintain remote access without triggering alerts.
They establish a reverse SSH tunnel to their command-and-control (C2) server, creating a secure channel for ongoing access and bypassing network restrictions. The compromised user credentials are then used to log into the VM via a reverse shell, expanding control within the breached environment and exfiltrating data.
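The sequence above (privilege changes, Azure Serial Console access, extension deployment) leaves a trail in the Azure Activity Log. The following detection is an added example written for this summary, not code from Mandiant's report: it runs over a few constructed Activity Log records (invented values; field and operation names follow the Activity Log export schema as I understand it) and flags serial-console connects and non-allowlisted extension writes, escalating when the same caller changed role assignments shortly before. The extension allowlist is an assumption to tune per environment.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real data). Field names mirror the Azure
# Activity Log export schema; subscription id is a placeholder.
SAMPLE_LOG = """
{"time": "2023-05-16T09:02:00Z", "caller": "admin@example.test", "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceId": "/subscriptions/SUB-PLACEHOLDER"}
{"time": "2023-05-16T09:40:00Z", "caller": "admin@example.test", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01"}
{"time": "2023-05-16T09:55:00Z", "caller": "admin@example.test", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01/extensions/CustomScript"}
{"time": "2023-05-16T14:00:00Z", "caller": "ops@example.test", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-02/extensions/AzureMonitorLinuxAgent"}
"""

SERIAL_CONSOLE_OP = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"
PRIV_CHANGE_OPS = {"Microsoft.Authorization/roleAssignments/write"}
# Extensions this (assumed) environment deploys on purpose; tune per tenant.
EXPECTED_EXTENSIONS = {"AzureMonitorLinuxAgent", "AzureMonitorWindowsAgent"}

def parse_log(text):
    """Parse JSON-lines Activity Log records and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def triage(events, window=timedelta(hours=2)):
    """Flag serial-console use and unexpected extension deploys; severity is
    'high' when the same caller changed privileges within `window` before."""
    priv_changes = [e for e in events if e["operationName"] in PRIV_CHANGE_OPS]
    findings = []
    for e in events:
        op = e["operationName"]
        if op == SERIAL_CONSOLE_OP:
            reason = "Azure Serial Console connect"
        elif op == EXTENSION_WRITE_OP:
            ext = e["resourceId"].rsplit("/", 1)[-1]
            if ext in EXPECTED_EXTENSIONS:
                continue  # routinely deployed extension, not worth an alert
            reason = f"unexpected extension deployed: {ext}"
        else:
            continue
        recent = any(p["caller"] == e["caller"]
                     and timedelta(0) <= e["ts"] - p["ts"] <= window
                     for p in priv_changes)
        vm = e["resourceId"].split("/extensions/")[0].rsplit("/", 1)[-1]
        findings.append({"caller": e["caller"], "vm": vm, "reason": reason,
                         "severity": "high" if recent else "medium"})
    return findings

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```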
Mandiant’s report highlights UNC3944’s deep understanding of Azure and their ability to exploit built-in tools to evade detection. The group’s combination of technical expertise and social engineering skills for SIM swapping poses a significant risk.
Organizations must improve their understanding of cloud technologies and implement stronger security measures beyond SMS-based multi-factor authentication to mitigate such threats effectively.