UNC3944 utilises Azure Built-in Tools to compromise Azure VMs

June 2, 2023
UNC3944 Microsoft Azure Compromised Accounts VMs Phishing Sim-Swapping Cloud Computing

UNC3944, a financially motivated cybercriminal group, is currently conducting a phishing and SIM-swapping campaign against Microsoft Azure cloud services. The campaign's objective is to take over Microsoft Azure administrator accounts and gain access to virtual machines.

Based on reports, the group is an alleged affiliate of the STONESTOP and POORTRY cybercriminal operation. Earlier attacks leveraged Microsoft-certified drivers to infect targets. In its latest campaign, however, the group could abuse the Azure Serial Console to install remote management software and establish persistence. In addition, it has adopted Azure Extensions to gain a covert surveillance capability.

The actors used these capabilities to potentially steal information from infected organisations and to utilise Microsoft's cloud computing service for further malicious campaigns.

UNC3944 could only gain initial access after a successful SMS phishing attack.

According to investigations, UNC3944 acquired initial access to an Azure administrator account by leveraging credentials stolen in an initial phishing campaign.

The actors contact a targeted organisation's help desk agents and pose as an administrator in order to deceive the help desk into sending an MFA code via SMS to an attacker-controlled phone number.

The authentication code allows the actors to access the targeted firm's Azure environment and use escalated privileges to gather data, alter Azure accounts, or create new ones.

Subsequently, UNC3944 utilises Azure Extensions to run spyware-like capabilities and harvest information. The attackers could also evade detection by making this activity resemble routine administrative tasks.

Furthermore, the threat group leveraged the default Azure diagnostic extension to collect log files from the breached endpoint. They could also abuse other Azure extensions, such as VMSnapshot, Azure Network Watcher, Guest Configuration, and Guest Agent Automatic Log Collection.

Finally, UNC3944 abuses the Azure Serial Console to acquire administrative console access to the VMs and run commands over the serial port.

The threat group has shown itself to be a sophisticated actor capable of using built-in tools to bypass security detections.

Cybersecurity experts recommend that organisations restrict access to remote administration channels on all Azure services to limit their exposure. Lastly, firms should use authenticator-app-based MFA rather than SMS-based MFA.
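As an added, defender-side example that is not part of the original report: the following Python triages Azure Activity Log records for the two techniques described above, deployment of the named extensions and Serial Console connections, and escalates any caller who does both within a day. The operation names and extension instance names are assumptions drawn from Azure documentation, and the log records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity Log operation names (assumed) that the two techniques generate.
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
# Extension instance names (assumed) for the extensions the article names.
WATCHED_EXTENSIONS = {
    "IaaSDiagnostics",             # Azure diagnostic extension
    "VMSnapshot",
    "NetworkWatcherAgentWindows",  # Azure Network Watcher
    "ConfigurationforWindows",     # Guest Configuration
}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def flag_events(events, window=timedelta(hours=24)):
    """Return one alert per suspicious record. A caller seen using both
    techniques within `window` is escalated from 'medium' to 'high'."""
    hits = []
    for ev in events:
        op, rid = ev["operationName"], ev["resourceId"]
        ext = rid.rsplit("/", 1)[-1]  # last path segment = extension name
        if op == SERIAL_CONSOLE_CONNECT:
            tech = "serial-console"
        elif op == EXTENSION_WRITE and ext in WATCHED_EXTENSIONS:
            tech = "extension:" + ext
        else:
            continue
        hits.append({"caller": ev["caller"], "time": _ts(ev["eventTimestamp"]),
                     "technique": tech, "resource": rid})
    by_caller = defaultdict(list)
    for h in hits:
        by_caller[h["caller"]].append(h)
    for h in hits:  # correlate across technique families per caller
        fam = h["technique"].split(":")[0]
        paired = [o for o in by_caller[h["caller"]]
                  if o["technique"].split(":")[0] != fam
                  and abs(o["time"] - h["time"]) <= window]
        h["severity"] = "high" if paired else "medium"
    return hits

# Constructed records, not real telemetry; placeholder subscription and callers.
VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
      "/providers/Microsoft.Compute/virtualMachines/vm1")
SAMPLE_EVENTS = [
    {"caller": "reset-victim@example.invalid", "operationName": EXTENSION_WRITE,
     "resourceId": VM + "/extensions/VMSnapshot", "eventTimestamp": "2023-05-30T10:00:00Z"},
    {"caller": "reset-victim@example.invalid", "operationName": SERIAL_CONSOLE_CONNECT,
     "resourceId": VM + "/providers/Microsoft.SerialConsole/serialPorts/0", "eventTimestamp": "2023-05-30T10:30:00Z"},
    {"caller": "ops@example.invalid", "operationName": EXTENSION_WRITE,
     "resourceId": VM + "/extensions/AzureMonitorWindowsAgent", "eventTimestamp": "2023-05-30T11:00:00Z"},
    {"caller": "ops@example.invalid", "operationName": SERIAL_CONSOLE_CONNECT,
     "resourceId": VM + "/providers/Microsoft.SerialConsole/serialPorts/0", "eventTimestamp": "2023-05-30T12:00:00Z"},
]

if __name__ == "__main__":
    for a in flag_events(SAMPLE_EVENTS):
        print(a["severity"], a["caller"], a["technique"])
```

The rule is deliberately noisy on lone Serial Console connections, since the article's recommendation is to restrict that channel; tune the window and watched names to your tenant.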
