Cybersecurity researchers at Mandiant have detailed the activities of a financially motivated threat group tracked as UNC3944, which gains initial access to Microsoft Azure tenants through SMS phishing and SIM swapping. The group, active since at least May 2022, has a strong working knowledge of Azure and uses built-in platform features to reach virtual machines and extract sensitive data.
UNC3944 starts by running SMS phishing campaigns to harvest the passwords of Microsoft Azure administrator accounts. It then SIM-swaps the administrator's mobile number so that multi-factor authentication (MFA) codes sent via SMS are delivered to a device the attacker controls. How the SIM swaps are carried out is not known, but Mandiant notes that the target's phone number plus the cooperation of an unscrupulous telecom employee is all that an illicit number port requires.
Holding the admin password and the phone number, the group then impersonates the administrator in calls to help desk agents and asks for an MFA reset; the verification code the help desk sends to the number of record lands with the attacker, and the account is theirs. Inside the Azure environment, UNC3944 gathers information, modifies existing accounts or creates new ones depending on its objectives. It abuses built-in Azure VM extensions for reconnaissance, since these run as legitimate diagnostic tooling and draw little scrutiny while collecting as much data as possible, and it uses the Azure Serial Console to obtain an administrative console on virtual machines and execute commands through the serial port.
Mandiant emphasizes that this methodology is unusual because it sidesteps many of the traditional detection mechanisms used within Azure: the serial console is reached through the Azure management plane rather than the guest's network interfaces, so host firewalls and network monitoring on the VM never see the session, yet the attacker ends up with full administrative control of the compromised machines. To maintain persistence and maximize data exfiltration, UNC3944 employs additional techniques that again demonstrate a deep understanding of the Azure environment. This combination of technical expertise and advanced social engineering makes the group a significant threat.
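Because the serial console and VM extension activity described above is invisible to the guest OS, the place to catch it is the Azure Activity Log (management-plane audit). The following detection script is an added example written for this page, not code from Mandiant or the original article. It assumes a simplified newline-delimited JSON export with the fields eventTimestamp, operationName, caller, resourceId and status (real exports carry more fields and some nesting, so adjust the accessors), uses the real operation names for serial console connects and VM extension writes, and also watches the related Run Command operation, which the article does not mention but which offers the same kind of guest access. The sample records are constructed.

```python
"""Hunt for Azure Serial Console and VM-extension abuse in an Activity Log export.

Added example; assumes a simplified Activity Log export format (see lead-in).
"""
import json
from datetime import datetime, timedelta

# Activity Log operation names. Exports upper-case them; we compare upper-cased.
SERIAL_CONSOLE_CONNECT = "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
VM_EXTENSION_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
VM_RUN_COMMAND = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"  # related, not from the article
WATCHED = {SERIAL_CONSOLE_CONNECT, VM_EXTENSION_WRITE, VM_RUN_COMMAND}

# Constructed sample export (not real telemetry). Subscription/resource names are made up.
SAMPLE_EXPORT = """\
{"eventTimestamp": "2023-05-16T02:10:05Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "caller": "ops@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01", "status": "Succeeded"}
{"eventTimestamp": "2023-05-16T02:41:17Z", "operationName": "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION", "caller": "admin@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/providers/Microsoft.SerialConsole/serialPorts/0", "status": "Succeeded"}
{"eventTimestamp": "2023-05-16T02:49:52Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "caller": "admin@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/extensions/CollectGuestLogs", "status": "Succeeded"}
{"eventTimestamp": "2023-05-16T09:15:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "caller": "ops@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01/extensions/AzureMonitorLinuxAgent", "status": "Succeeded"}
"""


def vm_name(resource_id):
    """Return the VM name from any resourceId that passes through .../virtualMachines/<name>/..."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "virtualmachines" and i + 1 < len(parts):
            return parts[i + 1].lower()
    return None


def parse_export(text):
    """Parse newline-delimited JSON records into normalized dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        records.append({
            "ts": datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00")),
            "op": rec["operationName"].upper(),
            "caller": rec["caller"].lower(),
            "vm": vm_name(rec["resourceId"]),
            "status": rec["status"],
        })
    return sorted(records, key=lambda r: r["ts"])


def watched_events(records):
    """Every successful guest-access operation, regardless of who performed it."""
    return [r for r in records if r["op"] in WATCHED and r["status"] == "Succeeded"]


def serial_console_chains(records, window=timedelta(hours=2)):
    """Pair a serial-console connect with a later extension write or run-command on the
    same VM by the same caller within `window`; this is the sequence the report describes."""
    connects = [r for r in records if r["op"] == SERIAL_CONSOLE_CONNECT and r["status"] == "Succeeded"]
    followups = [r for r in records if r["op"] in (VM_EXTENSION_WRITE, VM_RUN_COMMAND) and r["status"] == "Succeeded"]
    chains = []
    for c in connects:
        for f in followups:
            if f["caller"] == c["caller"] and f["vm"] == c["vm"] and c["ts"] <= f["ts"] <= c["ts"] + window:
                chains.append((c["caller"], c["vm"], c["ts"], f["op"], f["ts"]))
    return chains


def new_callers(records, baseline):
    """Identities performing watched operations that have no history of doing so.
    A freshly SIM-swapped admin account is a 'new' caller for these operations."""
    return sorted({r["caller"] for r in watched_events(records) if r["caller"] not in baseline})


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for chain in serial_console_chains(recs):
        print("serial console -> guest access chain:", chain)
    print("first-seen callers:", new_callers(recs, {"ops@example.com"}))
```

Run against a real export, the extension write by ops@example.com is the everyday noise you want to tolerate, while the connect-then-extension sequence by a caller with no history of such operations is the signal. In Azure Monitor the same two rules translate directly to KQL over the AzureActivity table; the Python form is here so the logic can be checked offline.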
Organizations using Microsoft Azure should treat each link of this chain as a control point: move administrators off SMS-based MFA to phishing-resistant methods, require help desk agents to verify identity before resetting MFA, restrict or disable the Serial Console and VM extension deployment where they are not needed, and alert on their use. Educating users about phishing and SIM swapping still matters, but proactive monitoring of management-plane activity is what surfaces this intrusion pattern early enough to contain it and protect the data held in the Azure environment.