Microsoft Azure Users Targeted by Phishing Attacks to Compromise Virtual Machines

UNC3944 initiates its attack by conducting SMS phishing campaigns to obtain the passwords of Microsoft Azure admin accounts. Subsequently, they employ SIM-swapping methods to gain control over the target’s mobile device, allowing them to intercept multi-factor authentication (MFA) codes sent via SMS. While the exact approach used for SIM-swapping remains unknown, Mandiant suggests that collaboration with unscrupulous telecom employees and possession of the target’s phone number are sufficient for illicit number ports.

Once armed with the admin credentials and MFA codes, the group assumes the identity of the administrator and contacts help desk agents to request the MFA code. With access granted, UNC3944 proceeds to infiltrate the Azure environment, gathering information, modifying existing accounts, or creating new ones depending on their objectives. They leverage Azure Extensions add-ons to conceal their presence while collecting as much data as possible and exploit Azure Serial Console to gain administrative access to virtual machines and execute commands via the serial port.
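The two Azure actions named above, extension installation and Serial Console access, both leave records in the Azure Activity Log, so a defender can watch for them. The following is an added detection example, not code from the article or from Mandiant; the operation names are taken from Azure's resource-provider documentation rather than this page, the log records are constructed, and `allowed_ips` stands in for whatever administrative source allow-list an organization maintains.

```python
import json
from collections import defaultdict

# Activity Log operation names for the two actions the article describes.
# Assumed from Azure resource-provider documentation, not from the article.
SERIAL_CONNECT = "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"
EXTENSION_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
WATCHED = {SERIAL_CONNECT: "serial console session opened",
           EXTENSION_WRITE: "VM extension created or updated"}

def vm_of(resource_id):
    """Return the VM name from a VM, VM-extension or serial-port resource id."""
    parts = resource_id.split("/")
    return parts[parts.index("virtualMachines") + 1]

def flag_events(records, allowed_ips):
    """One alert per watched operation from a caller IP outside allowed_ips.
    Severity is raised to 'high' when the same VM sees both an extension write
    and a serial-console connect, the pairing the article attributes to UNC3944."""
    alerts, ops_per_vm = [], defaultdict(set)
    for rec in records:
        op = rec["operationName"].upper()
        if op not in WATCHED or rec["callerIpAddress"] in allowed_ips:
            continue
        vm = vm_of(rec["resourceId"])
        ops_per_vm[vm].add(op)
        alerts.append({"time": rec["eventTimestamp"], "caller": rec["caller"],
                       "ip": rec["callerIpAddress"], "vm": vm,
                       "reason": WATCHED[op], "severity": "medium"})
    for a in alerts:
        if ops_per_vm[a["vm"]] == set(WATCHED):
            a["severity"] = "high"
    return alerts

# Constructed sample records (a field subset of the Activity Log schema).
SAMPLE_LOG = json.loads("""[
 {"eventTimestamp":"2023-05-16T10:02:11Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write",
  "caller":"admin@example.com","callerIpAddress":"203.0.113.7",
  "resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScript"},
 {"eventTimestamp":"2023-05-16T10:09:40Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action",
  "caller":"admin@example.com","callerIpAddress":"203.0.113.7",
  "resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/providers/Microsoft.SerialConsole/serialPorts/0"},
 {"eventTimestamp":"2023-05-16T11:00:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write",
  "caller":"ops@example.com","callerIpAddress":"198.51.100.2",
  "resourceId":"/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/db01/extensions/AzureMonitor"}
]""")

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_LOG, allowed_ips={"198.51.100.2"}):
        print(alert)
```

In production the same logic would run over Activity Log records exported to a SIEM, and the IP allow-list would be replaced or supplemented by the identity signals (MFA method changes, new help-desk resets) that precede this stage of the intrusion.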