Cybersecurity researchers from Mandiant have uncovered a hacking collective with extensive knowledge of the Azure environment, using phishing and SIM-swapping techniques to infiltrate virtual machines and exfiltrate sensitive data.
In its report, Mandiant says it is tracking the group as "UNC3944", claiming it's been active since at least May 2022.
First, the group would run SMS phishing attacks in order to obtain the passwords for Microsoft Azure admin accounts. After that, they would run a SIM-swapping attack, gaining the ability to receive multi-factor authentication (MFA) codes through SMS. Mandiant isn't sure exactly how the group SIM-swaps, but says that "knowing the target's phone number and conspiring with unscrupulous telecom employees is enough to facilitate illicit number ports".
Then, the group would impersonate the administrator and reach out to help desk agents in order to receive the MFA code and use it to access the target's Azure environment. Once inside, they'd gather information, modify existing Azure accounts, or create new ones, depending on who they compromised and what the goal at that moment is.
The next step was to use Azure Extensions add-ons to hide as they gather as much data as possible, and Azure Serial Console to gain admin console access to VMs and run commands over the serial port.
"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," Mandiant said in its report.
After that, the group does a number of additional moves to remain on the network, and to keep stealthy, as they identify and exfiltrate as much sensitive data as they can.
UNC3944 demonstrated a "deep understanding" of the Azure environment, Mandiant said, noting this level of technical know-how, combined with high-level social engineering skills, makes this malicious group quite dangerous.