A financially motivated group of attackers, tracked by Mandiant specialists under the identifier UNC3944, uses phishing attacks and SIM swapping to compromise Microsoft Azure administrator accounts and gain access to virtual machines.
Mandiant reports that the UNC3944 group has been active since May 2022, and its malicious campaigns are usually aimed at stealing data from organizations that use Microsoft's cloud computing service.
Initial access to the Azure administrator account is obtained with stolen credentials harvested through SMS phishing (smishing), a tactic already familiar from earlier UNC3944 activity.
The attackers then contact Azure support agents, impersonating the target organization's administrator, in order to trick support staff into sending an SMS verification code to that administrator's phone number.
What the support agents do not know is that the hackers have already carried out a SIM swap and taken control of the administrator's number. As a result, the scammers receive the SMS code they need, while the real administrator never realizes that an outsider has been granted access to the system.
Mandiant has yet to determine exactly how the hackers perform the SIM swap in this fraudulent scheme; however, previous cases show that to transfer a number illegally it is enough to know the victim's phone number and have an arrangement with dishonest employees of the telecom carrier.
Figure: scheme of access to the Azure environment
Once the attackers have established a foothold in the target organization's Azure environment, they use their administrator rights to gather information and to modify existing Azure accounts (as needed) or create new ones.
In the next stage, UNC3944 uses Azure extensions to carry out reconnaissance and information gathering, disguising their malicious operations as seemingly harmless routine tasks and blending them in with normal activity.
Azure extensions are “add-on” features and services that can be integrated into an Azure virtual machine to extend its capabilities, automate tasks, and so on. Because these extensions run inside the virtual machine and are usually used for legitimate purposes, they almost never raise suspicion.
In the malicious campaign Mandiant investigated, the attackers abused Azure's built-in diagnostic extensions, such as “CollectGuestLogs”, which the hackers used to collect log files from a compromised endpoint. In addition, Mandiant found evidence that the hackers tried to abuse other extensions: Azure Network Watcher, Guest Agent Automatic Log Collection, VMSnapshot, and Guest Configuration.
Next, UNC3944 used the Azure Serial Console to access virtual machines and run malicious commands through the serial port.
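The extension and serial-console activity described above leaves a trail in the subscription's activity log, which is where a defender would look for it. The following triage script is an added example, not part of the article or of Mandiant's report: it reads constructed records that approximate Azure Activity Log entries in simplified form (the field layout, the sample callers, resource ids and timestamps are all assumptions), flags deployments of the extension families named in the article, flags Serial Console activity, and raises the severity when the same identity granted a role assignment shortly beforehand, matching the account-manipulation step the article describes. The `Microsoft.Compute/virtualMachines/extensions/write` and `Microsoft.Authorization/roleAssignments/write` operation names are real Azure operations; the `Microsoft.SerialConsole/` resource-provider prefix used to recognise console sessions is an assumption.

```python
"""Triage helper for the Azure extension-abuse / serial-console pattern.

Added, illustrative example. The records below are constructed to mimic
Azure Activity Log entries in simplified form; the field names are an
approximation, not the exact Azure schema.
"""
import json
from datetime import datetime, timedelta

# Extension families the article reports as abused, normalised to
# lowercase with dots and hyphens removed so vendor-prefixed names match.
WATCHED_EXTENSIONS = ("collectguestlogs", "networkwatcher", "vmsnapshot",
                      "guestconfiguration", "logcollection")

# Real Azure operation name for deploying or updating a VM extension.
EXTENSION_WRITE = "microsoft.compute/virtualmachines/extensions/write"
# Real Azure operation name for granting an RBAC role.
ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"
# Resource-provider prefix used here to recognise Serial Console activity (assumption).
SERIAL_CONSOLE_PREFIX = "microsoft.serialconsole/"

# Constructed subscription / resource-group path used by the sample records.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-finance"
VM = SUB + "/providers/Microsoft.Compute/virtualMachines/"

# Constructed sample activity log, one JSON object per line (not real data).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2023-05-16T09:58:00+00:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/1111"},
    {"time": "2023-05-16T10:05:00+00:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": VM + "vm-finance-01/extensions/CollectGuestLogs"},
    {"time": "2023-05-16T10:20:00+00:00", "caller": "ops-bot@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": VM + "vm-web-02/extensions/Microsoft.Azure.NetworkWatcher"},
    {"time": "2023-05-16T10:30:00+00:00", "caller": "ops-bot@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": VM + "vm-web-02/extensions/MonitoringAgent"},
    {"time": "2023-05-16T10:45:00+00:00", "caller": "admin@contoso.example",
     "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "resourceId": VM + "vm-finance-01/providers/Microsoft.SerialConsole/serialPorts/0"},
])


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _norm(name):
    """Normalise an extension name so 'Microsoft.Azure.NetworkWatcher' matches 'networkwatcher'."""
    return name.lower().replace(".", "").replace("-", "")


def vm_name(resource_id):
    """Return the VM name from a resource id, or None if no virtualMachines segment exists."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "virtualmachines" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def flag_events(records, window=timedelta(hours=2)):
    """Return findings for watched extension deployments and Serial Console use.

    Severity is raised to 'high' when the caller granted a role assignment
    within `window` before touching the VM, mirroring the account-manipulation
    step that precedes extension abuse in the described campaign.
    """
    findings = []
    last_role_grant = {}  # caller -> timestamp of most recent role assignment write
    for rec in sorted(records, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        op = rec["operationName"].lower()
        caller, rid = rec["caller"], rec["resourceId"]
        if op == ROLE_ASSIGNMENT_WRITE:
            last_role_grant[caller] = ts
            continue
        recent_grant = caller in last_role_grant and ts - last_role_grant[caller] <= window
        if op == EXTENSION_WRITE:
            ext = rid.rsplit("/", 1)[-1]
            if any(w in _norm(ext) for w in WATCHED_EXTENSIONS):
                findings.append({"caller": caller, "kind": "extension-deploy",
                                 "vm": vm_name(rid), "detail": ext,
                                 "severity": "high" if recent_grant else "medium"})
        elif op.startswith(SERIAL_CONSOLE_PREFIX):
            # Interactive console access to a VM is always worth an analyst's eyes.
            findings.append({"caller": caller, "kind": "serial-console",
                             "vm": vm_name(rid), "detail": rec["operationName"],
                             "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in flag_events(parse_records(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['kind']:17} {f['vm']:14} {f['caller']}  ({f['detail']})")
```

On the sample data the script flags the CollectGuestLogs deployment as high (the same identity wrote a role assignment seven minutes earlier), the Network Watcher deployment by a different identity as medium, and the Serial Console connection as high, while leaving the unwatched MonitoringAgent deployment alone. In a real environment the name watchlist is the weakest part of the logic: a baseline of which identities normally deploy which extensions, and an alert on any deployment outside that baseline, generalises better than matching the specific names from one report.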