Microsoft Azure accounts are being attacked by a financially motivated cybergang that goes by the name ‘UNC3944’.
Mandiant, a cybersecurity organization, actively monitors this group, which uses phishing and SIM swapping attacks to compromise Microsoft Azure administrator accounts and gain unauthorized access to virtual machines.
Once inside, the attackers use the Azure Serial Console to install remote management software and establish persistence. They also use Azure Extensions to conduct covert surveillance without arousing suspicion.
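A defender's view of the sequence described above, added here as an example and not taken from Mandiant's report: it scans Azure Activity Log records for a Serial Console connection followed shortly by an extension write on the same VM by the same caller. The operation names and the sample records are assumptions constructed for this illustration; confirm the names against your own tenant's logs.

```python
import json
from datetime import datetime, timedelta

# Activity Log operation names for the two techniques described above.
# Assumed here; verify against the operationName values your tenant emits.
SERIAL_CONSOLE_OP = "Microsoft.SerialConsole/serialPorts/connect/action"
EXTENSION_WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"

# Constructed sample records in the shape of exported Activity Log JSON lines.
SAMPLE_LOG = """
{"time":"2023-05-16T10:01:00Z","operationName":"Microsoft.Compute/virtualMachines/start/action","caller":"ops@example.com","resourceId":"/subscriptions/S1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01","resultType":"Success"}
{"time":"2023-05-16T10:05:00Z","operationName":"Microsoft.SerialConsole/serialPorts/connect/action","caller":"admin@example.com","resourceId":"/subscriptions/S1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01","resultType":"Success"}
{"time":"2023-05-16T10:09:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"admin@example.com","resourceId":"/subscriptions/S1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScriptExtension","resultType":"Success"}
{"time":"2023-05-16T11:00:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"deploy-pipeline@example.com","resourceId":"/subscriptions/S1/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/db01/extensions/AzureMonitorLinuxAgent","resultType":"Success"}
"""

def parse_activity_log(text):
    """Parse newline-delimited JSON records, oldest first, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return sorted(records, key=lambda r: r["time"])

def vm_of(resource_id):
    """Reduce a resource id to its VM by dropping any '/extensions/<name>' suffix."""
    return resource_id.split("/extensions/")[0].lower()

def console_then_extension(records, window_minutes=30):
    """Flag a successful extension write on a VM whose serial console the same
    caller connected to within the preceding window."""
    window = timedelta(minutes=window_minutes)
    last_console = {}  # (caller, vm) -> time of the most recent console connect
    findings = []
    for r in records:
        if r.get("resultType") != "Success":
            continue
        key = (r["caller"].lower(), vm_of(r["resourceId"]))
        if r["operationName"] == SERIAL_CONSOLE_OP:
            last_console[key] = r["time"]
        elif r["operationName"] == EXTENSION_WRITE_OP and key in last_console:
            gap = r["time"] - last_console[key]
            if timedelta(0) <= gap <= window:
                findings.append({"caller": key[0], "vm": key[1],
                                 "extension": r["resourceId"].rsplit("/", 1)[-1],
                                 "minutes_after_console": gap.total_seconds() / 60})
    return findings
```

A Serial Console connect by an account that never normally uses it is worth alerting on by itself; the pairing above merely raises the priority of the extension write that follows it.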
Mandiant’s findings reveal that UNC3944 has been operating since at least May 2022. Their main goal is to steal sensitive data from targeted organizations that rely on Microsoft’s cloud computing service.
Previously, UNC3944 emerged as the creator of the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit, specifically developed to disable security software. To sign their kernel drivers, the threat actors used stolen Microsoft hardware developer accounts.