A financially motivated cyber gang tracked by Mandiant as ‘UNC3944’ uses phishing and SIM swapping attacks to hijack Microsoft Azure administrator accounts and gain access to virtual machines.

From there, attackers abuse Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealth monitoring.

Mandiant reports that UNC3944 has been active since at least May 2022 and that its campaign aims to steal data from victim organizations using Microsoft’s cloud computing service.

UNC3944 was previously assigned creating toolkit STONESTOP (loader) and POORTRY (kernel mode driver) to terminate security software.

Threat actors used stolen Microsoft hardware developer accounts to sign their kernel drivers.

SIM card swapping between Azure admins

Initial access to the Azure admin account is done using stolen credentials acquired through SMS phishing, a common UNC3944 tactic.

Then, attackers impersonate the administrator when contacting help desk agents to trick them into texting a multi-factor reset code to the target’s phone number.

However, the attacker had already swapped the administrator’s SIM card number and ported it to his device, so he received the 2FA token without the victim realizing the breach.

Mandiant has yet to determine how the hackers carry out the SIM swapping phase of their operation. However, previous cases have shown that knowing the target’s phone number and conspiring with unscrupulous telecommunications employees are enough to facilitate ports of illicit numbers.

Once attackers gain a foothold in the targeted organization’s Azure environment, they use their administrator privileges to gather information, modify existing Azure accounts as needed, or create new ones.

Living off the land tactic

In the next attack phase, the UNC3944 uses Azure Extensions to perform surveillance and intelligence gathering, mask their malicious operations as seemingly innocuous everyday tasks, and blend in with regular activity.

Azure Extensions are “add-on” features and services that can be integrated into an Azure Virtual Machine (VM) to help extend capabilities, automate tasks, and more.

Since these extensions run inside the virtual machine and are usually used for legitimate purposes, they are both stealthy and less suspicious.

In this case, the threat actor abused built-in Azure diagnostic extensions such as “CollectGuestLogs”, which was exploited to collect log files from the hacked endpoint. Additionally, Mandiant found evidence that the threat actor was attempting to abuse the following additional extensions:

Breaching virtual machines to steal data

Then UNC3944 uses Azure Serial Console to gain administrative console access to virtual machines and run commands on a command prompt through the serial port.

“This attack method was unique in that it bypassed many traditional detection methods employed in Azure and provided the attacker with full administrative access to the VM,” says Mandiant’s report.

Mandiant noticed that “whoami” is the first command intruders execute to identify the currently logged-in user and gather enough information to continue the exploitation.

More information about log analysis for Azure Serial Console can be found in the appendix to reports.

Next, the threat actors use PowerShell to improve their persistence on the VM and install several commercially available remote administration tools not named in the report.

“To maintain their presence on the VM, the attacker often deploys several commercially available remote administration tools via PowerShell,” Mandiant’s report reads.

“The advantage of using these tools is that they are legitimately signed applications and provide the attacker with remote access without triggering alerts on many endpoint detection platforms. “

The next step for UNC3944 is to create a reverse SSH tunnel to its C2 server, to maintain stealth and persistent access through a secure channel and bypass network restrictions and security checks.

The attacker configures the reverse tunnel with port forwarding, facilitating a direct connection to the Azure VM via Remote Desktop. For example, any incoming connection to port 12345 on the remote machine would be forwarded to localhost port 3389 (Remote Desktop Protocol service port).

Finally, the attackers use the credentials of a compromised user account to log into the compromised Azure VM via reverse shell and then proceed only to extend their control within the compromised environment, by stealing data along the way.

The attack presented by Mandiant demonstrates UNC3944’s deep understanding of the Azure environment and how they can leverage built-in tools to evade detection.

When this technical know-how is combined with high-level social engineering skills that help attackers perform SIM card swaps, the risk is amplified.

At the same time, a lack of understanding of cloud technologies by organizations that deploy insufficient security measures, such as SMS-based multi-factor authentication, creates opportunities for these sophisticated threat actors.