Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Microsoft Azure accounts hit with phishing attacks to hijack virtual machines

Cloud computing concept represented by a server room, with a cloud representation hologram concept.

Cybersecurity researchers from Mandiant have uncovered a hacking collective with extensive knowledge of the Azure environment, using phishing and SIM-swapping techniques to infiltrate virtual machines and exfiltrate sensitive data.

In its report, Mandiant says it is tracking the group as “UNC3944”, claiming it’s been active since at least May 2022. 

First, the group would run SMS phishing attacks in order to obtain the passwords for Microsoft Azure admin accounts. After that, they would run a SIM-swapping attack, gaining the ability to receive multi-factor authentication (MFA) codes through SMS. Mandiant isn’t sure exactly how the group SIM-swaps, but says that “knowing the target's phone number and conspiring with unscrupulous telecom employees is enough to facilitate illicit number ports”.

Impersonating admins

Then, the group would impersonate the administrator and reach out to help desk agents in order to receive the MFA code and use it to access the target’s Azure environment. Once inside, they’d gather information, modify existing Azure accounts, or create new ones, depending on who they compromised and what the goal at that moment is. 

The next step was to use Azure Extensions add-ons to hide as they gather as much data as possible, and Azure Serial Console to gain admin console access to VMs and run commands over the serial port. 

"This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," Mandiant said in its report.

After that, the group does a number of additional moves to remain on the network, and to keep stealthy, as they identify and exfiltrate as much sensitive data as they can.

UNC3944 demonstrated a “deep understanding” of the Azure environment, Mandiant said, noting this level of technical know-how, combined with high-level social engineering skills, makes this malicious group quite dangerous.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.