Hackers Utilise Azure Serial Console to Get Unauthorized Access to Virtual Machines
Mandiant has identified a financially motivated threat group, tracked as UNC3944, that uses SMS phishing and SIM swapping to compromise Microsoft Azure administrator credentials and gain access to virtual machines.

With an administrator's Azure account in hand, the attackers use the Azure Serial Console to get a command line on the virtual machines, install third-party remote management software and deploy Azure VM Extensions for stealthy surveillance. The Serial Console is reached through the Azure portal and talks to the guest over its serial port, so it does not depend on the VM's network configuration; the gating controls are Azure RBAC (Virtual Machine Contributor-level rights) and boot diagnostics being enabled on the VM, and each connection is recorded in the subscription's Activity Log.
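The following is an added detection example, not code from Mandiant or from the article. It walks a set of constructed Azure Activity Log events and flags a Serial Console connection that is followed, within a time window, by a VM extension deployment on the same VM by the same caller, which is the sequence described above. The record layout is a simplified form of the Azure Monitor Activity Log event schema (operationName.value, caller, resourceId, eventTimestamp, status.value); the resource ID shapes, the caller names and the timestamps are assumptions for the sample and should be checked against a real export before use.

```python
"""Flag Azure Serial Console use followed by VM extension deployment.

Added example; not from the original article or from Mandiant. Events use a
simplified Activity Log shape; verify field names against your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names as they appear in Azure Activity Log.
SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"
VM_EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"

# Constructed sample: one Serial Console connect followed by an extension
# write on the same VM by the same caller, plus an unrelated extension write.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2023-05-16T10:00:00Z",
     "operationName": {"value": SERIAL_CONSOLE_CONNECT},
     "caller": "admin@contoso.example",
     "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/"
                   "Microsoft.Compute/virtualMachines/vm-app01/providers/"
                   "Microsoft.SerialConsole/serialPorts/0",  # assumed shape
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2023-05-16T10:25:00Z",
     "operationName": {"value": VM_EXTENSION_WRITE},
     "caller": "admin@contoso.example",
     "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/"
                   "Microsoft.Compute/virtualMachines/vm-app01/extensions/"
                   "CustomScript",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2023-05-16T11:00:00Z",
     "operationName": {"value": VM_EXTENSION_WRITE},
     "caller": "ops@contoso.example",
     "resourceId": "/subscriptions/0000/resourceGroups/prod/providers/"
                   "Microsoft.Compute/virtualMachines/vm-db02/extensions/"
                   "AzureMonitorWindowsAgent",
     "status": {"value": "Succeeded"}},
]


def parse_ts(value):
    """Activity Log timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def vm_of(resource_id):
    """Reduce a resource ID to its parent VM ID (lower-cased), stripping
    the '/extensions/<name>' or '/providers/Microsoft.SerialConsole/...'
    suffix so both event kinds key on the same VM."""
    rid = resource_id.lower()
    for marker in ("/extensions/", "/providers/microsoft.serialconsole/"):
        idx = rid.find(marker)
        if idx != -1:
            return rid[:idx]
    return rid


def serial_console_connects(events):
    """Every successful Serial Console connection: (caller, vm, time)."""
    out = []
    for e in events:
        if (e["operationName"]["value"] == SERIAL_CONSOLE_CONNECT
                and e["status"]["value"] == "Succeeded"):
            out.append((e["caller"].lower(), vm_of(e["resourceId"]),
                        parse_ts(e["eventTimestamp"])))
    return out


def correlate(events, window=timedelta(hours=2)):
    """Serial Console connect followed by an extension write on the same VM
    by the same caller within `window`. Returns one finding per write."""
    connects = defaultdict(list)
    for caller, vm, ts in serial_console_connects(events):
        connects[(caller, vm)].append(ts)
    findings = []
    for e in events:
        if e["operationName"]["value"] != VM_EXTENSION_WRITE:
            continue
        key = (e["caller"].lower(), vm_of(e["resourceId"]))
        t = parse_ts(e["eventTimestamp"])
        for c in connects.get(key, []):
            if timedelta(0) <= t - c <= window:
                findings.append({"caller": key[0], "vm": key[1],
                                 "console_at": c.isoformat(),
                                 "extension_at": t.isoformat(),
                                 "extension": e["resourceId"]})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['caller']} used Serial Console on {f['vm']} at "
              f"{f['console_at']} then wrote extension {f['extension']}")
```

Any Serial Console connect is worth triaging on its own in an environment where the console is not routinely used, and the subscription-level option to disable the Serial Console removes the vector entirely where it is not needed; the correlation above is for prioritising when the raw connect list is long.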

According to Mandiant, UNC3944 has been active since at least May 2022, and this campaign collects data from victims by abusing Microsoft's cloud platform rather than on-premises infrastructure.
Mandiant previously attributed to UNC3944 the STONESTOP loader and POORTRY kernel-mode driver, a toolkit for terminating security software.
To get those kernel drivers signed, the group used stolen Microsoft hardware developer accounts.
Initial access to the Azure administrator's account comes from credentials stolen through SMS phishing, a frequent UNC3944 method.
The attackers then call the organisation's help desk impersonating the administrator and persuade the agent to send a multi-factor authentication reset code by SMS to the administrator's phone number. Because the attacker has already SIM-swapped that number onto a device they control, they receive the code and the victim sees nothing.
Mandiant is still investigating how the group carries out the SIM-swapping part of the operation. Previous e

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
