UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

20-May-23

Targeting Microsoft Azure cloud services with phishing and SIM-swapping assaults is the financially motivated organisation UNC3944. The intention is to access VMs via taking control of Microsoft Azure admin accounts. The threat actor uses stolen credentials obtained through SMS phishing to gain initial access to an Azure administrator’s account.

The organisation has been functioning at least since May 2022. The UNC3944 threat group was previously connected to the STONESTOP loader and the POORTRY kernel-mode driver toolkit, per a Mandiant investigation. To find its victims, it employed drivers that were approved by Microsoft. The attackers use Microsoft’s cloud computing service for nefarious purposes and try to steal data from the affected organisations.

Read More…