UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

Targeting Microsoft Azure cloud services with phishing and SIM-swapping assaults is the financially motivated organisation UNC3944. The intention is to access VMs via taking control of Microsoft Azure admin accounts. The threat actor uses stolen credentials obtained through SMS phishing to gain initial access to an Azure administrator’s account.

The organisation has been functioning at least since May 2022. The UNC3944 threat group was previously connected to the STONESTOP loader and the POORTRY kernel-mode driver toolkit, per a Mandiant investigation. To find its victims, it employed drivers that were approved by Microsoft. The attackers use Microsoft’s cloud computing service for nefarious purposes and try to steal data from the affected organisations.

UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

SRI LANKA

KUWAIT

USA | New York

UNITED KINGDOM | London

Address

UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

20-May-23

Solutions

Services

Services

Knowledge

Solutions

Industries

Contact

Invinsense

About

INDIA | Ahmedabad

SRI LANKA

KUWAIT

USA | New York

UNITED KINGDOM | London

Address