Go to listing page

UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs

UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs
The financially-motivated group UNC3944 is using phishing and SIM-swapping attacks to target Microsoft Azure cloud services. The goal is to hijack the admin accounts of Microsoft Azure and gain access to VM. The group has been active since at least May 2022.

Detail of the campaign

According to a Mandiant report, the UNC3944 threat group was previously linked with STONESTOP (a loader) and POORTRY (kernel-mode driver) toolkit. It used using Microsoft-certified drivers to target its victims.
  • In its latest campaign, the threat actor is abusing the Azure Serial Console to install remote management software for persistence and Azure Extensions for stealthy surveillance.
  • The attackers attempt to steal data from victim organizations and use Microsoft's cloud computing service for malicious activities.

Gaining initial access

  • The threat actor gains initial access to an Azure administrator's account by using stolen credentials obtained through SMS phishing.
  • They, subsequently, contact the organization's help desk agents and impersonate an administrator, convincing them to send a multi-factor reset code through SMS to a phone number controlled by the attacker.
  • Once they gain access to the organization's Azure environment, they use their admin privileges to collect information, modify existing Azure accounts as required, or create new ones.

Use of Living-off-the-Land tactic

  • In the next stage of the attack, UNC3944 uses Azure Extensions to perform surveillance and collect information. To avoid detection, the attackers hide their malicious operations as innocuous daily tasks and blend in with regular traffic.
  • The attackers abuse the built-in Azure diagnostic extensions, such as CollectGuestLogs, to gather log files from the breached endpoint. 
  • They also abuse other Azure extensions, including VMSnapshot, Guest Configuration, Azure Network Watcher, and Guest Agent Automatic Log Collection.
  • Azure Serial Console is also exploited to obtain admin console access to the VMs and execute commands over the serial port.


UNC3944 threat group is well-versed in using built-in tools to evade detection. To stay safe, the security firm recommends that organizations should restrict access to remote administration channels on all Azure services. Further, instead of using SMS as a multi-factor authentication method, use a real-time authenticator app-based authentication.
Cyware Publisher