A threat group known as UNC3944 (also known as Roasted 0ktapus and Scattered Spider) has been observed hijacking Microsoft Azure admin accounts through phishing and SIM-swapping attacks. The financially motivated group bypasses traditional detection methods within Azure and gains full administrative access to compromised virtual machines (VMs) within victim organizations using Microsoft’s cloud computing service. They have been active since late last year, primarily targeting telecommunications and business process outsourcing (BPO) companies.
The attackers exploit the Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealthy surveillance. Using credentials stolen through SMS phishing, the threat actors impersonate administrators to trick help desk agents into sending a multifactor reset code via SMS; SIM swapping then lets the attackers receive that 2FA token without the victim’s knowledge. Once inside the Azure environment, UNC3944 uses its administrator privileges to gather information and to modify or create Azure accounts. It employs Azure Extensions, such as diagnostic features, for surveillance and data gathering. UNC3944 then gains administrative access to VMs through the Azure Serial Console, runs commands, and uses PowerShell to strengthen persistence and install remote administration tools. Additionally, the group uses a loader called STONESTOP to install a malicious signed driver named POORTRY, enabling it to terminate security software processes, a BYOVD (Bring Your Own Vulnerable Driver) technique. The attackers create a reverse SSH tunnel for secure and persistent access that bypasses network restrictions. Finally, they use compromised user account credentials to log into the compromised VMs and expand control within the breached environment, stealing data along the way.
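As an added example (not code from the article or from the report it summarizes), the following Python pass reads exported Azure Activity Log records, flags the Serial Console connections, VM extension writes and Run Command invocations described above, and correlates a console session followed by a deployment on the same VM by the same caller. The operation-name strings, the flattened record fields (`time`, `caller`, `operationName`, `resourceId`) and the sample records are assumptions for illustration, not values taken from the article.

```python
import json
from datetime import datetime, timedelta

# Operation names are assumed Azure Activity Log values (upper-case as in exported
# records); verify them against your own tenant's logs before relying on them.
WATCHED = {
    "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION": "serial_console",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE": "extension_write",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION": "run_command",
}

# Constructed sample export (newline-delimited JSON); not data from the article or a real tenant.
SAMPLE_LOG = """
{"time": "2023-05-01T10:05:00Z", "caller": "admin@example.test", "resourceId": "/vm/app01", "operationName": "MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION"}
{"time": "2023-05-01T10:12:00Z", "caller": "admin@example.test", "resourceId": "/vm/app01", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"}
{"time": "2023-05-02T09:00:00Z", "caller": "ops@example.test", "resourceId": "/vm/db01", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"}
not-json: a truncated export line that must not abort the batch
"""

def flag_events(ndjson_text):
    """Parse exported records (skipping blank or malformed lines) and return
    (caller, timestamp, tag, resourceId) for each event that hits a watched operation."""
    hits = []
    for line in ndjson_text.splitlines():
        try:
            e = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            continue
        tag = WATCHED.get(e.get("operationName", "").upper()) if e else None
        if tag:
            ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            hits.append((e["caller"], ts, tag, e["resourceId"]))
    return hits

def console_then_deploy(hits, window=timedelta(hours=1)):
    """(caller, vm) pairs where a Serial Console connect was followed within `window` by an
    extension write or Run Command on the same VM: the sequence the article attributes to UNC3944."""
    per_pair = {}
    for caller, ts, tag, rid in hits:
        per_pair.setdefault((caller, rid), []).append((ts, tag))
    suspicious = set()
    for key, seq in per_pair.items():
        seq.sort()  # chronological, so later entries are the candidate follow-ups
        for i, (ts, tag) in enumerate(seq):
            if tag == "serial_console" and any(
                    t2 != "serial_console" and ts2 <= ts + window for ts2, t2 in seq[i + 1:]):
                suspicious.add(key)
    return sorted(suspicious)
```

An extension write on its own (the `ops@example.test` record) is routine administration and is reported only as a single hit; it is the console-then-deploy pairing by one caller that is escalated.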
UNC3944’s attack demonstrates their deep understanding of Azure and their ability to evade detection by leveraging built-in tools. Organizations’ insufficient security measures and limited knowledge of cloud technologies, such as relying on SMS-based multifactor authentication, create opportunities for these sophisticated threat actors. To enhance security, organizations should limit access to remote administration channels and avoid using SMS as a multifactor authentication method whenever feasible. It is advisable to review user account permissions, ensuring they are not excessively permissive, and implement Conditional Access Authentication Strength policies that align with best practices. These measures contribute to a more secure environment and help prevent unauthorized access.