Microsoft Azure’s virtual machines (VMs) have fallen victim to what cybersecurity experts consider to be one of the most sophisticated financially-motivated cyberattacks. The security breach has sent shockwaves through the cybersecurity community, raising serious questions about the security of cloud computing environments.

Cybersecurity researchers from Mandiant have identified a well-organized malicious group with extensive Azure environment know-how. The attack vectors have launched an online assault using SIM-swapping and phishing techniques to break into virtual machines. Their potential to exfiltrate sensitive data on large-scale cloud platforms puts enterprise-level data at risk.

Mandiant, in its report, stated that they have been keeping track of the group, identified as ‘UNC3944’. The cybersecurity researchers further added that the malicious group has been operational since May 2022 or even before.


Cloud Storage Spaces at Risk with Unauthorized Access

Mandiant has also pointed out the vulnerability of data stored in cloud spaces. The threat vector has demonstrated its capability to evade software detections while accessing sophisticated platforms like Azure Cloud.

The key motive of this malicious group is to steal valuable data by exploiting cloud storage spaces for financial gain. Naturally, enterprise data is at risk, with organizations counting on cloud storage spaces becoming potential victims of data extortion.


cloud storage threats

Image sourced from


The malicious group can compromise administrative credentials through its smishing (SMS-based phishing) campaigns. They may also gain control of Azure tenants, analyze Azure configurations, carry out data thefts, and access data in the VMs.

It’s worth noting that the same attack vector successfully leveraged signed drivers to exploit Microsoft’s environments. The threat actors have been bent on infiltrating businesses’ databases in sectors like finance, telecom BPO, and managed security services. They have already carried out phishing attacks through SMSs on their targets.

In the past, UNC3944 has created the POORTRY (kernel-mode driver) and STONESTOP (loader) toolkits for evading security mechanisms. The attackers used the stolen hardware developer of Microsoft to sign their kernel drivers into the accounts.


How Does the New Cyberattack Module Work?

The attack vectors have demonstrated outright sophistication while launching new online assaults on cloud platforms. At the outset, malicious actors run phishing campaigns through SMS. That enables them to obtain the passwords of the admin accounts of Microsoft Azure.

The second stage of the well-organized cyberattack module involves running a SIM-swapping attack. It enables the attackers to gain access to the MFA codes via SMS.

However, the cybersecurity researchers aren’t sure how the group carries out the SIM swaps. They conjecture that the attackers probably know the victim’s phone number. They may be conspiring with unscrupulous telecom employees, thereby illegally porting numbers.


The Attackers Impersonate Admins to Deceive Microsoft

Besides the above steps of attack, the threat actors would also impersonate the Microsoft administrator. It grants them access to the desk agents to obtain the MFA code. Next, they could deploy this code to access Azure’s target environment.


attackers Impersonate Admins


Once infiltrating into the cloud environment, the attackers would gather information and create new accounts or modify the existing ones of Azure. The nature of their operation largely depends on their goals and who the victim is.

Next, the attackers conceal the gathered data using Extensions add-ons. They also gain access to the VMs through Azure Serial Console to run commands over the serial port.

The cybersecurity researchers consider the new attack module ‘quite unique.’ It could successfully dodge most traditional methods to detect unauthorized access to the Azure environment. Ultimately, the attackers gain full administrative access to the virtual machines

Once they access Microsoft’s VMs, they remain stealthy on the network by executing several additional moves. Their ability to linger on the network in stealth mode empowers them further to exfiltrate sensitive data over time.


How Does Cloud Security Stand in the Wake of the Attack?

Expressing concerns about cloud security, Mandiant added that the attack vectors have a deep understanding of the cloud environment of Azure. Combined with social engineering skills, their high level of technical knowledge makes the malicious players quite dangerous.

Identifying the knowledge gap while using cloud technologies at the organizational level is crucial. Deploying inadequate security mechanisms enables the attack vectors to exploit the vulnerabilities easier.


Final Words

The authorities need to look beyond MFAs and SMSs to strengthen their line of defense. With online threats gaining sophistication consistently over the years, it’s time for CEOs and business heads to consult managed security services.




The intensity of attacks and intelligence of the malicious players tend to outwit the most sophisticated defense mechanisms. One must wait and see whether Microsoft will develop a more vigilant and proactive stance to prevent future unauthorized data access attempts.

Pin It on Pinterest

Share This