A threat actor with a history of targeting Microsoft servers has recently gained control over virtual machines (VMs) and installed third-party remote management software within clients’ cloud environments. The Mandiant Intelligence team has observed this actor, tracked as UNC3844, evading security software detection in Azure cloud environments. Its primary objective is to get at cloud storage, steal valuable data for financial gain, and potentially threaten victims with data extortion.
Compromising administrative credentials through smishing campaigns allows UNC3844 to take control of Azure tenants, enabling them to perform data theft, analyze Azure configurations, and assess the data residing within VMs.
UNC3844 has previously been identified as a threat group involved in exploiting Microsoft environments by leveraging signed drivers for post-exploitation activities. Its focus has primarily been on infiltrating the databases of companies in sectors such as telecom BPO, finance, and managed security services. SMS phishing (smishing) has been its preferred method of targeting victims.
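As an added example that is not part of the original article or of Mandiant's reporting, the following Python snippet shows one way a defender could hunt Azure Activity Log exports for the behaviour described above: successful VM extension installs and run-command executions, the usual routes for dropping third-party remote management software onto an Azure VM, grouped by the account that performed them. The log records are constructed samples, and the field names assume the one-JSON-object-per-line Activity Log export schema; the operation names are real Azure resource-provider operations.

```python
import json
from collections import defaultdict

# Azure Activity Log operations that execute or install code on a VM. The
# operation names are real Azure resource-provider operations; matching them
# against an exported record's "operationName" string is an assumption about
# the export format being parsed.
VM_CODE_OPS = {
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
}

# Constructed sample records (not real telemetry) shaped like exported Activity Log lines.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTimestamp": "2023-05-17T02:11:04Z", "caller": "admin@example.test", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/db01/extensions/CustomScript"},
    {"eventTimestamp": "2023-05-17T02:14:39Z", "caller": "admin@example.test", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/fileshare02"},
    {"eventTimestamp": "2023-05-17T02:20:01Z", "caller": "admin@example.test", "status": "Failed",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/db03"},
    {"eventTimestamp": "2023-05-17T09:00:12Z", "caller": "ops@example.test", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": f"{SUB}/providers/Microsoft.Compute/virtualMachines/db01"},
])


def parse_activity_log(text):
    """One JSON object per line, as produced by an Activity Log export."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def vm_name(resource_id):
    """Extract the VM name from a resourceId, ignoring any /extensions/... suffix."""
    parts = resource_id.split("/")
    return parts[parts.index("virtualMachines") + 1]


def callers_executing_on_vms(records):
    """Map each caller to the distinct VMs on which they successfully ran or installed code."""
    seen = defaultdict(set)
    for r in records:
        if r.get("operationName") in VM_CODE_OPS and r.get("status") == "Succeeded":
            seen[r.get("caller", "<unknown>")].add(vm_name(r["resourceId"]))
    return {caller: sorted(vms) for caller, vms in seen.items()}


if __name__ == "__main__":
    for caller, vms in callers_executing_on_vms(parse_activity_log(SAMPLE_LOG)).items():
        print(f"{caller}: code executed on {len(vms)} VM(s): {', '.join(vms)}")
```

A caller who suddenly runs code on many VMs in a short window, especially outside business hours, is worth reviewing against change tickets; the Failed record and the plain VM start are deliberately left out of the result.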
In other news, Microsoft has introduced an interesting approach of assigning weather-related names to nations engaged in espionage and cyber attacks. For example, China is referred to as “Typhoon,” Iran as “Sandstorm,” and Russia as “Blizzard.” This change aims to provide a more intuitive way of understanding and referring to countries involved in cyber activities. Similar to the use of scientific names for flora and fauna, this approach allows cybersecurity professionals, educators, and students worldwide to easily identify and comprehend the referenced nations. For example, an elephant is called by different names in different parts of the world, depending on the spoken language, of course! But when we use its scientific name, Elephantidae, all learned folks can relate it to the world's largest terrestrial mammal.