The notorious cyber gang UNC3944, suspected of involvement in the recent attacks on Snowflake customers and MGM Resorts, among others, has modified its methods and is now targeting SaaS applications.
According to Google Cloud's Mandiant threat intelligence team, UNC3944's operations overlap significantly with those of the threat groups tracked as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group started with credential harvesting and SIM-swapping attacks, progressed to ransomware and data-theft extortion, and has now transitioned to "primarily data theft extortion, without the use of ransomware."
Mandiant claimed to have heard recordings of UNC3944's calls to corporate help desks, in which it attempted social engineering attacks.
"The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant's researchers noted last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.
UNC3944 callers, posing as employees, would frequently claim to be getting a new phone and therefore need an MFA reset. If help desk staff granted that reset, the attackers could set a new password and enrol their own MFA factor, bypassing the MFA protection entirely.
"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant added. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.”
Once inside an organization's environment, the attackers immediately hunted for information on VPNs, virtual desktops and other remote-work tools that could provide persistent access. Okta was another target: by tampering with the vendor's single sign-on (SSO) configuration, the attackers could create accounts that let them log into other systems.
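The two moves described above, a help-desk MFA reset followed by a login from an unfamiliar address and a new account created by the freshly reset identity, leave a recognisable sequence in an identity provider's audit log. The following detector is an added example, not code from the article or from Mandiant. It runs over constructed Okta System Log-style events (the `eventType` names follow Okta's schema; the users, addresses and timestamps are invented) and flags a user who starts a session from an IP never seen before within a window after an MFA reset, or who creates a user account within that window. The window length and the "known IP" heuristic are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Okta System Log-style events, newest last. Not real telemetry:
# names, addresses and times are invented for this example.
SAMPLE_LOG = """
{"published":"2024-06-10T08:50:00.000Z","eventType":"user.session.start","actor":{"alternateId":"carol@corp.example"},"client":{"ipAddress":"10.1.40.50"},"target":[]}
{"published":"2024-06-10T08:55:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@corp.example"},"client":{"ipAddress":"10.1.40.22"},"target":[]}
{"published":"2024-06-10T09:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@corp.example"},"client":{"ipAddress":"10.1.40.31"},"target":[]}
{"published":"2024-06-10T10:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@corp.example"},"client":{"ipAddress":"10.1.1.5"},"target":[{"type":"User","alternateId":"carol@corp.example"}]}
{"published":"2024-06-10T10:05:00.000Z","eventType":"user.session.start","actor":{"alternateId":"carol@corp.example"},"client":{"ipAddress":"10.1.40.50"},"target":[]}
{"published":"2024-06-10T14:02:11.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@corp.example"},"client":{"ipAddress":"10.1.1.5"},"target":[{"type":"User","alternateId":"alice@corp.example"}]}
{"published":"2024-06-10T14:03:40.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@corp.example"},"client":{"ipAddress":"10.1.1.5"},"target":[{"type":"User","alternateId":"alice@corp.example"}]}
{"published":"2024-06-10T14:10:05.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@corp.example"},"client":{"ipAddress":"203.0.113.77"},"target":[]}
{"published":"2024-06-10T14:25:30.000Z","eventType":"user.lifecycle.create","actor":{"alternateId":"alice@corp.example"},"client":{"ipAddress":"203.0.113.77"},"target":[{"type":"User","alternateId":"svc-backup@corp.example"}]}
{"published":"2024-06-10T15:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@corp.example"},"client":{"ipAddress":"10.1.40.31"},"target":[]}
"""

# Okta event types that wipe or disable a user's MFA factors.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def parse_log(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(
            event["published"], "%Y-%m-%dT%H:%M:%S.%fZ"
        ).replace(tzinfo=timezone.utc)
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def target_user(event):
    """Return the User target of an admin action, or None."""
    for target in event.get("target", []):
        if target.get("type") == "User":
            return target["alternateId"]
    return None


def detect_helpdesk_reset_abuse(events, window=timedelta(hours=2)):
    """Flag post-reset logins from unseen IPs and post-reset account creation.

    known_ips is built from sessions seen so far, so the baseline is whatever
    history precedes the reset in the supplied events (an assumption; in
    production you would seed it from a longer lookback).
    """
    alerts = []
    known_ips = defaultdict(set)
    resets = []  # (timestamp, reset user, admin who performed it)
    for event in events:
        kind = event["eventType"]
        actor = event["actor"]["alternateId"]
        ip = event["client"]["ipAddress"]
        if kind in RESET_EVENTS:
            resets.append((event["ts"], target_user(event), actor))
            continue
        # Resets of this actor that happened within the window before now.
        recent = [r for r in resets
                  if r[1] == actor and timedelta(0) <= event["ts"] - r[0] <= window]
        if kind == "user.session.start":
            if recent and ip not in known_ips[actor]:
                alerts.append({"rule": "new_ip_login_after_mfa_reset",
                               "user": actor, "ip": ip,
                               "reset_by": recent[-1][2],
                               "at": event["published"]})
            # Record the IP either way so one new address alerts only once.
            known_ips[actor].add(ip)
        elif kind == "user.lifecycle.create" and recent:
            alerts.append({"rule": "account_created_after_mfa_reset",
                           "user": actor, "created": target_user(event),
                           "ip": ip, "reset_by": recent[-1][2],
                           "at": event["published"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_reset_abuse(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample data only alice's activity is flagged: carol's reset is followed by a login from an address she already used, so it is treated as a legitimate help-desk ticket, while alice's reset is followed by a login from a new external address and then by the creation of `svc-backup@corp.example`, the pattern the article attributes to UNC3944. Shrinking the window to five minutes suppresses both alerts, which is the tuning trade-off: too short and a patient caller slips through, too long and ordinary travel or VPN changes after a genuine reset generate noise.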
Among the systems reached through compromised SSO were VMware vSphere and Microsoft Azure. Both gave UNC3944 operators the ability to create virtual machines inside the victim's own environment and use them for malicious purposes. Such machines are attractive because they receive addresses from the organization's internal IP ranges, which network controls typically treat as trusted.