
Notorious Cyber Gang UNC3944 Shifts Focus to SaaS Apps vSphere and Azure


The notorious cyber gang UNC3944, suspected of involvement in the recent attacks on Snowflake and MGM Entertainment among others, has modified its methods and is now targeting SaaS apps.

According to Google Cloud's Mandiant threat intelligence team, UNC3944's operations coincide significantly with those of the assault groups known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group's operations began with credential harvesting and SIM swapping attacks, progressed to ransomware and data theft extortion, and have now transitioned to "primarily data theft extortion, without the use of ransomware."

Mandiant claimed to have heard recordings of UNC3944's calls to corporate help desks, in which it attempted social engineering attacks. 

"The threat actors spoke with clear English and targeted accounts with high privilege potential," Mandiant's researchers noted last week. In some cases, callers already possessed victims' personally identifiable information, allowing the attackers to bypass identity verification checks.

UNC3944 callers, posing as employees, would frequently say they were getting a new phone and therefore needed an MFA reset. If help desk employees approved such a reset, the attackers could reset passwords and get around MFA protections.

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant added. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

When the hackers infiltrated an organization's infrastructure, they would immediately hunt for information on tools such as VPNs, virtual desktops, and remote telework programmes that would provide persistent access. Access to Okta was another target; tampering with the vendor's single sign-on tools (SSO) allowed attackers to create accounts that could be used to log into other systems. 

VMware's vSphere hybrid cloud management tool was one target of attacks that followed from compromised SSO tools; Microsoft Azure was another. In both cases the aim was to let UNC3944 operatives create virtual machines inside an organisation's environment and use them for malicious purposes. This is effective because such VMs receive internal IP addresses, which most of an organization's resources treat as coming from a trusted range.
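The chain described above (help-desk MFA reset on a privileged account, a new account created through SSO, then VM creation from that account) is something a detection team can correlate across log sources. The following is an added example written for this page, not code from Mandiant or from the blog; the event records, field names and event labels are constructed for illustration and are not real Okta, vSphere or Azure log formats. It flags any MFA reset that is followed within a time window by VM creation from the reset account or from an account the reset account created.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed schema: ts, source, event, actor, target).
# These are illustrative records, not real help-desk, SSO or hypervisor logs.
SAMPLE_EVENTS = [
    {"ts": "2024-06-10T09:02:00", "source": "helpdesk", "event": "mfa_reset",
     "actor": "helpdesk-agent", "target": "alice.admin"},
    {"ts": "2024-06-10T09:15:00", "source": "sso", "event": "user_create",
     "actor": "alice.admin", "target": "svc-backup2"},
    {"ts": "2024-06-10T09:20:00", "source": "sso", "event": "role_assign",
     "actor": "alice.admin", "target": "svc-backup2", "role": "vsphere-admin"},
    {"ts": "2024-06-10T10:05:00", "source": "vsphere", "event": "vm_create",
     "actor": "svc-backup2", "target": "vm-temp-01"},
    {"ts": "2024-06-10T10:07:00", "source": "azure", "event": "vm_create",
     "actor": "svc-backup2", "target": "vm-temp-02"},
    # Benign: a routine MFA reset with no follow-on provisioning activity.
    {"ts": "2024-06-10T11:00:00", "source": "helpdesk", "event": "mfa_reset",
     "actor": "helpdesk-agent", "target": "bob.user"},
    # Benign: an established automation account creating a VM, no prior reset.
    {"ts": "2024-06-10T12:00:00", "source": "vsphere", "event": "vm_create",
     "actor": "ops.bot", "target": "vm-build-17"},
]


def _ordered(events):
    """Return a copy of the events sorted by time, with 'ts' parsed to datetime."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def find_reset_to_vm_chains(events, window_hours=24):
    """Correlate help-desk MFA resets with later VM creation.

    For each 'mfa_reset', follow the reset account forward in time. Any account
    it creates ('user_create') is added to the suspect set, and any 'vm_create'
    performed by a suspect within the window is attributed to the reset.
    Returns one finding per reset that led to VM creation.
    """
    ordered = _ordered(events)
    window = timedelta(hours=window_hours)
    findings = []
    for i, reset in enumerate(ordered):
        if reset["event"] != "mfa_reset":
            continue
        account = reset["target"]
        deadline = reset["ts"] + window
        suspects = {account}      # accounts whose actions we tie to this reset
        created, vms = [], []
        for later in ordered[i + 1:]:
            if later["ts"] > deadline:
                break
            if later["event"] == "user_create" and later["actor"] in suspects:
                suspects.add(later["target"])
                created.append(later["target"])
            elif later["event"] == "vm_create" and later["actor"] in suspects:
                vms.append(later["target"])
        if vms:
            findings.append({
                "reset_account": account,
                "reset_at": reset["ts"].isoformat(),
                "created_accounts": created,
                "vms": vms,
            })
    return findings


if __name__ == "__main__":
    for f in find_reset_to_vm_chains(SAMPLE_EVENTS):
        via = f["created_accounts"] or [f["reset_account"]]
        print(f"MFA reset on {f['reset_account']} at {f['reset_at']} "
              f"followed by VM creation {f['vms']} via {via}")
```

On the sample data only the alice.admin chain is reported; bob.user's reset has no follow-on activity and ops.bot's VM creation has no preceding reset. The window is the main tuning knob: a short window cuts noise from legitimate resets, while a longer one catches actors who wait before provisioning.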

Experts Urge Caution as Cyber Gang Claims to Have Erased Stolen Data in N.S. Breach


A cybercriminal group known as Clop, a ransomware operation, claims to have erased the sensitive personal data of up to 100,000 Nova Scotians that was in its possession. However, cybersecurity experts advise the province to be skeptical of this assertion.

According to the group, they conducted a hack on the MOVEit file-sharing system, affecting users globally, including the Nova Scotia government and British Airways. They recently published a statement on their website declaring that they have deleted all the data they had stolen from government entities, cities, and police services. 

The note emphasized that they had no intention of exposing such information from these public organizations. On the other hand, the group has set a deadline of June 14 for private companies to contact them for ransom negotiations. Despite Clop's seemingly benevolent gesture towards public institutions, cybersecurity experts caution the Nova Scotia government to remain vigilant and not let its guard down in light of this declaration.

“Clop’s claim to have deleted data belonging to public sector bodies should be assumed to be false,” said Brett Callow in an email. Callow is a Vancouver Island-based threat analyst with cybersecurity company Emsisoft.

“There is no reason for a criminal enterprise to simply delete information that may have value,” Callow said, adding that the data could be sold or traded, or used for phishing -- a type of email scam that induces people to reveal personal data.

“And even if they did delete it, that does not undo the breach.”

The government of Nova Scotia has disclosed that approximately 100,000 current and former employees in the public sector may have had their sensitive personal information compromised in a hack targeting the MOVEit software. Officials stated that the breach was detected last week and that the stolen data included social insurance numbers, addresses, and banking details.

“This is a criminal organization,” Khalehla Perrault said in an email. “We don’t consider them trustworthy, and we won’t be communicating with them.”

According to Lawrence Abrams, the owner and editor-in-chief of cybersecurity news site bleepingcomputer.com, attacks on government, military, and healthcare organizations often lead to significant law enforcement operations, so while gangs like Clop have targeted public entities before, they may intentionally avoid doing so. Abrams also warned that when hackers claim to have deleted stolen data, they might still sell or exploit it in the future.

Ian L. Paterson, the CEO of Vancouver-based cybersecurity company Plurilock, echoed Abrams' sentiment, suggesting that Clop aims for the largest possible payout while minimizing the risk of being apprehended. Paterson advised skepticism regarding the claims of data erasure. He commended the Nova Scotia government's transparency in communicating the breach to the public. Paterson viewed the incident as an opportunity for organizations and individuals to assess the security of their systems and data transmission to enhance their protection against cyber threats.

The Nova Scotia government stated that its investigation into the breach is ongoing, and affected individuals will be contacted once identified. Perrault advised potential victims to monitor their financial transactions, report any suspicious activity to their bank, and regularly check the government's dedicated website for updates on the breach.