The financially motivated threat actor known as UNC3944 is turning to deploying ransomware as it expands its monetization strategies, Mandiant has revealed.
“UNC3944 was more focused on stealing large amounts of sensitive data for extortion purposes and appears to understand Western business practices, likely due to the group’s geographic makeup,” the threat intelligence firm said.
“UNC3944 has also always relied on publicly available tools and legitimate software, in combination with malware available for purchase on underground forums.”
The group, also known as 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, engaging in phone-based social engineering and SMS phishing to obtain employees’ valid credentials via fake login pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.
While the group originally focused on telecommunications and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, as well as financial services, illustrating the growing threat.
One of the hallmarks of the threat actor is its use of a victim’s stolen credentials to impersonate the employee in calls to the organization’s service desk, with the aim of obtaining multi-factor authentication (MFA) codes and/or password resets.
It’s worth noting that Okta, earlier this month, warned its customers about the same attacks, with the cybercrime gang calling victims’ IT help desks to trick support staff into resetting the MFA factors of highly privileged employees, allowing it access to those valuable accounts.
In one case, an employee allegedly installed RECORDSTEALER malware via a fake software download, which then facilitated credential theft. Malicious login pages, crafted using phishing kits such as EIGHTBAIT and others, are capable of sending captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.
The adversary has also been observed using various information stealers (e.g., Atomic, ULTRAKNOT (aka Meduza), and Vidar) and credential-theft tools (e.g., MicroBurst) to obtain the privileged access necessary to achieve its objectives and expand its operations.
Part of UNC3944’s activity includes using commercial residential proxy services to access victim environments while evading detection, abusing legitimate remote access software, and performing extensive directory and network reconnaissance to help escalate privileges and maintain persistence.
Also noteworthy is the abuse of the victim organization’s cloud resources to host malicious utilities that disable firewall and security software, and to push them to other endpoints, highlighting the hacking group’s evolving know-how.
The latest findings come as the group has become an affiliate of the BlackCat (aka ALPHV or Noberus) ransomware crew, taking advantage of its new status to breach MGM Resorts and deploy file-encrypting malware.
“Threat actors operate at an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data in a matter of days,” Mandiant noted.
“When deploying ransomware, threat actors appear to specifically target virtual machines and other business-critical systems, likely in an effort to maximize the impact on the victim.”