Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure

Notorious cyber gang UNC3944 - the crew suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, and plenty more besides - has changed its tactics and is now targeting SaaS applications

According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities overlap heavily with those of an attack group variously known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group initially used credential harvesting and SIM swapping in its operations, moved on to ransomware and data theft extortion, but has now shifted to "primarily data theft extortion, without the use of ransomware."

Mandiant claimed it's heard recordings of UNC3944's calls to corporate help desks, during which it attempts social engineering attacks.

"The threat actors spoke with clear English and targeted accounts with high privilege potential," Mandiant's researchers wrote last week. In some cases, callers already possessed victims' personally identifiable information - allowing the attackers to bypass identity verification checks.

UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset.

If help desk staff allowed that reset, the attackers would reset passwords and bypass MFA requirements.

If social engineering doesn't work, the gang may just threaten its targets.

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant wrote. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

However the crooks entered an org's infrastructure, they would quickly go looking for info on tools like VPNs, virtual desktops, and remote telework utilities that would give them persistent access. Access to Okta was another target - being able to mess with that vendor's single sign-on (SSO) tools gave attackers the ability to create accounts they could use to log into other systems.

VMware's vSphere hybrid cloud management tool was one target of attacks made after compromising SSO tools. Microsoft's Azure was another. Both were targeted so that UNC3944 operatives could create virtual machines within an org and use them for their evil activities. Doing so makes sense because traffic from an org's own resources will mostly come from IP ranges the org already treats as trusted, so attacker-controlled VMs blend in with legitimate infrastructure.

SaaS is another new frontier for UNC3944.

Mandiant observed the group targeting VMware's vCenter management tool, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and Google Cloud Platform.

Office 365 was another target, helped by a Microsoft tool called Delve that the software giant promotes as helping users "to discover and organize the information that's likely to be most interesting to you right now - across Microsoft 365."

Surprise - it also helps attackers understand what info you value most, and then target that during their raids.

To steal the data, UNC3944 uses synchronization utilities such as Airbyte and Fivetran that shunt info into cloud storage resources they controlled.

Mandiant advised that "Multiple detection opportunities exist to assist with a speedier identification of possible compromise" and recommended "heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices."

"SaaS applications pose an interesting dilemma for organizations, as there is a gray area of where and who should conduct monitoring to identify issues," the infosec researchers added. "For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent."
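The detection opportunity Mandiant describes above - an MFA re-registration followed by the creation of a new virtual machine - can be checked with a small correlation over centralized logs. The script below is an added example written for this article; it is not Mandiant's or The Register's code. It assumes Okta System Log-style records (eventType, actor, target, published) and Azure Activity Log-style records (operationName, caller, eventTimestamp, resourceId); the sample records are constructed for illustration, and the event-type and operation names used as match keys are assumptions to be adjusted for your own tenant.

```python
"""Correlate MFA re-registration with subsequent VM creation.

Added example, not code from the article or from Mandiant. Record shapes,
event-type strings and the sample data below are assumptions/constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumed Okta event types for a factor being reset and then re-enrolled.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
MFA_ENROLL_EVENTS = {"user.mfa.factor.activate"}
# Assumed Azure operation name for creating/updating a VM.
VM_CREATE_OPS = {"Microsoft.Compute/virtualMachines/write"}
WINDOW = timedelta(hours=24)

# Constructed sample records (not real telemetry).
OKTA_EVENTS = [
    {"published": "2024-06-10T14:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.admin@example.com", "target": "j.doe@example.com"},
    {"published": "2024-06-10T14:05:40Z", "eventType": "user.mfa.factor.activate",
     "actor": "j.doe@example.com", "target": "j.doe@example.com"},
    {"published": "2024-06-10T14:06:02Z", "eventType": "user.account.reset_password",
     "actor": "j.doe@example.com", "target": "j.doe@example.com"},
    # Benign: a new-hire enrollment with no preceding reset.
    {"published": "2024-06-10T09:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "a.smith@example.com", "target": "a.smith@example.com"},
]
AZURE_EVENTS = [
    {"eventTimestamp": "2024-06-10T16:30:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "j.doe@example.com",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/"
                   "Microsoft.Compute/virtualMachines/vm-jump01"},
    {"eventTimestamp": "2024-06-10T10:00:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "a.smith@example.com",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-build/providers/"
                   "Microsoft.Compute/virtualMachines/vm-build"},
]


def _ts(s):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_reregistrations(events, window=WINDOW):
    """Return {user: enroll_time} for users whose factor was reset and then
    re-enrolled within `window`. Enrollments without a prior reset are ignored,
    which keeps ordinary onboarding out of the alert set."""
    resets, out = {}, {}
    # ISO-8601 strings with a fixed format sort correctly lexicographically.
    for ev in sorted(events, key=lambda e: e["published"]):
        t, user = _ts(ev["published"]), ev["target"]
        if ev["eventType"] in MFA_RESET_EVENTS:
            resets[user] = t
        elif ev["eventType"] in MFA_ENROLL_EVENTS:
            reset_at = resets.get(user)
            if reset_at is not None and t - reset_at <= window:
                out[user] = t
    return out


def vm_creations(events):
    """Return [(caller, time, resourceId)] for every VM create/update record."""
    return [(e["caller"], _ts(e["eventTimestamp"]), e["resourceId"])
            for e in events if e["operationName"] in VM_CREATE_OPS]


def correlate(okta_events, azure_events, window=WINDOW):
    """Flag VMs created by a user within `window` after that user's MFA
    re-registration. The reset itself is not an alert; the reset-then-build
    sequence is what mirrors the help desk playbook described above."""
    rereg = mfa_reregistrations(okta_events, window)
    alerts = []
    for caller, t, resource in vm_creations(azure_events):
        enrolled = rereg.get(caller)
        if enrolled is not None and timedelta(0) <= t - enrolled <= window:
            alerts.append({"user": caller, "mfa_reregistered": enrolled.isoformat(),
                           "vm": resource, "created": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(OKTA_EVENTS, AZURE_EVENTS):
        print(alert)
```

Run as-is it flags only j.doe's VM: the factor reset by the help desk, re-enrollment minutes later, and a jump-box build a couple of hours after that. The a.smith enrollment and VM are ignored because no reset preceded them. In production the same join runs over the centralized SaaS and cloud logs Mandiant recommends collecting; the 24-hour window and the exact event names are the knobs to tune.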
