Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure

Notorious cyber gang UNC3944 - the crew suspected of involvement in the recent attacks on Snowflake customers and MGM Resorts, and plenty more besides - has changed its tactics and is now targeting SaaS applications.

According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities have plenty of overlap with the attack group variously known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group initially used credential harvesting and SIM swapping in its operations, moved on to ransomware and data theft extortion, and has now shifted to "primarily data theft extortion, without the use of ransomware."

Mandiant claimed it's heard recordings of UNC3944's calls to corporate help desks, during which it attempts social engineering attacks.

"The threat actors spoke with clear English and targeted accounts with high privilege potential," Mandiant's researchers wrote last week. In some cases, callers already possessed victims' personally identifiable information - allowing the attackers to bypass identity verification checks.

UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset.

If help desk staff allowed that reset, the attackers would reset passwords and bypass MFA requirements.

If social engineering doesn't work, the gang may just threaten its targets.

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant wrote. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

However the crooks entered an org's infrastructure, they would quickly go looking for information on tools such as VPNs, virtual desktops, and remote telework utilities that could give them persistent access. Okta was another target: control over that vendor's single sign-on (SSO) tools gave the attackers the ability to create accounts they could use to log into other systems.

VMware's vSphere virtualization platform was one target of attacks made after compromising SSO tools. Microsoft's Azure was another. Both were targeted so that UNC3944 operatives could create virtual machines inside a victim's environment and run their operations from there. Doing so makes sense because a VM on the org's own infrastructure uses internal IP addresses within ranges the org treats as safe, so its traffic passes controls keyed on source address that would block an outside host.

SaaS is another new frontier for UNC3944.

Mandiant observed the group targeting VMware's vCenter management tool, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and Google Cloud Platform.

Office 365 was another target, helped by a Microsoft tool called Delve that the software giant promotes as helping users "to discover and organize the information that's likely to be most interesting to you right now - across Microsoft 365."

Surprise - it also helps attackers understand what info you value most, and then target that during their raids.

To steal the data, UNC3944 uses synchronization utilities such as Airbyte and Fivetran to shunt information into cloud storage resources that the attackers control.

Mandiant advised that "Multiple detection opportunities exist to assist with a speedier identification of possible compromise" and recommended "heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices."
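One way to act on that advice, as an added example that is not the article's or Mandiant's code: a small Python correlation over normalised Okta System Log and Azure Activity Log records that flags an MFA reset followed within 24 hours by a factor enrolment from an address the user had never used before, or by a VM creation under the same identity. The event records are constructed, and the Okta eventType strings and Azure operationName are assumptions to verify against your own log sources.

```python
"""Flag MFA re-registrations followed by new-IP factor enrolment or VM creation.

Added example, not code from the article or from Mandiant. The event
records are constructed and simplified: the Okta System Log eventType
strings and the Azure Activity Log operationName are assumed and should
be checked against your own feeds, and a real pipeline would read events
from a SIEM rather than a list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log event types (assumed): a help desk reset wipes factors,
# then the caller enrols a new one from wherever they actually are.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
MFA_ENROLL_EVENTS = {"user.mfa.factor.activate"}
# Azure Activity Log operation that creates or updates a VM (assumed).
VM_CREATE_EVENTS = {"Microsoft.Compute/virtualMachines/write"}

# Normalised records: 'user' is the account affected (the reset target in
# Okta, the caller identity in Azure); 'ip' is the client source address.
SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2024-06-03T09:00:00Z", "user": "alice", "type": "user.session.start",
     "ip": "198.51.100.4", "resource": None},
    {"time": "2024-06-04T08:30:00Z", "user": "bob", "type": "user.session.start",
     "ip": "198.51.100.9", "resource": None},
    # help desk resets alice's factors after a "new phone" call
    {"time": "2024-06-10T14:02:00Z", "user": "alice", "type": "user.mfa.factor.reset_all",
     "ip": "10.0.5.20", "resource": None},
    # new factor enrolled minutes later from an address alice never used before
    {"time": "2024-06-10T14:10:00Z", "user": "alice", "type": "user.mfa.factor.activate",
     "ip": "203.0.113.7", "resource": None},
    # the same identity then creates a VM in Azure
    {"time": "2024-06-10T15:30:00Z", "user": "alice",
     "type": "Microsoft.Compute/virtualMachines/write",
     "ip": "203.0.113.7", "resource": "vm-backup-01"},
    # bob's reset is benign: re-enrolment comes from his usual address, no VM
    {"time": "2024-06-11T10:00:00Z", "user": "bob", "type": "user.mfa.factor.reset_all",
     "ip": "10.0.5.20", "resource": None},
    {"time": "2024-06-11T10:05:00Z", "user": "bob", "type": "user.mfa.factor.activate",
     "ip": "198.51.100.9", "resource": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per MFA reset that is followed, within `window`, by a
    factor enrolment from an IP the user had never used before the reset
    and/or a VM creation by the same user."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["time"]))
        for reset in (e for e in evs if e["type"] in MFA_RESET_EVENTS):
            t0 = parse_ts(reset["time"])
            # baseline: every source address seen for this user before the reset
            known_ips = {e["ip"] for e in evs if parse_ts(e["time"]) < t0}
            later = [e for e in evs if t0 <= parse_ts(e["time"]) <= t0 + window]
            new_ip_enrol = sorted({e["ip"] for e in later
                                   if e["type"] in MFA_ENROLL_EVENTS
                                   and e["ip"] not in known_ips})
            vms = [e["resource"] for e in later if e["type"] in VM_CREATE_EVENTS]
            if new_ip_enrol or vms:
                alerts.append({"user": user, "reset_at": reset["time"],
                               "new_ip_enrolments": new_ip_enrol, "vm_created": vms})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports one alert, for alice, and stays silent on bob. In production the baseline of known addresses should come from weeks of history rather than the same batch, and vCenter task events for VM creation can be folded in by mapping them to the same VM-creation type so vSphere and Azure are watched by one rule.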

"SaaS applications pose an interesting dilemma for organizations, as there is a gray area of where and who should conduct monitoring to identify issues," the infosec researchers added. "For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent." ®
