Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure

Notorious cyber gang UNC3944 – the crew suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, and plenty more besides – has changed its tactics and is now targeting SaaS applications

According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities have plenty of overlap with attack group variously known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group initially used credential harvesting and SIM swapping attacks in its operations, moved on to ransomware and data theft extortion, but has now shifted to "primarily data theft extortion, without the use of ransomware."

Mandiant claimed it's heard recordings of UNC3944's calls to corporate help desks, during which it attempts social engineering attacks.

"The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant's researchers wrote last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.

UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset.

If help desk staff allowed that reset, the attackers would reset passwords and bypass MFA requirements.

If social engineering doesn’t work, the gang may just threaten its targets.

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant wrote. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

However the crooks entered an org's infrastructure, they would quickly go looking for info on tools like VPNs, virtual desktops, and remote telework utilities that would give persistent access. Access to Okta was another target – being able to mess with that vebdor's single sign-on tools (SSO) gave attackers the ability to create accounts they could use to log into other systems.

VMware's vSphere hybrid cloud management tool was one target of attacks made after compromising SSO tools. Microsoft's Azure was another. Both were targeted so that UC3944 operatives could create virtual machines within an org and use them for their evil activities. Doing so makes sense because an org's own resources will mostly use IP addresses within a range designated as safe.

SaaS is another new frontier for UNC3944.

Mandiant observed the group targeting VMware's vCenter management tool, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and Google Cloud Platform.

Office 365 was another target, helped by a Microsoft tool called Delve that the software giant promotes as helping users "to discover and organize the information that's likely to be most interesting to you right now – across Microsoft 365."

Surprise – it also helps attackers understand what info you value most, and then target that during their raids.

To steal the data, UNC3944 uses synchronization utilities such as Airbyte and Fivetran that shunt info into cloud storage resources they controlled.

Mandiant advised that "Multiple detection opportunities exist to assist with a speedier identification of possible compromise" and recommended "heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices."

"SaaS applications pose an interesting dilemma for organizations, as there is a gray area of where and who should conduct monitoring to identify issues," the infosec researchers added. "For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent." ®