UNC3944 Expands Cyber Operations to SaaS Platforms for Data Theft


Category: Threat Actor Activity | Industry: Global | Source: Mandiant

Mandiant tracks UNC3944, one of the most potent cyber threat groups, and notes its overlaps with known entities such as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The latest findings from Mandiant tie UNC3944's activities to the compromise of Software-as-a-Service (SaaS) applications including vCenter, CyberArk, and Salesforce, and of cloud platforms such as Azure, AWS, and Google Cloud Platform (GCP). Active since at least May 2022, the group has focused on financially motivated attacks that encompass credential harvesting and SIM swapping to facilitate data theft and extortion. Previously, its data extortion efforts involved the use of ransomware, with "ALPHV"/BlackCat being one of the variants utilized. The omission of ransomware does not diminish the threat group's effectiveness, as groups that drop the encryption step typically do so simply to expedite their operations. UNC3944's approach can be ruthless, as Mandiant reports: "Evidence also suggests UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."

Mandiant’s findings reinforce that UNC3944 (along with the groups it overlaps with) employs advanced social engineering techniques to gain initial access to victim networks. Their approach is thorough; as Mandiant writes, "Mandiant observed use of verification information, such as the last four digits of Social Security numbers, dates of birth, manager names, and job titles with associated coworkers. The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate in said attacks." They often manipulate corporate help desks to reset multi-factor authentication (MFA) or bypass security protocols. This group's strategy is marked by the use of detailed personal information about their targets, which aids them in overcoming the verification challenges posed by security teams. Once access is gained, UNC3944 is known for its strategic movement within the compromised networks, leveraging administrative privileges to create and manipulate virtual machines and expand their access to critical cloud and SaaS resources. This includes abusing Okta permissions to escalate privileges and conduct reconnaissance within SaaS applications.

The technical prowess of UNC3944, as outlined by Mandiant, reveals an array of tactics, techniques, and procedures (TTPs) that underscore the group's versatility across the stages of its attack lifecycle. Notably, they engage in SMS phishing, make phone calls to help desks, and execute SIM swapping to compromise victim networks. Upon gaining access, they utilize remote access tools such as AnyDesk, ScreenConnect, and TeamViewer, or leverage publicly accessible virtual machines to maintain persistence. For privilege escalation, they use tools like Mimikatz and secretsdump.py to extract credentials from password vaults. Their internal reconnaissance tactics include employing AdRecon, AdExplorer, and native Windows utilities such as net, ping, and nltest, along with various infostealers to survey the network landscape. As Mandiant notes, "UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance, expanding the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications."
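The Okta self-assignment behaviour described in the two paragraphs above is one of the more detectable steps in this chain, because an account adding itself to many applications in a short window is rarely legitimate. The following is an added example, not code from Mandiant or Anvilogic, that runs a simple windowed check over Okta System Log records; the event type name, the record fields, the tenant user IDs and the log entries are all assumed or constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log event type for adding a user to an app (assumed name).
APP_ASSIGN = "application.user_membership.add"

def _ev(ts, actor_id, actor_login, user_id, app):
    """Minimal constructed Okta System Log record, trimmed to the fields used."""
    return {"published": ts, "eventType": APP_ASSIGN,
            "actor": {"id": actor_id, "alternateId": actor_login},
            "target": [{"type": "User", "id": user_id},
                       {"type": "AppInstance", "displayName": app}]}

# Constructed sample log: one account assigns itself to six apps in seven minutes.
SAMPLE_EVENTS = [
    _ev("2024-06-01T09:00:00Z", "00uATT", "j.doe@example.com", "00uATT", "Salesforce"),
    _ev("2024-06-01T09:02:00Z", "00uATT", "j.doe@example.com", "00uATT", "AWS"),
    _ev("2024-06-01T09:03:00Z", "00uATT", "j.doe@example.com", "00uATT", "Azure"),
    _ev("2024-06-01T09:05:00Z", "00uATT", "j.doe@example.com", "00uATT", "GCP"),
    _ev("2024-06-01T09:06:00Z", "00uATT", "j.doe@example.com", "00uATT", "CyberArk"),
    _ev("2024-06-01T09:07:00Z", "00uATT", "j.doe@example.com", "00uATT", "vCenter"),
    # Help-desk admin assigning someone else: legitimate, not a self-assignment.
    _ev("2024-06-01T09:10:00Z", "00uADM", "helpdesk@example.com", "00uNEW", "Salesforce"),
]

def self_assignments(events):
    """Yield (time, actor_login, app) when the acting user is also the assigned user."""
    for ev in (e for e in events if e.get("eventType") == APP_ASSIGN):
        targets = ev.get("target", [])
        if ev["actor"]["id"] not in {t["id"] for t in targets if t.get("type") == "User"}:
            continue
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        for t in targets:
            if t.get("type") == "AppInstance":
                yield ts, ev["actor"]["alternateId"], t["displayName"]

def detect_mass_self_assignment(events, threshold=5, window_minutes=30):
    """Return {actor_login: sorted apps} for actors self-assigned to >= threshold apps in a window."""
    per_actor, hits, window = defaultdict(list), {}, timedelta(minutes=window_minutes)
    for ts, actor, app in self_assignments(events):
        per_actor[actor].append((ts, app))
    for actor, items in per_actor.items():
        items.sort()  # chronological, so each start index opens a sliding window
        for i, (start, _) in enumerate(items):
            apps = {a for t, a in items[i:] if t - start <= window}
            if len(apps) >= threshold:
                hits[actor] = sorted(apps)
                break
    return hits
```

Tune the threshold to the tenant: an admin provisioning a new hire also appears as `application.user_membership.add`, but the actor and target user differ, so that traffic is excluded by design.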

The threat actors are resourceful. According to Mandiant, "UNC3944 frequently targeted internal help guides and documentation for virtual private networks (VPN), virtual desktop infrastructure (VDI), and remote telework utilities that were available on its victims’ SharePoint sites. UNC3944 abused existing legitimate third-party tooling for remote access to compromised environments." They move laterally using methods such as Remote Desktop Protocol (RDP), valid account credentials, and SSH to extend their reach within compromised environments. To fulfill their mission objectives, they employ data exfiltration tools like Rclone, MegaSync, and Dropbox, and disable system recovery features to hinder remediation efforts. Additionally, they execute batch scripts and Impacket scripts, disable Microsoft Defender, and manipulate system processes to facilitate their operations. The creation of new virtual machines gives them a covert base from which to launch further attacks and coordinate data theft.

The impact of UNC3944’s actions is extensive, with potential ramifications for data security and organizational integrity. Mandiant’s detailed analysis of UNC3944’s tactics, techniques, and procedures provides insights into the threat group's capabilities that are essential for organizational defense. In related news, the suspected leader of the Scattered Spider group, a British national, was arrested in Spain on June 17, 2024. While law enforcement intervention is positive, it is not a signal for defenses to be lowered, as other members can readily fill the void, given the extensive global network of cybercriminals.
