UNC3944's Shifting Tactics: From Phishing to Ransomware Rampage

Category: Threat Actor Activity | Industries: Business Services, Entertainment, Financial, Hospitality, Media, Retail, Telecommunication | Source: Mandiant

A hacking group tracked as "Scattered Spider," "0ktapus," and UNC3944 has quickly been establishing a name for itself, specializing in social engineering and now expanding into sophisticated ransomware attacks. In August 2022, Group-IB reported that the group had impacted over 130 organizations, with 9,931 accounts compromised. A recent report released by Mandiant dives deeper into the group’s operations, noting a shift in monetization strategies and broadened targeting, from telecommunication and business process outsourcer (BPO) companies to industries like hospitality, retail, media, entertainment, and financial services.

UNC3944's tactics include using smishing (SMS phishing) to steal credentials, often followed by calls to victim help desks to obtain multi-factor authentication (MFA) codes or password resets. Mandiant shares that once the attackers obtain "a foothold, UNC3944 often spends significant time searching through internal documentation, resources, and internal chat logs to surface information that could help facilitate escalating privileges and maintaining presence within victim environments." They rely on legitimate software, residential proxy services, and high operational tempos to overwhelm security response teams. UNC3944 excels in stealing large volumes of sensitive data for extortion and displays an understanding of Western business practices.
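One way a defender could watch for the help-desk reset pattern described above is to correlate each reset with the account activity that follows it. The sketch below is an added example, not code from Mandiant or Group-IB; the event schema, the event type names, the function name and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema (ts, user, type, ip) is an assumption,
# not the export format of any particular identity provider.
EVENTS = [
    {"ts": "2023-09-01T08:02:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2023-09-04T08:05:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2023-09-05T14:00:00", "user": "alice", "type": "helpdesk_reset", "ip": None},
    {"ts": "2023-09-05T14:07:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.77"},
    {"ts": "2023-09-05T14:09:00", "user": "alice", "type": "login", "ip": "203.0.113.77"},
    {"ts": "2023-09-06T09:00:00", "user": "bob", "type": "helpdesk_reset", "ip": None},
    {"ts": "2023-09-06T09:10:00", "user": "bob", "type": "login", "ip": "192.0.2.20"},
    {"ts": "2023-09-02T09:00:00", "user": "bob", "type": "login", "ip": "192.0.2.20"},
]

WATCHED = {"login", "mfa_enroll"}  # activity worth checking after a reset


def flag_post_reset_activity(events, window=timedelta(hours=24)):
    """Return (user, type, ip, ts) for logins or MFA enrollments that follow a
    help-desk reset within `window` from an IP the user had not used before."""
    known_ips = {}    # user -> IPs accepted as that user's baseline
    open_resets = {}  # user -> time of the most recent help-desk reset
    alerts = []
    # Events may arrive out of order; same-format ISO strings sort by time.
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "helpdesk_reset":
            open_resets[user] = ts
            continue
        if ev["type"] not in WATCHED or not ev["ip"]:
            continue
        seen = known_ips.setdefault(user, set())
        reset_ts = open_resets.get(user)
        if reset_ts and ts - reset_ts <= window and ev["ip"] not in seen:
            # A user with no baseline is flagged too: nothing vouches for the IP.
            alerts.append((user, ev["type"], ev["ip"], ev["ts"]))
            continue  # keep the suspicious IP out of the baseline
        seen.add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in flag_post_reset_activity(EVENTS):
        print(alert)
```

Because the paragraph notes the use of residential proxy services, an unfamiliar IP on its own is a weak signal; the pairing with a recent help-desk reset is what makes the event worth triage.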

They frequently employ publicly available tools, create publicly accessible virtual machines, and target password managers or privileged access management systems for privilege escalation. UNC3944 also utilizes cloud resources for persistence and lateral movement, posing a significant threat to victim organizations. Their evolving tactics and broadening target base suggest they will continue to adapt and diversify their monetization strategies in the future.

