Cybersecurity experts have identified a shift in tactics by the financially motivated threat actor known as UNC3944. This group has expanded its monetization strategies, now incorporating ransomware deployment as part of its arsenal. Mandiant, a leading threat intelligence firm, has shed light on these evolving tactics.
What sets UNC3944 apart is its growing focus on exfiltrating substantial volumes of sensitive data for extortion purposes. Notably, the group seems to have acquired an understanding of Western business practices, potentially influenced by the geographical composition of its members.
Modus Operandi of UNC3944
Their modus operandi involves a blend of publicly available tools, legitimate software, and malware obtainable through underground forums.
Operating under various aliases such as 0ktapus, Scatter Swine, and Scattered Spider, UNC3944 has been active since early 2022.
Their tactics include phone-based social engineering and SMS-based phishing to harvest valid credentials from employees through deceptive sign-in pages. This mirrors strategies employed by another group called LAPSUS$.
Initially targeting telecom and business process outsourcing (BPO) companies, UNC3944 has broadened its scope to encompass sectors like hospitality, retail, media, entertainment, and financial services.
Exploiting Victim’s Credentials for MFA Codes
One notable characteristic of UNC3944 is its exploitation of victim credentials to impersonate employees during calls to an organization’s service desk. This ploy aims to obtain multi-factor authentication (MFA) codes and password resets, facilitating unauthorized access.
It’s worth mentioning that Okta, a prominent identity and access management company, recently warned its customers about similar attacks. In these incidents, the cybercriminals contacted IT help desks to manipulate support personnel into resetting MFA codes for high-privilege accounts.
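The help-desk pattern described above leaves a trace that defenders can correlate: an MFA factor reset performed by a support operator on someone else's account, followed within hours by a sign-in from an address the account has never used. The following detection sketch is an added example, not code from Mandiant, Okta, or the article; the event names, log fields, and sample records are constructed for illustration and do not follow any vendor's real log schema.

```python
"""Flag help-desk-initiated MFA resets that are followed by a sign-in from a
previously unseen IP address within a short window (added example; log
format and event names are assumptions, not a real identity provider's schema)."""
from datetime import datetime, timedelta

# Assumed event names; map these to your identity provider's real event types.
MFA_RESET_EVENT = "mfa.factor.reset"
LOGIN_EVENT = "user.session.start"

# Constructed sample log records (not real data). 'actor' is who performed the
# action; 'user' is the account it was performed on.
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T09:00:00", "event": LOGIN_EVENT, "user": "jdoe",
     "actor": "jdoe", "ip": "203.0.113.5"},
    {"ts": "2023-09-11T14:02:00", "event": MFA_RESET_EVENT, "user": "admin.kl",
     "actor": "helpdesk.tier1", "ip": "198.51.100.7"},
    {"ts": "2023-09-11T14:20:00", "event": LOGIN_EVENT, "user": "admin.kl",
     "actor": "admin.kl", "ip": "192.0.2.44"},
    {"ts": "2023-09-11T15:00:00", "event": MFA_RESET_EVENT, "user": "jdoe",
     "actor": "helpdesk.tier1", "ip": "198.51.100.7"},
    {"ts": "2023-09-11T16:00:00", "event": LOGIN_EVENT, "user": "jdoe",
     "actor": "jdoe", "ip": "203.0.113.5"},
]

# Constructed list of high-privilege accounts that warrant a higher severity.
PRIVILEGED_USERS = {"admin.kl"}


def _parse(events):
    """Return a copy of the events with parsed timestamps, sorted by time."""
    parsed = []
    for e in events:
        rec = dict(e)
        rec["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(rec)
    return sorted(parsed, key=lambda r: r["ts"])


def find_suspicious_mfa_resets(events, privileged_users, window=timedelta(hours=4)):
    """Correlate on-behalf MFA resets with a follow-on login from a new IP.

    A reset counts only when actor != user (someone else reset the factor).
    'Known' IPs are those the user signed in from before the reset.
    """
    recs = _parse(events)
    alerts = []
    for i, reset in enumerate(recs):
        if reset["event"] != MFA_RESET_EVENT or reset["actor"] == reset["user"]:
            continue
        user = reset["user"]
        known_ips = {p["ip"] for p in recs[:i]
                     if p["event"] == LOGIN_EVENT and p["user"] == user}
        for later in recs[i + 1:]:
            if later["ts"] - reset["ts"] > window:
                break  # outside the correlation window
            if (later["event"] == LOGIN_EVENT and later["user"] == user
                    and later["ip"] not in known_ips):
                alerts.append({
                    "user": user,
                    "reset_by": reset["actor"],
                    "reset_at": reset["ts"].isoformat(),
                    "login_at": later["ts"].isoformat(),
                    "new_ip": later["ip"],
                    "severity": "high" if user in privileged_users else "medium",
                })
                break  # one alert per reset is enough
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_resets(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(alert)
```

In the sample data, the reset on admin.kl is followed eighteen minutes later by a sign-in from an address that account has never used, so it is flagged at high severity; jdoe's reset is followed by a sign-in from a previously seen address and produces no alert. In practice the "known IP" baseline would come from weeks of sign-in history rather than the same log slice, and the window and severity rules would be tuned to the organization's help-desk procedures.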
RECORDSTEALER Malware and EIGHTBAIT Phishing Kit Deployed to Steal Data
UNC3944’s tactics include the distribution of malware such as RECORDSTEALER via fake software downloads and the deployment of phishing kits like EIGHTBAIT to capture credentials. The stolen data is then transmitted to an actor-controlled Telegram channel, and legitimate remote access tools like AnyDesk are employed to maintain access and further their objectives.
The threat actor also utilizes various information stealers (e.g., Atomic, ULTRAKNOT, Meduza) and credential theft tools (e.g., MicroBurst) to obtain privileged access. Additionally, they employ commercial residential proxy services to obscure their origins, conduct extensive reconnaissance, and abuse victim organizations’ cloud resources for malicious purposes, including disabling security software.
UNC3944’s Connections with ALPHV
A noteworthy development is UNC3944’s affiliation with the BlackCat (aka ALPHV or Noberus) ransomware group. This new alliance has enabled them to breach organizations like MGM Resorts and distribute file-encrypting malware. Their operations are characterized by speed and efficiency, with critical systems accessed and large volumes of data exfiltrated within a matter of days.
In the context of ransomware deployment, UNC3944 seems to specifically target business-critical virtual machines and systems, likely aiming to maximize the impact on their victims. This shift underscores the ongoing evolution of their tactics and the need for enhanced cybersecurity measures to counter their threats.