
Cybergang UNC3944 Switches to Using Social Engineering Attacks on SaaS Applications

by Krishi Chowdhary, from Techreport (#6NKP0)
  • Cybersecurity firm Mandiant found that the notorious cybercrime gang UNC3944 is no longer relying on ransomware for extortion.
  • It has transitioned to data exfiltration through social engineering attacks.
  • The group calls company help desks, pretending to be a user and asking them to help reset their MFA. If the employee refuses, the group goes as far as physically threatening the victims.


Notorious cybergang UNC3944 has now turned its attention to SaaS applications. The group has several other aliases, such as 'Octo Tempest,' '0ktapus,' 'Scatter Swine,' and 'Scattered Spider,' and was recently linked with attacks on MGM Entertainment and Snowflake.

The change in tactics was identified by Google Cloud subsidiary Mandiant, which published a blog post saying that the group no longer uses ransomware against its victims as frequently and has instead adopted a new attack technique.

Here's what it does:

  • Members of the group call company help desks, pretending to be their users. They speak fluent English and usually have a copy of the victim's information, which helps them bypass identity checks.
  • Then they make up an excuse and ask for help with resetting their multi-factor authentication (MFA).
  • Once this request is fulfilled, the attackers reset the victim's passwords and bypass MFA protections.
  • If the social engineering attempt fails and the employee refuses to help, the attackers resort to threats. These have included threats to leak personal information online as well as physical threats of harm to the victims or their family members.
  • Next, once they gain access to the organization's infrastructure, they look for information on remote-access tools such as VPNs, virtual desktops, and other remote-working systems.


What Software Is the Group Targeting?

According to Mandiant, it seems like UNC3944's priority right now is to access Okta accounts. If they manage to take over a vendor's single sign-on (SSO), they can create other accounts and use those to log into other systems.

The hacker gang is also targeting VMware's vSphere hybrid cloud management tool and Microsoft Azure. Once the necessary SSO tools are compromised, it creates a virtual machine within the victim's infrastructure and uses it for its own illegal activities. Moreover, since that activity comes from IP addresses the victim treats as secure, the malicious behaviour becomes even more difficult to detect.

Another major target was Office 365, where the attack was carried out with the help of Microsoft's Delve tool. Delve is designed to discover and organize the information a user is most likely to find interesting; in the attackers' hands, it also reveals what an organization values most.

Platforms like AWS, Azure, Google Cloud Platform, and CrowdStrike have been targeted by this cybercrime group.

What Can Be Done to Stop UNC3944?

Although detection is difficult, it's not entirely impossible. Regular methods like firewalls and network flow sensors won't work, but there are other ways.

"Heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices." - Mandiant's recommendation
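As an added example (not from the article, Mandiant, or any vendor), the following script shows what "monitoring MFA re-registrations" from centralized identity logs can look like in practice. It searches a user's event stream for the help-desk-driven chain described above: an administrator wipes the user's MFA factors, a new factor is enrolled from an unfamiliar address, the password is reset, and a fresh session starts, all inside a short window. The log records are constructed for this example and only loosely modelled on Okta System Log entries; the eventType strings, field names, addresses and accounts are assumptions and must be mapped to whatever your own identity provider and SIEM actually emit.

```python
"""
Flag the help-desk MFA-reset chain in a stream of identity-provider events.

Events are dicts with: time (ISO 8601), eventType, actor (who performed the
action), target (the account acted upon) and ip (source of the request).
Field names and eventType values are assumptions for this example; map them
to your own IdP's schema before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The four stages of the chain, in the order the article describes them.
CHAIN = [
    "user.mfa.factor.reset_all",     # help desk wipes the user's factors
    "user.mfa.factor.activate",      # a new factor is enrolled
    "user.account.reset_password",   # the password is reset
    "user.session.start",            # a new session begins
]
DEFAULT_WINDOW = timedelta(hours=2)

# Constructed sample log (not real data): a benign reset for alice, a full
# suspicious chain for bob, and a slow partial chain for carol.
SAMPLE_EVENTS = [
    {"time": "2024-06-01T07:30:00", "eventType": "user.session.start",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "10.1.1.9"},
    {"time": "2024-06-01T08:00:00", "eventType": "user.session.start",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "10.1.1.5"},
    {"time": "2024-06-01T09:00:00", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "alice@example.com", "ip": "10.1.1.50"},
    {"time": "2024-06-01T09:05:00", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "10.1.1.5"},
    {"time": "2024-06-01T10:00:00", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "bob@example.com", "ip": "10.1.1.50"},
    {"time": "2024-06-01T10:04:00", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "203.0.113.7"},
    {"time": "2024-06-01T10:06:00", "eventType": "user.account.reset_password",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "203.0.113.7"},
    {"time": "2024-06-01T10:10:00", "eventType": "user.session.start",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "203.0.113.7"},
    {"time": "2024-06-01T11:00:00", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "carol@example.com", "ip": "10.1.1.50"},
    {"time": "2024-06-01T11:30:00", "eventType": "user.mfa.factor.activate",
     "actor": "carol@example.com", "target": "carol@example.com", "ip": "198.51.100.4"},
    {"time": "2024-06-01T14:00:00", "eventType": "user.account.reset_password",
     "actor": "carol@example.com", "target": "carol@example.com", "ip": "198.51.100.4"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_chains(events, window=DEFAULT_WINDOW):
    """Return one finding per target account that completes the full chain
    within `window` of the MFA reset. Partial chains are not reported."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    findings = []
    for user, evs in by_target.items():
        evs.sort(key=lambda e: parse_ts(e["time"]))
        for i, start in enumerate(evs):
            if start["eventType"] != CHAIN[0]:
                continue
            t0 = parse_ts(start["time"])
            # Addresses this account signed in from before the reset: the
            # baseline against which post-reset activity is compared.
            known_ips = {e["ip"] for e in evs[:i]
                         if e["eventType"] == "user.session.start"}
            stage, matched, seen_ips = 1, [start], set()
            for e in evs[i + 1:]:
                if parse_ts(e["time"]) - t0 > window:
                    break                       # chain too slow: stop looking
                if e["eventType"] == CHAIN[stage]:
                    matched.append(e)
                    seen_ips.add(e["ip"])
                    stage += 1
                    if stage == len(CHAIN):
                        break
            if stage == len(CHAIN):
                findings.append({
                    "user": user,
                    "reset_by": start["actor"],
                    "started": start["time"],
                    "completed": matched[-1]["time"],
                    "known_ips": known_ips,
                    "new_ips": seen_ips - known_ips,
                })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"{f['user']}: MFA reset by {f['reset_by']} at {f['started']}, "
              f"chain completed {f['completed']}, new source IPs {sorted(f['new_ips'])}")
```

Run against the sample log, only bob's account is reported: the reset, re-enrollment, password reset and new sign-in all land within ten minutes, and every post-reset step comes from an address never seen in his earlier sessions. Alice's reset is followed by a re-enrollment from her usual address and nothing else, and carol's chain stalls for hours and never completes, so neither is flagged. The window and the requirement for a complete chain are the tuning knobs; a SOC would typically also alert on partial chains at lower severity and correlate the finding with the VM-creation and device-enrollment logs Mandiant mentions.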

It's well worth noting that this needs to be done as soon as possible because UNC3944 is getting stronger and better as we speak.

Mandiant warned that the gang is covering its tracks by encrypting self-created VMs or destroying data, which is making detection and prevention more difficult with each passing day.

The post Cybergang UNC3944 Switches to Using Social Engineering Attacks on SaaS Applications appeared first on The Tech Report.

External Content
Source RSS or Atom Feed
Feed Location https://techreport.com/feed/
Feed Title Techreport
Feed Link https://techreport.com/