Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks

Sep 18, 2023 THN Threat Intelligence / Ransomware

The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion of its monetization strategies, Mandiant has revealed.

“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,” the threat intelligence firm said.

“UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums.”

The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees’ valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.


While the group initially focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.

A key hallmark of the threat actors is that they are known to leverage a victim’s credentials to impersonate the employee on calls to the organization’s service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets.

It is worth noting that Okta, earlier this month, warned customers of the same attacks, with the e-crime gang calling the victims’ IT help desks to trick support personnel into resetting the MFA codes for employees with high privileges, allowing them to gain access to these valuable accounts.
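As an added illustration (not from the Mandiant report or the THN article), here is a detection rule a defender might run over identity-provider audit logs for the help-desk MFA-reset pattern described above: a reset performed by someone other than the account owner, followed shortly by a new factor enrollment or sign-in. The event names, field names, privileged-user list, and sample events are constructed assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not real data). Field names
# are assumptions, not any vendor's schema: a help-desk actor resets a user's MFA,
# then that user enrolls a new factor and signs in shortly afterwards.
SAMPLE_EVENTS = [
    {"ts": "2023-09-11T09:02:00", "actor": "helpdesk.agent1", "event": "mfa.factor.reset",
     "target": "j.doe"},
    {"ts": "2023-09-11T09:10:00", "actor": "j.doe", "event": "mfa.factor.enroll",
     "target": "j.doe", "ip": "203.0.113.7"},
    {"ts": "2023-09-11T09:12:00", "actor": "j.doe", "event": "user.session.start",
     "target": "j.doe", "ip": "203.0.113.7"},
    {"ts": "2023-09-11T11:00:00", "actor": "helpdesk.agent2", "event": "mfa.factor.reset",
     "target": "a.smith"},
    {"ts": "2023-09-12T14:00:00", "actor": "a.smith", "event": "user.session.start",
     "target": "a.smith", "ip": "198.51.100.3"},
]

# Assumed set of high-privilege accounts whose resets deserve the highest severity.
PRIVILEGED_USERS = {"j.doe"}

# Events that, right after a third-party reset, indicate the new factor is being used.
FOLLOWUP_EVENTS = {"mfa.factor.enroll", "user.session.start"}


def detect_helpdesk_reset_followed_by_access(events, window=timedelta(minutes=60),
                                             privileged=PRIVILEGED_USERS):
    """Return alerts for MFA resets performed by someone other than the account owner
    that are followed, within `window`, by a new factor enrollment or a sign-in."""
    alerts = []
    for reset in events:
        if reset["event"] != "mfa.factor.reset" or reset["actor"] == reset["target"]:
            continue  # self-service resets are out of scope for this rule
        t0 = datetime.fromisoformat(reset["ts"])
        user = reset["target"]
        followups = [e for e in events
                     if e["target"] == user and e["event"] in FOLLOWUP_EVENTS
                     and t0 < datetime.fromisoformat(e["ts"]) <= t0 + window]
        if followups:
            alerts.append({
                "user": user,
                "reset_by": reset["actor"],
                "severity": "high" if user in privileged else "medium",
                "followup_events": [e["event"] for e in followups],
                "source_ips": sorted({e["ip"] for e in followups if e.get("ip")}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_reset_followed_by_access(SAMPLE_EVENTS):
        print(alert)
```

The rule fires for j.doe (reset, enrollment and sign-in within an hour) but not for a.smith, whose next sign-in is a day later; tuning the window and pairing the alert with a callback to the employee on a known number is the usual follow-up.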

In one instance, an employee is said to have installed the RECORDSTEALER malware via a fake software download, which subsequently facilitated credential theft. The rogue sign-in pages, designed using phishing kits such as EIGHTBAIT and others, are capable of sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.

The adversary has also been observed using a variety of information stealers (e.g., Atomic, ULTRAKNOT or Meduza, and Extra) and credential theft tools (e.g., MicroBurst) to obtain the privileged access necessary to meet its goals and expand its operations.

Part of UNC3944’s activity includes the use of commercial residential proxy services to access their victims to evade detection and legitimate remote access software, as well as conducting extensive directory and network reconnaissance to help escalate privileges and maintain persistence.


Also noteworthy is its abuse of the victim organization’s cloud resources to host malicious utilities to disable firewall and security software and deliver them to other endpoints, underscoring the hacking group’s evolving tradecraft.

The latest findings come as the group is suspected to have emerged as an affiliate for the BlackCat (aka ALPHV or Noberus) ransomware crew, taking advantage of its new-found status to breach MGM Resorts and distribute the file-encrypting malware.

However, the BlackCat ransomware group has since called out media outlets for “falsely reporting events that never happened” and said that it “did not attempt to tamper with MGM’s slot machines to spit out money.” It also labeled reports about “teenagers” from the U.S. and U.K. breaking into MGM Resorts as “rumors.”

“The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a course of a few days,” Mandiant pointed out.

“When deploying ransomware, the threat actors appear to specifically target business-critical virtual machines and other systems, likely in an attempt to maximize impact to the victim.”

(The story has been updated after publication to include a statement shared by BlackCat on its dark web portal disputing claims of the attack on MGM Resorts.)



Author: data@thehackernews.com (The Hacker News)
Date: 2023-09-17 23:16:00
