Financially Motivated UNC3944 Risk Actor Shifts Focus to Ransomware Assaults

Sep 18, 2023THNRisk Intelligence / Ransomware

The financially motivated menace actor often called UNC3944 is pivoting to ransomware deployment as a part of an growth to its monetization methods, Mandiant has revealed.

“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,” the menace intelligence agency said.

“UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums.”

The group, additionally identified by the names 0ktapus, Scatter Swine, and Scattered Spider, has been energetic since early 2022, adopting phone-based social engineering and SMS-based phishing to acquire workers’ legitimate credentials utilizing bogus sign-in pages and infiltrate sufferer organizations, mirroring techniques adopted by one other group known as SLIP$.

Cybersecurity

Whereas the group initially centered on telecom and enterprise course of outsourcing (BPO) corporations, it has since expanded its concentrating on to incorporate hospitality, retail, media and leisure, and monetary companies, illustrative of the rising menace.

A key hallmark of the menace actors is that they’re identified to leverage a sufferer’s credentials to impersonate the worker on calls to the group’s service desk in an try and acquire multi-factor authentication (MFA) codes and/or password resets.

It is value noting that Okta, earlier this month, warned clients of the identical assaults, with the e-crime gang calling the victims’ IT assist desks to trick assist personnel into resetting the MFA codes for workers with excessive privileges, permitting them to realize entry to these beneficial accounts.

In a single occasion, an worker is claimed to have put in the RECORDSTEALER malware by way of a faux software program obtain, which subsequently facilitated credential theft. The rogue sign-in pages, designed utilizing phishing kits comparable to EIGHTBAIT and others, are able to sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.

The adversary has additionally been noticed utilizing a wide range of info stealers (e.g., Atomic, ULTRAKNOT or Meduzaand Further) and credential theft instruments (e.g., MicroBurst) to acquire the privileged entry mandatory to fulfill its targets and increase its operations.

A part of UNC3944’s exercise contains the usage of industrial residential proxy companies to entry their victims to evade detection and legit distant entry software program, in addition to conducting in depth listing and community reconnaissance to assist escalate privileges and keep persistence.

UPCOMING WEBINAR

AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks

Able to sort out new AI-driven cybersecurity challenges? Be a part of our insightful webinar with Zscaler to deal with the rising menace of generative AI in cybersecurity.

Supercharge Your Skills

Additionally noteworthy is its abuse of the sufferer group’s cloud sources to host malicious utilities to disable firewall and safety software program and ship them to different endpoints, underscoring the hacking group’s evolving tradecraft.

The newest findings come because the group is suspected to have emerged as an affiliate for the BlackCat (aka ALPHV or Noberus) ransomware crew, benefiting from its new-found standing to breach MGM Resorts and distribute the file-encrypting malware.

Nevertheless, the BlackCat ransomware group has since known as out media shops for “falsely reporting events that never happened” and that it “did not attempt to tamper with MGM’s slot machines to spit out money.” It additionally labeled reviews about “teenagers” from the U.S. and U.Ok. breaking into MGM Resorts as “rumors.”

“The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a course of a few days,” Mandiant identified.

“When deploying ransomware, the threat actors appear to specifically target business-critical virtual machines and other systems, likely in an attempt to maximize impact to the victim.”

(The story has been up to date after publication to incorporate a press release shared by BlackCat on its darkish internet portal disputing claims of the assault on MGM Resorts.)

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.


Author: data@thehackernews.com (The Hacker Information)
Date: 2023-09-17 23:16:00

Source link

spot_imgspot_img

Subscribe

Related articles

Insurers Use Claims Knowledge to Suggest Cybersecurity Applied sciences

Companies utilizing a managed detection and response (MDR) supplier...

Biometric fee playing cards launching in Japan, Turkey

Biometric fee playing cards and entry playing cards from...

Aussie knowledge breach report exposes provide chain dangers – Supply: www.cybertalk.org

EXECUTIVE SUMMARY: Roughly 60% of Australian organizations lack a complete...

FTC Slams Avast with $16.5 Million Effective for Promoting Customers’ Looking Information

Feb 23, 2024NewsroomPrivateness / Regulatory Compliance The U.S. Federal Commerce...
spot_imgspot_img
Alina A, Toronto
Alina A, Torontohttp://alinaa-cybersecurity.com
Alina A, an UofT graduate & Google Certified Cyber Security analyst, currently based in Toronto, Canada. She is passionate for Research and to write about Cyber-security related issues, trends and concerns in an emerging digital world.

LEAVE A REPLY

Please enter your comment!
Please enter your name here