UNC3944, a hacking group also known as “0ktapus” and “Scattered Spider” has pivoted to targeting Software-as-a-Service (SaaS) applications, according to Google Cloud’s Mandiant threat intelligence team. The group, linked to previous incidents involving companies such as Snowflake and MGM Entertainment, has modified its attack strategies and is now concentrating on data theft extortion.
UNC3944 exploits legitimate third-party tools for remote access and leverages Okta permissions to broaden their intrusion scope. A notable feature of these intrusions involves creating new virtual machines in VMware vSphere and Microsoft Azure, utilizing administrative permissions tied through SSO applications for subsequent activities.
Commonly available utilities help reconfigure virtual machines (VM), deactivate security protocols, and download tools such as Mimikatz and ADRecon, a tool that extracts and combines various artifacts out of an Active Directory AD/Microsoft Entra ID environment.
New Attack Methods
In the past, UNC3944 focused on various techniques. Over time, their repertoire has grown to include ransomware and extortion centered on stealing data. The group has been active since at least May 2022, advancing their tactics to include resilience mechanisms against virtualization platforms and lateral movement by abusing SaaS permissions.
They have also employed SMS phishing to reset passwords and bypass multi-factor authentication (MFA). Once inside, UNC3944 conducts thorough reconnaissance of Microsoft applications like SharePoint to understand remote connection needs.
Analysis by Google Cloud’s Mandiant threat intelligence team shows the group’s current primary activity is data theft without the use of ransomware. Recordings unveiled expert social engineering tactics, where attackers, proficient in English, utilize detailed personal information to skirt identity checks by targeting employees with high-level access.
Attackers posing as employees often contact help desks to request multi-factor authentication (MFA) resets for setting up new phones. If the help desk staff complies, attackers can easily bypass MFA and reset passwords. Should social engineering fail, UNC3944 resorts to threats, including doxxing, physical threats, or releasing compromising material to coerce credentials from victims. Once they gain access, the attackers gather information on tools like VPNs, virtual desktops, and remote work utilities to maintain consistent access.
Targeting SaaS and Cloud Platforms
UNC3944 has also been found targeting Okta’s single sign-on (SSO) tools, which allows them to create accounts that facilitate access to multiple systems. Their attacks extend to VMware’s vSphere hybrid cloud management tool and Microsoft Azure, where they create virtual machines for malicious purposes. Using an organization’s resources, the attackers operate within a trusted IP address range, complicating detection.
Additional targets include SaaS applications like VMware’s vCenter, CyberArk, Salesforce, CrowdStrike, Amazon Web Services (AWS), and Google Cloud. Office 365 is another point of focus, with attackers utilizing Microsoft’s Delve tool to identify valuable information. To exfiltrate data, they use synchronization utilities such as Airbyte and Fivetran to transfer information to their own cloud storage.
The group has also targeted Active Directory Federation Services (ADFS) to extract certificates and employ Golden SAML attacks for continued access to cloud applications. They leverage Microsoft 365 capabilities like Office Delve for quick reconnaissance and data mining. Mandiant advises deploying host-based certificates with MFA for VPN access, implementing stricter conditional access policies, and enhancing monitoring for SaaS apps.
Consolidating logs from crucial SaaS applications and monitoring virtual machine setups can identify potential breaches.
Last Updated on November 7, 2024 3:57 pm CET
