Saturday , June 21 2025

MGM hacker hit at least 100 organizations

Mandiant, which is owned by Google, reports that the group behind the recent MGM Resorts hack is now targeting more victims and exploring new ways of making money.

This hacking group, known by various names such as UNC3944, 0ktapus, Scatter Swine, and Scattered Spider, has successfully infiltrated over 100 organizations, primarily in the United States and Canada. The group is known for their SMS phishing campaigns (also known as smishing), however, they have been actively developing their expertise and expanding their collection of tools. As a result, they are anticipated to soon start focusing on a wider range of industries.

Russia detects first SuperCard malware attacks via NFC

Russian cybersecurity experts discovered the first local data theft attacks using a modified version of legitimate near field communication (NFC)...
Read More
Russia detects first SuperCard malware attacks via NFC

Income Property Investments exposes 170,000+ Individuals record

Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
Read More
Income Property Investments exposes 170,000+ Individuals record

ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
Read More
ALERT (CVE: 2023-28771)  Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

CISA Flags Active Exploits in Apple iOS and TP-Link Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
Read More
CISA Flags Active Exploits in Apple iOS and TP-Link Routers

10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

SafetyDetectives’ Cybersecurity Team discovered a public post on a clear web forum in which a threat actor claimed to have...
Read More
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems

WestJet, Canada's second-largest airline, is looking into a cyberattack that has affected some internal systems during its response to the...
Read More
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems

Paraguay 7.4 Million Citizen Records Leaked on Dark Web

Resecurity found 7.4 million records of Paraguayan citizens' personal information leaked on the dark web today. Last week, cybercriminals attempted...
Read More
Paraguay 7.4 Million Citizen Records Leaked on Dark Web

High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation

HashiCorp has revealed a critical vulnerability in its Nomad tool that may let attackers gain higher privileges by misusing the...
Read More
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation

SoftBank: Over 137,000 personal info leaked

SoftBank has disclosed that personal information of more than 137,000 mobile subscribers—covering names, addresses, and phone numbers—might have been leaked...
Read More
SoftBank: Over 137,000 personal info leaked

Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code

Serious security vulnerabilities in Trend Micro Apex One could allow attackers to inject malicious code and elevate their privileges within...
Read More
Alert  Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code

Additionally, Mandiant observed a significant change in the group’s tactics in mid-2023, as they began focusing on deploying ransomware, a potentially lucrative endeavor. In some attacks, the hackers used the ALPHV (BlackCat) ransomware. However, Mandiant believes that they may also utilize other types of ransomware and develop new ways to make more money in the future.

Since late 2021, the threat actor has been actively engaging in smishing in order to acquire legitimate employee credentials. They then proceed to contact the targeted organization’s help desk, posing as the employees, in order to obtain multi-factor authentication (MFA) codes or to reset account passwords.

The hacking group has been observed giving different types of verification information that the help desk asked for, such as personally identifiable information (PII), employee ID, and username.

UNC3944 uses phishing pages that appear legitimate. These pages often mimic service desk or single sign-on (SSO) interfaces. This technique makes the phishing attempts more convincing by using information obtained from the victim’s network access.

Since 2021, the group has used at least three phishing kits. These include EightBait, which can deploy AnyDesk to victims’ systems, as well as two phishing kits that were built using a targeted organization’s webpage. These two kits have few code changes between them.

The group not only engaged in smishing and social engineering, but they were also found to be utilizing a credential harvesting tool. They went to great lengths to meticulously search a victim’s internal systems, in order to discover valid login information. Additionally, they employed publicly available tools to harvest credentials from internal GitHub repositories, and took advantage of the open source tool MicroBurst to uncover Azure credentials and secrets.

Mandiant has determined that UNC3944 is utilizing information stealers to gather credentials, which include Ultraknot (also known as Meduza stealer), Vidar, and Atomic.

UNC3944 intrusions are characterized by their innovative, tenacious, and progressively successful attacks on victims’ cloud resources. This straAccording to Mandiant, tegy allows threat actors to gain a initial position for future actions, conduct network and directory reconnaissance, and access sensitive systems and data stores.

Mandiant found that UNC3944 used Microsoft Entra to access restricted resources and create virtual machines for unmonitored access. They also abused Azure Data Factory to steal data and used victims’ cloud environments to host malicious tools and move around.

UNC3944 is a rapidly evolving threat that constantly enhances its skills and tactics to successfully diversify its strategies for monetization. Mandiant notes that it is expected for these threat actors to continuously enhance their skills and utilize underground communities for assistance, in order to make their operations more effective.

Check Also

FortiGate

Hackers retain access to patched FortiGate VPNs using symlinks

Recent incidents continue to bring this into focus with active exploitations of known vulnerabilities as …

Leave a Reply

Your email address will not be published. Required fields are marked *