Mandiant, which is owned by Google, reports that the group behind the recent MGM Resorts hack is now targeting more victims and exploring new ways of making money.
This hacking group, known by various names such as UNC3944, 0ktapus, Scatter Swine, and Scattered Spider, has successfully infiltrated over 100 organizations, primarily in the United States and Canada. The group is known for their SMS phishing campaigns (also known as smishing), however, they have been actively developing their expertise and expanding their collection of tools. As a result, they are anticipated to soon start focusing on a wider range of industries.
Additionally, Mandiant observed a significant change in the group’s tactics in mid-2023, as they began focusing on deploying ransomware, a potentially lucrative endeavor. In some attacks, the hackers used the ALPHV (BlackCat) ransomware. However, Mandiant believes that they may also utilize other types of ransomware and develop new ways to make more money in the future.
Since late 2021, the threat actor has been actively engaging in smishing in order to acquire legitimate employee credentials. They then proceed to contact the targeted organization’s help desk, posing as the employees, in order to obtain multi-factor authentication (MFA) codes or to reset account passwords.
The hacking group has been observed giving different types of verification information that the help desk asked for, such as personally identifiable information (PII), employee ID, and username.
UNC3944 uses phishing pages that appear legitimate. These pages often mimic service desk or single sign-on (SSO) interfaces. This technique makes the phishing attempts more convincing by using information obtained from the victim’s network access.
Since 2021, the group has used at least three phishing kits. These include EightBait, which can deploy AnyDesk to victims’ systems, as well as two phishing kits that were built using a targeted organization’s webpage. These two kits have few code changes between them.
The group not only engaged in smishing and social engineering, but they were also found to be utilizing a credential harvesting tool. They went to great lengths to meticulously search a victim’s internal systems, in order to discover valid login information. Additionally, they employed publicly available tools to harvest credentials from internal GitHub repositories, and took advantage of the open source tool MicroBurst to uncover Azure credentials and secrets.
Mandiant has determined that UNC3944 is utilizing information stealers to gather credentials, which include Ultraknot (also known as Meduza stealer), Vidar, and Atomic.
UNC3944 intrusions are characterized by their innovative, tenacious, and progressively successful attacks on victims’ cloud resources. This straAccording to Mandiant, tegy allows threat actors to gain a initial position for future actions, conduct network and directory reconnaissance, and access sensitive systems and data stores.
Mandiant found that UNC3944 used Microsoft Entra to access restricted resources and create virtual machines for unmonitored access. They also abused Azure Data Factory to steal data and used victims’ cloud environments to host malicious tools and move around.
UNC3944 is a rapidly evolving threat that constantly enhances its skills and tactics to successfully diversify its strategies for monetization. Mandiant notes that it is expected for these threat actors to continuously enhance their skills and utilize underground communities for assistance, in order to make their operations more effective.