Friday , July 12 2024

MGM hacker hit at least 100 organizations

Mandiant, which is owned by Google, reports that the group behind the recent MGM Resorts hack is now targeting more victims and exploring new ways of making money.

This hacking group, known by various names such as UNC3944, 0ktapus, Scatter Swine, and Scattered Spider, has successfully infiltrated over 100 organizations, primarily in the United States and Canada. The group is known for their SMS phishing campaigns (also known as smishing), however, they have been actively developing their expertise and expanding their collection of tools. As a result, they are anticipated to soon start focusing on a wider range of industries.

CVE-2024-5910
Critical Vulnerability Threatens Palo Alto Networks’ Expedition

Palo Alto Networks has issued a critical security advisory outlining numerous vulnerabilities across its product lines, such as PAN-OS, Cortex...
Read More
CVE-2024-5910  Critical Vulnerability Threatens Palo Alto Networks’ Expedition

Vulnerabilities in GitLab Allows Attackers to Execute Unauthorized Pipelines

GitLab has issued a warning about a serious vulnerability in its GitLab Community and Enterprise editions. This vulnerability allows attackers...
Read More
Vulnerabilities in GitLab Allows Attackers to Execute Unauthorized Pipelines

Adobe Issues Critical Security Patches for Various Products

Adobe released security updates to fix several vulnerabilities in their software. These vulnerabilities could be used by cyber attackers to...
Read More
Adobe Issues Critical Security Patches for Various Products

CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

OS command injection vulnerabilities are a preventable type of weakness in software. Manufacturers can eliminate them by taking a secure...
Read More
CISA Warns Hacker Use OS Command Injection Vulnerabilities to Compromise Systems

Pakistan allows spy agency to intercept phone messages, calls

The Pakistan Ministry of Information Technology and Telecommunication has given permission to the Inter-Services Intelligence (ISI) to intercept citizens’ phone...
Read More
Pakistan allows spy agency to intercept phone messages, calls

Citrix Issues Critical Security Advisory for NetScaler

Citrix has warned users about severe vulnerabilities in their widely-used NetScaler products. These vulnerabilities, known as CVE-2024-6235 and CVE-2024-6236, could...
Read More
Citrix Issues Critical Security Advisory for NetScaler

(CVE-2024-38080, CVE-2024-38112)
Microsoft July Patch Tuesday fixes 142 flaws, 4 zero-days

Microsoft's July 2024 Patch Tuesday includes security updates for 142 flaws, including two zero-days that are actively exploited and two...
Read More
(CVE-2024-38080, CVE-2024-38112)  Microsoft July Patch Tuesday fixes 142 flaws, 4 zero-days

EXCLUSIVE
Analysis of 3 Ransomware Threats Active Right Now

Three emerging threats will be discussed below, along with how sandbox analysis can be utilized to detect them proactively. Lockbit...
Read More
EXCLUSIVE  Analysis of 3 Ransomware Threats Active Right Now

AVAST RELEASED DECRYPTOR FOR DONEX RANSOMWARE

Avast researchers found a security flaw in the DoNex ransomware and its previous versions, which allowed them to create a...
Read More
AVAST RELEASED DECRYPTOR FOR DONEX RANSOMWARE

Critical Security Advisory for Apache CloudStack

The Apache Software Foundation has warned about two serious security issues (CVE-2024-38346 and CVE-2024-39864) in Apache CloudStack, a popular open-source...
Read More
Critical Security Advisory for Apache CloudStack

Additionally, Mandiant observed a significant change in the group’s tactics in mid-2023, as they began focusing on deploying ransomware, a potentially lucrative endeavor. In some attacks, the hackers used the ALPHV (BlackCat) ransomware. However, Mandiant believes that they may also utilize other types of ransomware and develop new ways to make more money in the future.

Since late 2021, the threat actor has been actively engaging in smishing in order to acquire legitimate employee credentials. They then proceed to contact the targeted organization’s help desk, posing as the employees, in order to obtain multi-factor authentication (MFA) codes or to reset account passwords.

The hacking group has been observed giving different types of verification information that the help desk asked for, such as personally identifiable information (PII), employee ID, and username.

UNC3944 uses phishing pages that appear legitimate. These pages often mimic service desk or single sign-on (SSO) interfaces. This technique makes the phishing attempts more convincing by using information obtained from the victim’s network access.

Since 2021, the group has used at least three phishing kits. These include EightBait, which can deploy AnyDesk to victims’ systems, as well as two phishing kits that were built using a targeted organization’s webpage. These two kits have few code changes between them.

The group not only engaged in smishing and social engineering, but they were also found to be utilizing a credential harvesting tool. They went to great lengths to meticulously search a victim’s internal systems, in order to discover valid login information. Additionally, they employed publicly available tools to harvest credentials from internal GitHub repositories, and took advantage of the open source tool MicroBurst to uncover Azure credentials and secrets.

Mandiant has determined that UNC3944 is utilizing information stealers to gather credentials, which include Ultraknot (also known as Meduza stealer), Vidar, and Atomic.

UNC3944 intrusions are characterized by their innovative, tenacious, and progressively successful attacks on victims’ cloud resources. This straAccording to Mandiant, tegy allows threat actors to gain a initial position for future actions, conduct network and directory reconnaissance, and access sensitive systems and data stores.

Mandiant found that UNC3944 used Microsoft Entra to access restricted resources and create virtual machines for unmonitored access. They also abused Azure Data Factory to steal data and used victims’ cloud environments to host malicious tools and move around.

UNC3944 is a rapidly evolving threat that constantly enhances its skills and tactics to successfully diversify its strategies for monetization. Mandiant notes that it is expected for these threat actors to continuously enhance their skills and utilize underground communities for assistance, in order to make their operations more effective.

Check Also

CISA

CISA Releases Resource Guide for University Cybersecurity Clinics

CISA released a Resource Guide for Cybersecurity Clinics today. This guide explains how CISA can …

Leave a Reply

Your email address will not be published. Required fields are marked *