Thursday , October 10 2024

MGM hacker hit at least 100 organizations

Mandiant, which is owned by Google, reports that the group behind the recent MGM Resorts hack is now targeting more victims and exploring new ways of making money.

This hacking group, known by various names such as UNC3944, 0ktapus, Scatter Swine, and Scattered Spider, has successfully infiltrated over 100 organizations, primarily in the United States and Canada. The group is known for their SMS phishing campaigns (also known as smishing), however, they have been actively developing their expertise and expanding their collection of tools. As a result, they are anticipated to soon start focusing on a wider range of industries.

Palo Alto Networks issues fix for security flaws, Including CVE-2024-9463

Palo Alto Networks released a security advisory (PAN-SA-2024-0010) about several high-severity vulnerabilities in its Expedition migration tool, with CVSS scores...
Read More
Palo Alto Networks issues fix for security flaws, Including CVE-2024-9463

Microsoft October 2024 Patch: 5 Zero-Days, 118 flaw

In its recent Patch Tuesday release, Microsoft fixed 118 vulnerabilities, including five zero-day flaws, two of which are currently being...
Read More
Microsoft October 2024 Patch: 5 Zero-Days, 118 flaw

BD CIRT alert
Lumma C2 malware attack Bangladeshi several websites

The Cyber Threat Intelligence (CTI) Unit at BGD e-GOV CIRT has discovered a malware campaign involving the Lumma Stealer family....
Read More
BD CIRT alert  Lumma C2 malware attack Bangladeshi several websites

Qualcomm Patched Multi Flaws, Including 0-day

Qualcomm's October 2024 Security Bulletin reveals critical vulnerabilities in several chipsets, including the popular Snapdragon mobile platforms and FastConnect solutions....
Read More
Qualcomm Patched Multi Flaws, Including 0-day

BD CIRT announce “Cyber Drill 2024”: Registration open

BGD e-GOV CIRT is excited to announce the Financial Institutions and Critical Information Infrastructure (CII) Cyber Drill 2024, designed for...
Read More
BD CIRT announce “Cyber Drill 2024”: Registration open

First Half Of 2024 Report
Bangladeshi 32.4% government websites face cyber attack: NAS report

National Attack Surface (NAS) report for the first half of 2024 reveals that 56.6% of cyberattacks in Bangladesh targeted educational...
Read More
First Half Of 2024 Report  Bangladeshi 32.4% government websites face cyber attack: NAS report

Prince Ransomware Hits UK and US

A new ransomware campaign is targeting individuals and organizations in the UK and US. The "Prince Ransomware" attack uses a...
Read More
Prince Ransomware Hits UK and US

CISA warns active exploit of Zimbra & Ivanti endpoint manager Vulns

CISA has issued an urgent alert about critical vulnerabilities being exploited in Synacor’s Zimbra Collaboration and Ivanti’s Endpoint Manager (EPM)....
Read More
CISA warns active exploit of Zimbra & Ivanti endpoint manager Vulns

A summary of “2024 State of Cybersecurity survey” by ISACA

ISACA 2024 survey report reveals that 66% of cybersecurity professionals find their jobs more stressful now than five years ago....
Read More
A summary of “2024 State of Cybersecurity survey” by ISACA

ISACA reveals
64% of Australian cybersecurity professionals feel increasing stress

A recent study by ISACA shows that almost two-thirds of cybersecurity professionals report increasing job stress. The 2024 State of...
Read More
ISACA reveals  64% of Australian cybersecurity professionals feel increasing stress

Additionally, Mandiant observed a significant change in the group’s tactics in mid-2023, as they began focusing on deploying ransomware, a potentially lucrative endeavor. In some attacks, the hackers used the ALPHV (BlackCat) ransomware. However, Mandiant believes that they may also utilize other types of ransomware and develop new ways to make more money in the future.

Since late 2021, the threat actor has been actively engaging in smishing in order to acquire legitimate employee credentials. They then proceed to contact the targeted organization’s help desk, posing as the employees, in order to obtain multi-factor authentication (MFA) codes or to reset account passwords.

The hacking group has been observed giving different types of verification information that the help desk asked for, such as personally identifiable information (PII), employee ID, and username.

UNC3944 uses phishing pages that appear legitimate. These pages often mimic service desk or single sign-on (SSO) interfaces. This technique makes the phishing attempts more convincing by using information obtained from the victim’s network access.

Since 2021, the group has used at least three phishing kits. These include EightBait, which can deploy AnyDesk to victims’ systems, as well as two phishing kits that were built using a targeted organization’s webpage. These two kits have few code changes between them.

The group not only engaged in smishing and social engineering, but they were also found to be utilizing a credential harvesting tool. They went to great lengths to meticulously search a victim’s internal systems, in order to discover valid login information. Additionally, they employed publicly available tools to harvest credentials from internal GitHub repositories, and took advantage of the open source tool MicroBurst to uncover Azure credentials and secrets.

Mandiant has determined that UNC3944 is utilizing information stealers to gather credentials, which include Ultraknot (also known as Meduza stealer), Vidar, and Atomic.

UNC3944 intrusions are characterized by their innovative, tenacious, and progressively successful attacks on victims’ cloud resources. This straAccording to Mandiant, tegy allows threat actors to gain a initial position for future actions, conduct network and directory reconnaissance, and access sensitive systems and data stores.

Mandiant found that UNC3944 used Microsoft Entra to access restricted resources and create virtual machines for unmonitored access. They also abused Azure Data Factory to steal data and used victims’ cloud environments to host malicious tools and move around.

UNC3944 is a rapidly evolving threat that constantly enhances its skills and tactics to successfully diversify its strategies for monetization. Mandiant notes that it is expected for these threat actors to continuously enhance their skills and utilize underground communities for assistance, in order to make their operations more effective.

Check Also

CISA

CISA unveils 25 new advisories for Industrial Control Systems

CISA issued 25 ICS advisories on September 12, 2024, detailing current security issues, vulnerabilities, and …

Leave a Reply

Your email address will not be published. Required fields are marked *