Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure
(2024/06/17)
- Reference: 1718606054
- News link: https://www.theregister.co.uk/2024/06/17/unc3944_scattered_spider_tactics_change/
- Source link:
Notorious cyber gang UNC3944 – the crew suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, and plenty more besides – has changed its tactics and is now targeting SaaS applications
According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities have plenty of overlap with attack group variously known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group initially used credential harvesting and SIM swapping attacks in its operations, moved on to ransomware and data theft extortion, but has now shifted to "primarily data theft extortion, without the use of ransomware."
Mandiant claimed it's heard recordings of UNC3944's calls to corporate help desks, during which it attempts social engineering attacks.
[1]
"The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant's researchers [2]wrote last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.
[3]
[4]
UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset.
If help desk staff allowed that reset, the attackers would reset passwords and bypass MFA requirements.
[5]
If social engineering doesn’t work, the gang may just threaten its targets.
"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant wrote. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."
However the crooks entered an org's infrastructure, they would quickly go looking for info on tools like VPNs, virtual desktops, and remote telework utilities that would give persistent access. Access to Okta was another target – being able to mess with that vendor's single sign-on tools (SSO) gave attackers the ability to create accounts they could use to log into other systems.
[6]
VMware's vSphere hybrid cloud management tool was one target of attacks made after compromising SSO tools. Microsoft's Azure was another. Both were targeted so that UC3944 operatives could create virtual machines within an org and use them for their evil activities. Doing so makes sense because an org's own resources will mostly use IP addresses within a range designated as safe.
[7]Pure Storage pwned, claims data plundered by crims who broke into Snowflake workspace
[8]Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in
[9]UnitedHealth CEO: 'Decision to pay ransom was mine'
[10]Miscreants are exploiting enterprise tech zero days more and more, Google warns
SaaS is another new frontier for UNC3944.
Mandiant observed the group targeting VMware's vCenter management tool, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and Google Cloud Platform.
Office 365 was another target, helped by a Microsoft tool called Delve that the software giant [11]promotes as helping users "to discover and organize the information that's likely to be most interesting to you right now – across Microsoft 365."
Surprise – it also helps attackers understand what info you value most, and then target that during their raids.
To steal the data, UNC3944 uses synchronization utilities such as Airbyte and Fivetran that shunt info into cloud storage resources they controlled.
Mandiant advised that "Multiple detection opportunities exist to assist with a speedier identification of possible compromise" and recommended "heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices."
"SaaS applications pose an interesting dilemma for organizations, as there is a gray area of where and who should conduct monitoring to identify issues," the infosec researchers added. "For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent." ®
Get our [12]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/06/11/pure_storage_snowflake_breach/
[8] https://www.theregister.com/2024/05/23/mandiant_cto_scattered_spider/
[9] https://www.theregister.com/2024/04/30/unitedhealth_ceo_ransom/
[10] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/
[11] https://support.microsoft.com/en-au/office/what-is-delve-1315665a-c6af-4409-a28d-49f8916878ca
[12] https://whitepapers.theregister.com/
According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities have plenty of overlap with attack group variously known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group initially used credential harvesting and SIM swapping attacks in its operations, moved on to ransomware and data theft extortion, but has now shifted to "primarily data theft extortion, without the use of ransomware."
Mandiant claimed it's heard recordings of UNC3944's calls to corporate help desks, during which it attempts social engineering attacks.
[1]
"The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant's researchers [2]wrote last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.
[3]
[4]
UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset.
If help desk staff allowed that reset, the attackers would reset passwords and bypass MFA requirements.
[5]
If social engineering doesn’t work, the gang may just threaten its targets.
"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant wrote. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material."
However the crooks entered an org's infrastructure, they would quickly go looking for info on tools like VPNs, virtual desktops, and remote telework utilities that would give persistent access. Access to Okta was another target – being able to mess with that vendor's single sign-on tools (SSO) gave attackers the ability to create accounts they could use to log into other systems.
[6]
VMware's vSphere hybrid cloud management tool was one target of attacks made after compromising SSO tools. Microsoft's Azure was another. Both were targeted so that UC3944 operatives could create virtual machines within an org and use them for their evil activities. Doing so makes sense because an org's own resources will mostly use IP addresses within a range designated as safe.
[7]Pure Storage pwned, claims data plundered by crims who broke into Snowflake workspace
[8]Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in
[9]UnitedHealth CEO: 'Decision to pay ransom was mine'
[10]Miscreants are exploiting enterprise tech zero days more and more, Google warns
SaaS is another new frontier for UNC3944.
Mandiant observed the group targeting VMware's vCenter management tool, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and Google Cloud Platform.
Office 365 was another target, helped by a Microsoft tool called Delve that the software giant [11]promotes as helping users "to discover and organize the information that's likely to be most interesting to you right now – across Microsoft 365."
Surprise – it also helps attackers understand what info you value most, and then target that during their raids.
To steal the data, UNC3944 uses synchronization utilities such as Airbyte and Fivetran that shunt info into cloud storage resources they controlled.
Mandiant advised that "Multiple detection opportunities exist to assist with a speedier identification of possible compromise" and recommended "heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices."
"SaaS applications pose an interesting dilemma for organizations, as there is a gray area of where and who should conduct monitoring to identify issues," the infosec researchers added. "For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent." ®
Get our [12]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnAJSzbXGr3de7rHvMHmHgAAAQo&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/06/11/pure_storage_snowflake_breach/
[8] https://www.theregister.com/2024/05/23/mandiant_cto_scattered_spider/
[9] https://www.theregister.com/2024/04/30/unitedhealth_ceo_ransom/
[10] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days/
[11] https://support.microsoft.com/en-au/office/what-is-delve-1315665a-c6af-4409-a28d-49f8916878ca
[12] https://whitepapers.theregister.com/
Re: Two fundamental failures
Pascal Monett
I cannot upvote you enough.
And yes, OTK tokens are the right answer for all authentication issues. Funny how rarely that is implemented (for a very low value of funny, that is).
Two fundamental failures
[1] " In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks. "
"Identity verification" should include additional out of band challenge/response information that only the helpdesk and the legitimate party have access to (e.g. to ask when the caller signed up to the service).
[2] " UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset. "
No phoned in request for a credentials reset should ever be provided without an additional out of band verification step (e.g. a call back to the user's register phone number with a verification code).
Obviously neither of these is 100% assured as they could be circumvented in principle, but together they come pretty close in the majority of cases.
The big snag here (which is commonplace unfortunately) is that we're still using decades-old (and in some cases, faulty) criteria for identification and authentication, despite the threats having escalated hugely since then. Many people (and organisations) still confuse identifiers and authenticators -- hence a common assumption that biometrics are authenticators, and password creation rules remain as flawed as ever. Most signifcantly though, there's clearly a serious lack of understanding of the basic principles of identity verification which needs to be addressed by much better training. That's obviously a long-term fix, but in the short term there's absolutely no reason why out of band one-time key generation should not be universally adopted as one of the Ms in MFA -- dongles supporting this have been around for decades.