Cyber Group UNC3944 Targets SaaS Platforms like Azure, Salesforce, vSphere, AWS, and Google Cloud
UNC3944, also known as “0ktapus” and “Scattered Spider,” has shifted its focus to attacking Software-as-a-Service (SaaS) applications, as reported by Google Cloud’s Mandiant threat intelligence team. This hacking group, previously linked to incidents involving companies such as Snowflake and MGM Entertainment, has evolved its strategies to concentrate on data theft and extortion. Cyber Group Targets SaaS Platforms
Thank you for reading this post, don't forget to subscribe!Attack Techniques
UNC3944 exploits legitimate third-party tools for remote access and leverages Okta permissions to expand their intrusion capabilities. One notable aspect of their attacks involves creating new virtual machines in VMware vSphere and Microsoft Azure, using administrative permissions linked through SSO applications for further activities.
The group uses commonly available utilities to reconfigure virtual machines (VMs), disable security protocols, and download tools such as Mimikatz and ADRecon, which extract and combine various artifacts from Active Directory (AD) and Microsoft Entra ID environments.
Evolving Methods
Initially, UNC3944 employed a variety of techniques, but over time, their methods have expanded to include ransomware and data theft extortion. Active since at least May 2022, the group has developed resilience mechanisms against virtualization platforms and improved their ability to move laterally by abusing SaaS permissions.
The group also uses SMS phishing to reset passwords and bypass multi-factor authentication (MFA). Once inside, they conduct thorough reconnaissance of Microsoft applications like SharePoint to understand remote connection needs.
According to Google Cloud’s Mandiant team, UNC3944’s primary activity is now data theft without using ransomware. They employ expert social engineering tactics, using detailed personal information to bypass identity checks and target employees with high-level access.
Social Engineering and Threats
Attackers often pose as employees, contacting help desks to request MFA resets for setting up new phones. If help desk staff comply, attackers can easily bypass MFA and reset passwords. If social engineering fails, UNC3944 resorts to threats, including doxxing, physical threats, or releasing compromising material to coerce credentials from victims. Once access is gained, they gather information on tools like VPNs, virtual desktops, and remote work utilities to maintain consistent access.
Targeting SaaS and Cloud Platforms
UNC3944 targets Okta’s single sign-on (SSO) tools, allowing them to create accounts that facilitate access to multiple systems. Their attacks extend to VMware’s vSphere hybrid cloud management tool and Microsoft Azure, where they create virtual machines for malicious purposes. By operating within a trusted IP address range, they complicate detection.
Additional targets include SaaS applications like VMware’s vCenter, CyberArk, Salesforce, CrowdStrike, Amazon Web Services (AWS), and Google Cloud. Office 365 is another focus, with attackers using Microsoft’s Delve tool to identify valuable information. To exfiltrate data, they use synchronization utilities such as Airbyte and Fivetran to transfer information to their own cloud storage.
The group also targets Active Directory Federation Services (ADFS) to extract certificates and employ Golden SAML attacks for continued access to cloud applications. They leverage Microsoft 365 capabilities like Office Delve for quick reconnaissance and data mining.
Recommendations – Cyber Group Targets SaaS Platforms
Mandiant advises deploying host-based certificates with MFA for VPN access, implementing stricter conditional access policies, and enhancing monitoring for SaaS applications. Consolidating logs from crucial SaaS applications and monitoring virtual machine setups can help identify potential breaches.