UNC3944 Is Now Deploying Ransomware Variants

Financially Motivated Hackers Are Diversifying Operations

A financially motivated criminal group that mainly operates on Telegram and underground forums has expanded its arsenal to include ransomware deployment and a range of intrusion techniques aimed at cloud environments, Mandiant researchers warn.


Tracked as UNC3944 and also known as 0ktapus and Scattered Spider, the criminal group began operations in 2021 by offering mobile social engineering kits for credential theft, Mandiant said.

In recent months, the group has diversified its operations to cover the full intrusion lifecycle. This includes previously unseen phishing tactics for initial access, persistence and privilege-escalation techniques in cloud environments, and the deployment of infostealers and ransomware.

In its ransomware campaign, UNC3944 deploys a variant of Alphv (also known as BlackCat) and tends to target the virtual machines that are critical to a victim's operations, to maximize the impact of each attack. The group is also suspected of being behind the MGM Resorts International hack, which has caused ongoing service disruption at the casino operator's properties (see: Caesars Entertainment Reportedly Pays Ransom to Attackers).

"UNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies," the Mandiant researchers said. The group is likely to keep refining its toolset and will likely collaborate with more underground actors to increase the efficiency of its operations.

Among the group's latest phishing kits is a tool the researchers have dubbed EightBait. It sends captured credentials to an attacker-controlled Telegram channel and can also deploy the AnyDesk remote desktop application on the victim's machine, giving the attackers interactive access. Another phishing kit used by the group clones the login pages of victim organizations to dupe employees into entering their credentials, the report says.

Beyond phishing, the group also targets password vault and secrets management software, such as HashiCorp's Vault, to harvest the credentials stored there.

One tactic the attackers use against cloud infrastructure abuses federated identity, the mechanism that lets a single sign-on cover many applications in a victim's Microsoft cloud environment. By controlling a federated identity provider that the victim's tenant trusts, the attackers can forge SAML assertions signed with their own certificate and authenticate as arbitrary users without knowing their passwords, bypassing the normal authentication checks.

Defenders have also observed the group using Azure Data Factory, a data integration service, to pull data out of the platforms it integrates with, such as data warehouses, storage blobs and SQL databases.
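Both cloud tactics described above leave a trail in tenant logs: switching a domain from managed to federated authentication shows up in the Entra ID audit log, and creating or modifying a Data Factory shows up in the Azure activity log. The following triage script is an added example written for this article, not Mandiant's or Microsoft's tooling. The event records are constructed samples whose field and operation names follow the general shape of those two logs, simplified for the example; the exact activity and operation names (assumed here) should be confirmed against the real log schema before use.

```python
"""Flag Entra ID and Azure activity events tied to two UNC3944 cloud tactics:
domain federation changes (the setup step for forged-SAML sign-ins) and
Azure Data Factory changes (a path for moving data out of a tenant).

Example code added to the article; not the vendor's or the researchers' tooling.
"""
from dataclasses import dataclass

# Entra ID audit activities that change how a domain authenticates users.
# Either can turn a managed domain into a federated one whose sign-ins are
# trusted from an attacker-controlled identity provider. Names are assumed;
# check them against your tenant's audit log.
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
}

# Azure Resource Manager operations that create or change a Data Factory or
# the linked services it reads from and writes to (assumed operation names).
DATA_FACTORY_WRITES = {
    "Microsoft.DataFactory/factories/write",
    "Microsoft.DataFactory/factories/pipelines/write",
    "Microsoft.DataFactory/factories/linkedServices/write",
}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {   # a domain is switched to federated authentication by an unexpected actor
        "source": "entra_audit",
        "activityDisplayName": "Set domain authentication",
        "initiatedBy": "helpdesk.contractor@example.com",
        "targetResources": ["example.com"],
        "modifiedProperties": {"AuthenticationType": "Federated"},
    },
    {   # federation signing certificate replaced by a named identity admin
        "source": "entra_audit",
        "activityDisplayName": "Set federation settings on domain",
        "initiatedBy": "idadmin@example.com",
        "targetResources": ["example.com"],
        "modifiedProperties": {"SigningCertificate": "rotated"},
    },
    {   # a new linked service (an external storage sink) added to a Data Factory
        "source": "azure_activity",
        "operationName": "Microsoft.DataFactory/factories/linkedServices/write",
        "caller": "helpdesk.contractor@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                      "/resourceGroups/rg-data/providers/Microsoft.DataFactory"
                      "/factories/adf-prod/linkedServices/extBlob",
    },
    {   # routine change that must not fire
        "source": "entra_audit",
        "activityDisplayName": "Update user",
        "initiatedBy": "idadmin@example.com",
        "targetResources": ["jdoe@example.com"],
        "modifiedProperties": {},
    },
]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    actor: str
    target: str


def check_entra_audit(event, approved_admins):
    """Return a Finding if the event changes domain federation, else None."""
    activity = event.get("activityDisplayName", "")
    if activity not in FEDERATION_ACTIVITIES:
        return None
    actor = event.get("initiatedBy", "unknown")
    domain = ", ".join(event.get("targetResources", []))
    # An unexpected actor is the strongest signal. An approved admin doing it is
    # still reviewed: the admin's account may be the one that was socially engineered.
    severity = "high" if actor not in approved_admins else "medium"
    return Finding(severity, f"domain federation changed ({activity})", actor, domain)


def check_azure_activity(event, approved_admins):
    """Return a Finding if the event creates or changes a Data Factory, else None."""
    operation = event.get("operationName", "")
    if operation not in DATA_FACTORY_WRITES:
        return None
    actor = event.get("caller", "unknown")
    severity = "high" if actor not in approved_admins else "low"
    return Finding(severity, f"Data Factory changed ({operation})", actor,
                   event.get("resourceId", "unknown"))


def triage(events, approved_admins):
    """Run each event through the check for its log source; highest severity first."""
    checks = {"entra_audit": check_entra_audit, "azure_activity": check_azure_activity}
    findings = []
    for event in events:
        check = checks.get(event.get("source"))
        if check is None:
            continue
        finding = check(event, approved_admins)
        if finding is not None:
            findings.append(finding)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])  # stable sort


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"idadmin@example.com"}):
        print(f"[{f.severity}] {f.reason}: {f.actor} -> {f.target}")
```

Run against the samples with `idadmin@example.com` as the only approved identity admin, the script raises two high-severity findings (the contractor account changing domain authentication and adding a Data Factory linked service) and one medium-severity finding for the admin's certificate change, while the routine user update produces nothing. In production the approved set would come from a PIM or change-ticket lookup rather than a hard-coded list.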


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
