
Hackers talk their way in and nestle into SaaS environments, Mandiant says

Cyber gang UNC3944, which cybersecurity firm Mandiant says may be linked to the recent attacks on Snowflake customer environments, is increasingly using social engineering to gain access to SaaS applications. It is also increasingly abusing virtual machines (VMs) inside victims' SaaS and cloud infrastructure.

The threat intelligence team at Google Cloud subsidiary Mandiant reported in a blog post that the group, also tracked as "0ktapus", "Octo Tempest", "Scatter Swine" and "Scattered Spider", now resorts to ransomware for extortion less often. Instead, the criminals simply pick up the phone and call company help desks. They pose as legitimate users, speak fluent English and often already hold personal information about the employee they impersonate, which lets them pass the help desk's identity checks.

In such calls, gang members claim they need their multi-factor authentication (MFA) reset, for example under the pretext that they have a new phone. When help desk staff comply, the attackers register their own device as the account's MFA factor, reset the password and so bypass the MFA protection entirely.

Scare and threaten

If the help desk does not buy the story, the hackers turn to intimidation. They threaten to doxx their targets (publish personal information online) or leak compromising material, and they do not shy away from physical threats, promising to harm the employee or their family.

Once inside an organization's infrastructure, the attackers hunt for information on VPNs, virtual desktops and other remote-working tools to secure long-term access. Their priority seems to be reaching Okta's single sign-on (SSO), since from there they can create accounts and pivot into other systems.

Okta permissions abused

According to Mandiant, UNC3944 abused Okta permissions to self-assign a compromised account to applications in the Okta instance. That let the criminals expand an initial on-premises intrusion into the victim's cloud and SaaS applications, a form of privilege escalation. The application tiles visible in the Okta end-user portal also gave them a quick overview of which tools the company uses.

UNC3944 also targets VMware vSphere and Microsoft Azure. After compromising the relevant SSO accounts, the gang creates its own VMs inside the victim's environment. Because these run on internal IP addresses that the organization treats as trusted, the malicious activity is harder to spot.

Real-time detection is difficult

Mandiant argues that traditional on-premises controls such as firewalls and network flow sensors are poorly placed to detect large data transfers out of SaaS platforms, because SaaS-to-SaaS and SaaS-to-cloud traffic never crosses the corporate network. Detecting data theft in real time is therefore hard, although retrospective analysis of SaaS and cloud logs can still reveal such incidents.

Additionally, the criminals target other SaaS platforms and tools, including vCenter (also from VMware), CyberArk, Salesforce, CrowdStrike, AWS, Google Cloud Platform and Office 365. The group uses Microsoft's Delve tool to identify information it considers valuable. Delve lets legitimate employees quickly see which documents in an Office 365 environment they can access, and it also aggregates e-mails and chat conversations, among other things. That makes it possible to build a picture of who works with whom inside an organization.

Cloud services as criminal repositories

This is gold for malicious actors, who then use data-synchronization utilities such as Airbyte and Fivetran to replicate the captured information to cloud storage under their own control, for example S3 (Simple Storage Service) buckets in Amazon Web Services. Google Cloud Platform is also used as a repository for stolen data.

Mandiant says the group is getting better at covering its tracks, for instance by encrypting the VMs it created or destroying data. Although Mandiant has not observed ransomware deployment by UNC3944 since early 2024, the firm says the group remains capable of it.

Unsurprisingly, Mandiant advises organizations to counter these tactics by hardening their SaaS applications and centralizing the logs of key SaaS platforms, MFA re-registrations and VM infrastructure so that intruders can be spotted quickly. More generally, it recommends robust logging, especially for applications that hold proprietary or sensitive data, so that signs of malicious activity can be identified at least after the fact.
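What "centralizing MFA re-registration logs" buys you in practice, as an added example that is not Mandiant's code nor from the original article: two small detections run over Okta System Log export lines, one for the help-desk MFA-reset pretext (an administrative factor reset followed shortly by the user activating a new factor from an IP that user has never used) and one for the Okta application self-assignment described above (the actor of an `application.user_membership.add` event is the same account that is being added). The log lines are constructed for this example; the field names and event type strings follow Okta's System Log conventions, but treat the exact event names and the two-hour window as assumptions to verify against your own tenant.

```python
"""Sample detections for the Okta-centred tradecraft described in the article.
Added example; the events below are constructed, not real tenant data."""
import json
from datetime import datetime, timedelta

# Constructed Okta System Log export (JSON lines). Field layout follows Okta's
# System Log schema (actor / target / client / outcome); real events carry many
# more fields and, for app membership, an extra "AppUser" target.
SAMPLE_LOG = """
{"published":"2024-06-01T07:00:00.000Z","eventType":"user.session.start","actor":{"type":"User","alternateId":"carol@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}],"client":{"ipAddress":"203.0.113.22"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T08:00:00.000Z","eventType":"user.session.start","actor":{"type":"User","alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T09:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"type":"User","alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"10.1.1.5"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T09:05:00.000Z","eventType":"user.account.reset_password","actor":{"type":"User","alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"10.1.1.5"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T09:12:00.000Z","eventType":"user.mfa.factor.activate","actor":{"type":"User","alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T09:20:00.000Z","eventType":"application.user_membership.add","actor":{"type":"User","alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"},{"type":"AppInstance","alternateId":"Salesforce"}],"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T10:00:00.000Z","eventType":"application.user_membership.add","actor":{"type":"User","alternateId":"okta-admin@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"},{"type":"AppInstance","alternateId":"Slack"}],"client":{"ipAddress":"10.1.1.9"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T11:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"type":"User","alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}],"client":{"ipAddress":"10.1.1.5"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-01T11:30:00.000Z","eventType":"user.mfa.factor.activate","actor":{"type":"User","alternateId":"carol@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}],"client":{"ipAddress":"203.0.113.22"},"outcome":{"result":"SUCCESS"}}
"""

ADMIN_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def load_events(text):
    """Parse JSON-lines export, attach a datetime, and sort chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])


def _user_target(event):
    return next((t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"), None)


def detect_mfa_reenrollment(events, window=timedelta(hours=2)):
    """Rule 1: someone other than the user wipes the user's MFA factors, and within
    `window` the user activates a new factor from an IP that identity never acted
    from before. A help-desk reset for a genuinely new phone usually comes from a
    known network; a new IP straight after the reset is the attacker's device."""
    findings = []
    seen_ips = {}          # identity -> set of source IPs it has acted from so far
    pending_resets = {}    # user -> (reset time, identity that performed the reset)
    for e in events:
        et, user = e["eventType"], _user_target(e)
        actor, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        if et in ADMIN_RESET_EVENTS and actor != user:
            pending_resets[user] = (e["_ts"], actor)
        elif et == "user.mfa.factor.activate" and user in pending_resets:
            reset_ts, reset_by = pending_resets.pop(user)
            if e["_ts"] - reset_ts <= window and ip not in seen_ips.get(user, set()):
                findings.append({"rule": "okta_mfa_reset_then_new_device", "user": user,
                                 "reset_by": reset_by, "reset_at": reset_ts.isoformat(),
                                 "activated_at": e["published"], "new_ip": ip})
        # Record the IP only after the check, so the suspicious event cannot whitelist itself.
        seen_ips.setdefault(actor, set()).add(ip)
    return findings


def detect_app_self_assignment(events):
    """Rule 2: an account grants itself an application (actor == target user).
    Legitimate assignments come from an admin, a group rule or provisioning."""
    findings = []
    for e in events:
        if e["eventType"] != "application.user_membership.add":
            continue
        user = _user_target(e)
        app = next((t["alternateId"] for t in e["target"] if t.get("type") == "AppInstance"), None)
        if user and user == e["actor"]["alternateId"]:
            findings.append({"rule": "okta_app_self_assignment", "user": user, "app": app,
                             "ip": e["client"]["ipAddress"], "at": e["published"]})
    return findings


def run_detections(text):
    events = load_events(text)
    return detect_mfa_reenrollment(events) + detect_app_self_assignment(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, the rules fire twice for alice (reset by the help desk, new factor from 198.51.100.77 twelve minutes later, then a self-granted Salesforce tile) and stay quiet for carol, whose post-reset enrolment came from an IP she had used that morning, and for bob, whose Slack assignment was made by an admin. In a real pipeline the "known IP" set would be seeded from weeks of history rather than the same export, and the activation-from-new-IP finding should additionally be raised at lower severity even when the IP is known, since the article's point is that the reset itself was talked out of the help desk.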
