Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims’ infrastructure

June 17, 2024 at 02:42AM

The notorious cyber gang UNC3944, implicated in recent attacks on Snowflake and MGM Entertainment, is now targeting SaaS applications. The group has shifted to focusing primarily on data theft extortion without deploying ransomware, and relies on social engineering to compromise high-privilege accounts. Its targets have expanded to SaaS applications and management platforms including VMware vCenter, CyberArk, Salesforce, and Office 365. Mandiant recommends heightened monitoring and centralized log collection for SaaS applications so that compromises are detected quickly.

The report describes how UNC3944 has shifted its tactics and is now targeting SaaS applications, following activity that included attacks on organizations such as Snowflake and MGM Entertainment. The group's activities overlap with those of other attack groups, and its methods have included credential harvesting, SIM swapping and ransomware, with a more recent move to data theft extortion without ransomware. It also runs social engineering attacks by impersonating callers to the corporate help desk, typically to obtain a multi-factor authentication (MFA) reset, and applies fear-based pressure to extract victim credentials. Once inside an organization's infrastructure, the group targets VPNs, virtual desktops and remote telework tools, as well as specific SaaS and cloud platforms including VMware's vCenter management tool, CyberArk, Salesforce, Azure, CrowdStrike, AWS, Google Cloud Platform and Office 365. It uses synchronization utilities and cloud storage to stage and steal data. Mandiant recommends heightened monitoring of SaaS applications to identify compromise and malicious intent early.
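As an added illustration of the monitoring recommendation (example code written for this page, not from the article or from Mandiant), the script below correlates a constructed, normalized stream of SaaS audit events for the sequence the article describes: a help-desk-initiated MFA reset, then a login from a previously unseen device, then a bulk export or sync-client upload, all within a time window. The event field names, app names and thresholds are assumptions; real vendor logs would first have to be mapped into this shape by the centralized log pipeline.

```python
"""Correlate normalized SaaS audit events for the help-desk MFA-reset chain.

Added example, not code from the article or from Mandiant. The event schema
is a constructed, normalized format (field names are assumptions); real logs
from the identity provider, VPN, Salesforce, cloud storage, etc. must be
mapped into it by the centralized log pipeline before this runs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. Timestamps are ISO 8601 strings.
SAMPLE_EVENTS = [
    # alice: help desk resets MFA, new-device VPN login, then bulk data movement
    {"ts": "2024-06-10T09:02:00", "user": "alice", "app": "idp",
     "event": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2024-06-10T09:15:00", "user": "alice", "app": "vpn",
     "event": "login", "new_device": True},
    {"ts": "2024-06-10T11:40:00", "user": "alice", "app": "salesforce",
     "event": "bulk_export", "records": 250_000},
    {"ts": "2024-06-10T12:00:00", "user": "alice", "app": "cloud_storage",
     "event": "sync_client_upload", "bytes": 4_000_000_000},
    # bob: self-service reset, known device, no mass data movement
    {"ts": "2024-06-10T10:00:00", "user": "bob", "app": "idp",
     "event": "mfa_reset", "actor": "self_service"},
    {"ts": "2024-06-10T10:05:00", "user": "bob", "app": "o365",
     "event": "login", "new_device": False},
    # carol: new-device login and a small export, but no preceding MFA reset
    {"ts": "2024-06-11T08:00:00", "user": "carol", "app": "vpn",
     "event": "login", "new_device": True},
    {"ts": "2024-06-11T09:00:00", "user": "carol", "app": "salesforce",
     "event": "bulk_export", "records": 500},
]

# Assumed normalized event names that indicate data movement out of a SaaS app.
EXFIL_EVENTS = {"bulk_export", "sync_client_upload", "mass_download"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_bulk_movement(event, min_records=10_000, min_bytes=1 << 30):
    """True when an exfil-class event moves enough data to be worth an alert.
    Thresholds are assumptions and should be tuned per application."""
    if event["event"] not in EXFIL_EVENTS:
        return False
    return (event.get("records", 0) >= min_records
            or event.get("bytes", 0) >= min_bytes)


def find_reset_to_exfil_chains(events, window=timedelta(hours=24)):
    """Return one alert per (user, reset) where a help-desk-initiated MFA reset
    is followed within `window` by a login from an unseen device and then by
    bulk data movement. Each stage alone is routine; the ordered chain across
    several SaaS logs is what centralized collection makes visible."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "mfa_reset" or reset.get("actor") != "helpdesk":
                continue
            deadline = _ts(reset) + window
            later = [x for x in evs[i + 1:] if _ts(x) <= deadline]
            login = next((x for x in later
                          if x["event"] == "login" and x.get("new_device")), None)
            if login is None:
                continue
            exfil = [x for x in later
                     if _ts(x) >= _ts(login) and is_bulk_movement(x)]
            if not exfil:
                continue
            alerts.append({
                "user": user,
                "reset_ts": reset["ts"],
                "login_app": login["app"],
                "exfil_apps": [x["app"] for x in exfil],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_to_exfil_chains(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only alice produces an alert: bob's reset was self-service and carol never had a reset, so neither chain is complete. The window matters in practice; the group's hands-on activity can span days, so the correlation window should be set from observed dwell time rather than left at a default.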

Full Article