Scattered Spider Pivots to SaaS Application Attacks

June 18, 2024 at 09:08AM

The recent attacks on customer accounts hosted on the Snowflake data warehousing platform may indicate a shift towards targeting SaaS application environments by threat actors. A threat group, UNC3944, has broadened its focus to enterprise SaaS applications and uses tactics like ransomware attacks, credential phishing, social engineering, and creating new virtual machines for persistence. Mandiant recommends heightened monitoring and security measures for SaaS applications.

After analyzing the meeting notes, the key takeaways are:

1. There is a growing trend towards threat actors targeting software-as-a-service (SaaS) environments, as evidenced by the recent attacks on customer accounts hosted on the Snowflake data warehousing platform.

2. UNC3944, a dangerous threat actor, has expanded its focus to targeting enterprise data in SaaS applications, utilizing sophisticated tactics such as ransomware attacks, SIM-swapping, credential phishing, and social engineering.

3. UNC3944 has been observed gaining unauthorized access to various SaaS applications protected by single sign-on providers such as Okta, including vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and Google Cloud Platform.

4. The threat actor has utilized reconnaissance methods such as Microsoft’s Delve to search for data in Microsoft 365 environments and has transferred stolen data to cloud storage resources like Amazon S3 buckets, using cloud synchronization utilities.

5. UNC3944’s use of phishing and social engineering, including clear English voice calls to help desk staff, has been highlighted as one of its primary methods to acquire credentials for accessing enterprise SaaS accounts.

6. The threat actor has demonstrated sophistication in social engineering attacks and has been successful in creating new virtual machines in victim environments as an effective persistence mechanism.

7. Mandiant’s recommendations for organizations include implementing host-based certificates and multi-factor authentication (MFA) for VPN access, as well as creating strict conditional access policies to limit visibility inside a cloud tenant.

Overall, the meeting notes emphasize the need for organizations to heighten monitoring of SaaS applications, centralize logs from important SaaS-based applications, and implement enhanced security measures to protect against threats like UNC3944.
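One concrete form of the heightened monitoring recommended above, added here as an example and not taken from the Mandiant report: a small Python detection that correlates an MFA reset on an account (the outcome of the help-desk social-engineering calls described earlier) with a burst of SSO logins to many distinct SaaS applications shortly afterwards. The event names are only modelled on Okta System Log types and the log records are constructed; both are assumptions to check against your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names modelled on Okta System Log types (assumed; verify against the
# real event names in your tenant before using this).
MFA_RESET = "user.mfa.factor.reset_all"
SSO_LOGIN = "user.authentication.sso"

def ev(ts, user, event, app=None):
    return {"ts": ts, "user": user, "event": event, "app": app}

# Constructed sample log, not real telemetry. jdoe's MFA is reset by the help
# desk and the account then opens five SaaS apps within an hour; asmith's
# post-reset activity is slow and small; bjones has no reset at all.
EVENTS = [
    ev("2024-06-17T13:00:00Z", "jdoe", MFA_RESET),
    ev("2024-06-17T13:05:00Z", "jdoe", SSO_LOGIN, "Salesforce"),
    ev("2024-06-17T13:09:00Z", "jdoe", SSO_LOGIN, "AWS"),
    ev("2024-06-17T13:12:00Z", "jdoe", SSO_LOGIN, "vCenter"),
    ev("2024-06-17T13:20:00Z", "jdoe", SSO_LOGIN, "CyberArk"),
    ev("2024-06-17T13:41:00Z", "jdoe", SSO_LOGIN, "CrowdStrike"),
    ev("2024-06-17T09:00:00Z", "asmith", MFA_RESET),
    ev("2024-06-17T09:10:00Z", "asmith", SSO_LOGIN, "Salesforce"),
    ev("2024-06-17T15:00:00Z", "asmith", SSO_LOGIN, "Azure"),
    ev("2024-06-17T08:00:00Z", "bjones", SSO_LOGIN, "Salesforce"),
    ev("2024-06-17T08:01:00Z", "bjones", SSO_LOGIN, "AWS"),
    ev("2024-06-17T08:02:00Z", "bjones", SSO_LOGIN, "Azure"),
    ev("2024-06-17T08:03:00Z", "bjones", SSO_LOGIN, "vCenter"),
]

def find_suspicious_users(events, window=timedelta(hours=2), min_apps=4):
    """Return {user: sorted distinct apps} for each user whose account reached
    at least `min_apps` distinct apps via SSO within `window` of an MFA reset."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        reset_at, apps = None, set()
        for e in evs:
            t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            if e["event"] == MFA_RESET:
                reset_at, apps = t, set()  # a new reset opens a fresh window
            elif e["event"] == SSO_LOGIN and reset_at and t - reset_at <= window:
                apps.add(e["app"])
        if len(apps) >= min_apps:
            flagged[user] = sorted(apps)
    return flagged
```

Only jdoe is flagged: bjones touches as many apps but with no preceding reset, and asmith's second login falls outside the window.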