Google-owned Mandiant says the financially motivated threat actor responsible for the recent MGM Resorts hack has been expanding its targets, as well as its monetization strategies.
Tracked as UNC3944 and also referred to as 0ktapus, Scatter Swine, and Scattered Spider, the hacking group has targeted at least 100 organizations, mostly in the United States and Canada. The group typically engages in SMS phishing campaigns (smishing), but has been broadening its skills and arsenal of tools and is expected to start targeting more industries.
Mandiant also noticed that the group shifted to ransomware deployment in mid-2023, which can be highly profitable. In some attacks, they were seen using the ALPHV (BlackCat) ransomware, but Mandiant believes they could use other ransomware as well, and they may “incorporate additional monetization strategies to maximize their profits in the future.”
The threat actor has been active since late 2021. It typically uses smishing to obtain valid employee credentials and then calls the victim organization’s help desk, impersonating the targeted employee, to obtain multi-factor authentication (MFA) codes or have account passwords reset.
During such calls, the group has been observed supplying the various types of verification information the help desk requested, including personally identifiable information (PII), employee IDs, and usernames. Because that data is frequently already in the attacker’s hands, knowledge-based verification alone does not reliably stop these calls.
UNC3944 uses legitimate-looking phishing pages that frequently rely on service desk or single sign-on (SSO) lures, likely using information harvested through existing access to a victim’s network to make the phishing more credible.
Since 2021, the group has used at least three phishing kits, including EightBait (which can deploy AnyDesk to victims’ systems) and two phishing kits built using a targeted organization’s webpage, with few code changes between them.
In addition to smishing and social engineering, the group has been observed running a credential harvesting tool and combing through a victim’s internal systems for valid login information, using publicly available tools to harvest credentials from internal GitHub repositories, and running the open source tool MicroBurst to find Azure credentials and secrets.
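The repository credential harvesting described above is something defenders can check for themselves before an intruder does. The following Python script is an added example, not a Mandiant tool and not anything UNC3944 is reported to use: it walks a checkout and flags a few well-known credential formats (AWS access key IDs, GitHub classic tokens, Azure storage account keys, PEM private key headers) plus a generic hard-coded password pattern. The rule set, the placeholder filter, and the embedded sample files are assumptions constructed for the example; every value in them is synthetic.

```python
"""Minimal secret scanner for a checked-out repository (added example)."""
import re
from pathlib import Path

# Token shapes follow the vendors' published formats (AWS access key IDs,
# GitHub classic PATs, Azure storage account keys, PEM private keys). The
# hard-coded password rule is an assumption: it catches the common
# password = "..." pattern and will produce some false positives.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "azure_storage_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "pem_private_key": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}

# Obvious placeholder values to ignore; assumed list, extend for your codebase.
PLACEHOLDER_HINTS = ("changeme", "example", "placeholder", "xxxx")

SKIP_DIRS = {".git", "node_modules", "vendor"}
MAX_FILE_BYTES = 1_000_000


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it, never the whole credential."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "..."


def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per matched credential, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if rule == "hardcoded_password" and any(
                        hint in value.lower() for hint in PLACEHOLDER_HINTS):
                    continue
                findings.append({"rule": rule, "source": source,
                                 "line": lineno, "value": redact(value)})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every text file under a checkout; binary and oversized files are skipped."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or SKIP_DIRS & set(path.parts):
            continue
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample files: the values below are synthetic, not real credentials.
SAMPLE_FILES = {
    "deploy/config.py": (
        'DB_PASSWORD = "changeme"\n'            # placeholder, must be ignored
        'ADMIN_PASSWORD = "Tr0ub4dor&3xyz"\n'   # hard-coded password, must be flagged
        'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'
    ),
    "scripts/upload.sh": (
        '#!/bin/sh\n'
        'CONN="DefaultEndpointsProtocol=https;AccountName=acme;AccountKey='
        + "A" * 86 + '=="\n'
    ),
    "README.md": "Tokens look like ghp_ followed by 36 characters; none are stored here.\n",
}


def scan_samples() -> list[dict]:
    """Run the scanner over the embedded sample files."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(text, name))
    return findings


if __name__ == "__main__":
    import sys
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f['source']}:{f['line']} {f['rule']} {f['value']}")
```

Run it with a path argument to scan a real checkout, or without one to scan the embedded samples; the latter reports the hard-coded admin password, the AWS key ID, and the Azure storage key while ignoring the `changeme` placeholder and the README prose. Scanning the working tree only is a floor, not a ceiling: a secret removed in a later commit is still in the git history, so production use should also walk past revisions.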
According to Mandiant, UNC3944 also appears to be using information stealers to harvest credentials, including Ultraknot (also known as Meduza stealer), Vidar, and Atomic.
“A common hallmark of UNC3944 intrusions has been their creative, persistent, and increasingly effective targeting of victims’ cloud resources. This strategy allows the threat actors to establish a foothold for their later operations, perform network and directory reconnaissance, and to access many sensitive systems and data stores,” Mandiant says.
Mandiant also observed UNC3944 abusing Microsoft Entra environments to access restricted resources, creating virtual machines for unmonitored access, abusing Azure Data Factory to steal data, and leveraging access to victims’ cloud environments to host malicious tools and move laterally.
“UNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies. We expect that these threat actors will continue to improve their tradecraft over time and may leverage underground communities for support to increase the efficacy of their operations,” Mandiant notes.