Hacker Gang Changes Tactics
July 2, 2024
UNC3944, the hacker gang that successfully attacked Snowflake and MGM Entertainment, has evolved. The Register, relying on information from Google Cloud’s Mandiant threat intelligence team, reports that UNC3944 has now shifted to “primarily data theft extortion, without the use of ransomware.”
Mandiant says it has heard recordings of the gang's calls to corporate help desks, which are attempted social engineering attacks. The hackers spoke fluent English and had selected their targets for high privilege potential.
The group targeted VMware’s vCenter management tool, CyberArk, Salesforce, Azure, CrowdStrike, AWS, Google Cloud Platform, and Office 365, the last of these through the use of a Microsoft tool called Delve.
Microsoft says Delve helps users “discover and organize the information that’s likely to be most interesting to you right now – across Microsoft 365.” The Register notes that it also helps attackers understand what data users value most, and target it.
To steal the data, the gang uses synchronization utilities that move information into its cloud storage resources. According to Mandiant, there are plenty of ways to speedily identify a possible compromise. To start, it recommends monitoring software-as-a-service (SaaS) applications.
Mandiant says SaaS applications constitute a conundrum for organizations because a gray area exists concerning who should do the monitoring to identify issues, and where it should be done. Its recommendation is for organizations to make sure they have a robust logging capability that their security teams can review for signs of malicious intent.