MGM Pirates Expand Their Targets and Monetization Strategies

esteria.white

Google-owned Mandiant says the financially motivated threat actor responsible for the recent MGM Resorts hack has expanded its targets, as well as its monetization strategies.

Tracked as UNC3944 and also called 0ktapus, Scatter Swine and Scattered Spider, the hacking group targeted at least 100 organizations, mainly in the United States and Canada. The group typically engages in SMS phishing (smishing) campaigns, but has expanded its skills and arsenal of tools and is expected to begin targeting more sectors.

Mandiant also noted that the group shifted its focus to deploying ransomware in mid-2023, which can prove very profitable. In some attacks it was seen using ALPHV (BlackCat) ransomware, but Mandiant believes it could also be using other ransomware and could “integrate additional monetization strategies to maximize their profits in the future”.

The threat actor has been active since late 2021, typically using smishing to obtain valid employee credentials and then contacting the victim organization’s help desk, impersonating the targeted employees, to obtain multi-factor authentication (MFA) codes or have account passwords reset.

During these calls, the hacking group was observed providing the various types of verification information requested by the help desk, including personally identifiable information (PII), employee ID, and user name.
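The help-desk reset pattern described above, as an added detection example that is not from the article or from Mandiant: it correlates a help-desk-initiated MFA or password reset with a sign-in from a device the account has never used within a short window, which is the sequence a successful impersonation call produces. The event field names and the sample events are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (hypothetical field names):
# jdoe gets a help-desk MFA reset and signs in from an unknown device
# minutes later; asmith gets a password reset but next signs in a day
# later from a known device.
EVENTS = [
    {"ts": "2023-09-10T14:02:00", "user": "jdoe", "action": "helpdesk_mfa_reset", "actor": "helpdesk"},
    {"ts": "2023-09-10T14:09:30", "user": "jdoe", "action": "signin", "device_known": False, "ip": "198.51.100.7"},
    {"ts": "2023-09-10T09:15:00", "user": "asmith", "action": "helpdesk_password_reset", "actor": "helpdesk"},
    {"ts": "2023-09-11T09:00:00", "user": "asmith", "action": "signin", "device_known": True, "ip": "203.0.113.5"},
]

RESET_ACTIONS = {"helpdesk_mfa_reset", "helpdesk_password_reset"}


def find_suspicious_resets(events, window_minutes=60):
    """Return (user, reset_ts, signin_ts) for every help-desk reset that is
    followed, within window_minutes, by a sign-in from an unknown device
    for the same account."""
    parsed = sorted(
        ({**e, "dt": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["dt"],
    )
    window = timedelta(minutes=window_minutes)
    hits = []
    for i, ev in enumerate(parsed):
        if ev["action"] not in RESET_ACTIONS:
            continue
        for later in parsed[i + 1:]:
            if later["dt"] - ev["dt"] > window:
                break  # events are time-ordered, nothing later can match
            if (later["user"] == ev["user"] and later["action"] == "signin"
                    and not later.get("device_known", True)):
                hits.append((ev["user"], ev["ts"], later["ts"]))
                break
    return hits


if __name__ == "__main__":
    for user, reset_ts, signin_ts in find_suspicious_resets(EVENTS):
        print(f"REVIEW: {user}: help-desk reset at {reset_ts}, "
              f"unknown-device sign-in at {signin_ts}")
```

The window and the "unknown device" signal are tuning knobs; a reset that is never followed by an unfamiliar sign-in is normal help-desk work and is not flagged.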

UNC3944 uses legitimate-looking phishing pages that frequently rely on service desk or single sign-on (SSO) lures, likely drawing on information collected through existing access to the victim organization’s network to make the phishing more credible.

Since 2021, the group has used at least three phishing kits, including EightBait (which can deploy AnyDesk on victims’ systems) and two phishing kits created from a targeted organization’s webpage, with little change in code between them.


In addition to smishing and social engineering, the group was also observed using a credential harvesting tool, thoroughly searching a victim’s internal systems to identify valid login credentials, using publicly available tools to collect credentials from internal GitHub repositories, and using the open source tool MicroBurst to identify Azure credentials and secrets.

According to Mandiant, UNC3944 also appears to use information stealers to harvest credentials, including Ultraknot (also known as the Meduza stealer), Vidar, and Atomic.

“A common feature of UNC3944 intrusions is their creative, persistent, and increasingly effective targeting of victims’ cloud resources. This strategy allows threat actors to gain a foothold for their subsequent operations, perform network and directory reconnaissance, and gain access to numerous systems and sensitive data stores,” Mandiant explains.

Mandiant also observed that UNC3944 abuses Microsoft Entra environments to access restricted resources, creates virtual machines for unmonitored access, abuses Azure Data Factory to steal data, and exploits access to victims’ cloud environments to host malicious tools and move laterally.

“UNC3944 is an evolving threat that has continued to expand its skills and tactics to successfully diversify its monetization strategies. We expect that these threat actors will continue to improve their know-how over time and may leverage clandestine communities for support to increase the effectiveness of their operations,” notes Mandiant.

Related: Ransomware gang takes credit for disruptive MGM hotels cyberattack

Related: Cybercrime group exploits vulnerability in old Windows driver to bypass security products

Related: Mandiant 2023 M-Trends Report Provides Fact-Based Analysis of Emerging Threat Trends
