The recent wave of cyberattacks targeting customer accounts on the Snowflake data warehousing platform has raised concerns about a potential shift in tactics among threat actors towards focusing on Software as a Service (SaaS) applications.
A recent Mandiant report shed light on UNC3944, a threat actor known for its activities in Microsoft cloud environments and on-premises infrastructure, now expanding its scope to target enterprise data in SaaS applications. UNC3944, also known as Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus, has been involved in high-profile ransomware attacks against companies like MGM Resorts and Caesars Entertainment, with the latter reportedly paying millions to regain access to its data.
The threat actor employs sophisticated tactics, including SIM-swapping and credential phishing, and has been categorized by Microsoft as one of the most dangerous financially motivated cyber threat groups currently active. In the past 10 months, UNC3944 has shifted its focus to targeting data in enterprise SaaS applications, such as vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and Google Cloud Platform, often using stolen credentials to gain unauthorized access.
Once inside these environments, UNC3944 conducts reconnaissance activities using methods like Microsoft’s Delve to search for valuable data in Microsoft 365 environments. The stolen data is then transferred to cloud storage resources like Amazon S3 buckets using various cloud synchronization utilities.
Phishing and social engineering are key components of UNC3944’s strategy to acquire credentials for accessing enterprise SaaS accounts. The threat actor has been observed making voice calls to help desk staff, demonstrating a high level of sophistication by possessing detailed personal information about the victims.
One of UNC3944’s effective persistence mechanisms involves creating new virtual machines in victim environments using single sign-on (SSO) apps to access VMware vSphere and Microsoft Azure cloud environments. These virtual machines are reconfigured to remove default protections and telemetry, allowing UNC3944 to download tools for credential extraction and tunneling.
Mandiant recommends that organizations implement host-based certificates, multifactor authentication (MFA) for VPN access, and strict conditional access policies to enhance security against such threats. Heightened monitoring of SaaS applications, centralizing logs, and tracking virtual machine infrastructure are also suggested to mitigate the risks associated with UNC3944’s tactics.
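As an added illustration of the "track virtual machine infrastructure" recommendation (example code written for this page, not from Mandiant or the article), the following correlates a VM creation with the removal of telemetry or protection extensions on that same VM shortly afterwards, the pattern described above. The sample records are constructed; the operation and extension names are assumptions loosely modelled on Azure naming.

```python
from datetime import datetime, timedelta

# Assumed operation names, modelled on Azure resource-provider naming.
# A VM "write" is treated as a creation here for simplicity (assumption).
CREATE_OP = "Microsoft.Compute/virtualMachines/write"
STRIP_OPS = {"Microsoft.Compute/virtualMachines/extensions/delete"}
# Extension names associated with telemetry or protection (assumed set).
TELEMETRY_EXT = {"MicrosoftMonitoringAgent", "AzureMonitorLinuxAgent",
                 "AzureDiskEncryption", "MDE.Linux"}

SAMPLE_EVENTS = [  # constructed sample data, not real log records
    {"time": "2024-05-01T09:00:00", "caller": "alice@example.test",
     "op": CREATE_OP, "vm": "vm-ci-01", "ext": None},
    {"time": "2024-05-01T10:05:00", "caller": "sso-deploy@example.test",
     "op": CREATE_OP, "vm": "vm-tmp-01", "ext": None},
    {"time": "2024-05-01T10:12:00", "caller": "sso-deploy@example.test",
     "op": "Microsoft.Compute/virtualMachines/extensions/delete",
     "vm": "vm-tmp-01", "ext": "MicrosoftMonitoringAgent"},
    {"time": "2024-05-01T10:14:00", "caller": "sso-deploy@example.test",
     "op": "Microsoft.Compute/virtualMachines/extensions/delete",
     "vm": "vm-tmp-01", "ext": "AzureDiskEncryption"},
    {"time": "2024-05-01T11:00:00", "caller": "bob@example.test",
     "op": "Microsoft.Compute/virtualMachines/extensions/delete",
     "vm": "vm-legacy-07", "ext": "MicrosoftMonitoringAgent"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_stripped_new_vms(events, window=timedelta(hours=2)):
    """Return one alert per VM that was created and then had a telemetry or
    protection extension removed within `window` of its creation."""
    created = {}  # vm name -> (creation time, creating identity)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] == CREATE_OP:
            created[ev["vm"]] = (_ts(ev["time"]), ev["caller"])
            continue
        if ev["op"] in STRIP_OPS and ev["vm"] in created:
            t0, creator = created[ev["vm"]]
            if _ts(ev["time"]) - t0 <= window and ev["ext"] in TELEMETRY_EXT:
                alert = alerts.setdefault(
                    ev["vm"], {"vm": ev["vm"], "creator": creator, "removed": []})
                alert["removed"].append(ev["ext"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_stripped_new_vms(SAMPLE_EVENTS):
        print(f"ALERT {a['vm']} created by {a['creator']}; removed {a['removed']}")
```

Extension removals on long-standing VMs (vm-legacy-07 above) are deliberately not flagged, since the signal is the build-then-strip sequence on a freshly created machine.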
As the threat landscape continues to evolve, organizations must remain vigilant and proactive in safeguarding their data and systems against sophisticated cyber adversaries like UNC3944 operating in the SaaS environment.
