UNC3944 Targets SaaS Applications

<

div class=”block-paragraph_advanced”>

Introduction

UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of “0ktapus,” “Octo Tempest,” “Scatter Swine,” and “Scattered Spider,” and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. Active since at least May 2022, UNC3944 has leveraged underground communities like Telegram to acquire tools, services, and support to enhance their operations.

Initially, UNC3944 focused on credential harvesting and SIM swapping attacks in their operations, eventually migrating to ransomware and data theft extortion. However, recently, UNC3944 has shifted to primarily data theft extortion without the use of ransomware. This change in objectives has precipitated an expansion of targeted industries and organizations as evidenced by Mandiant investigations.

Evidence also suggests UNC3944 h

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Threat Intelligence

Read the original article: