Hacker business plan: the UNC3944 group has developed a new smishing strategy

The key to success is careful preparation. The key to a corporate system is an inattentive support service.

The cybercrime group UNC3944, also known as "0ktapus", "Scatter Swine" and "Scattered Spider", is changing its tactics. Where it previously focused on stealing credentials, it has now moved to extortion and encrypts victims' data with ransomware.

Motivated by financial gain, the group continues to rely on SMS phishing (smishing) and social engineering to gain access to corporate systems. Employees receive text messages that impersonate their own organization and urge them to take a specific action, typically to log in to what looks like a company portal.

Mandiant experts emphasize that the UNC3944 operators have a good understanding of how Western businesses work. The target organization is studied closely so that the fake web page is as plausible and convincing as possible. To reproduce the interface details and the names of real internal services, they draw on information already stolen from internal resources. UNC3944 often registers domain names that resemble the original, adding elements like "-sso" or "-servicedesk".
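One practical defence against the domain-registration habit described above is to watch new-domain or certificate-transparency feeds for your own brand combined with a help-desk or SSO lure word. The heuristic below is an added example, not code from the original post or from Mandiant: the brand "example", the observed-domain list and every lure token other than "-sso" and "-servicedesk" are constructed assumptions for illustration, and it deliberately omits a public-suffix list.

```python
"""Flag look-alike domains of the kind UNC3944 registers for smishing pages.

Added example; not code from the original post or from Mandiant. The brand
name, the observed-domain list and the lure tokens other than "sso" and
"servicedesk" are constructed assumptions for illustration.
"""
from typing import Iterable, List, Optional, Tuple

# "-sso" and "-servicedesk" are the elements named in the post; the rest are
# common IT-support / login lure words added here as an assumption.
LURE_TOKENS = frozenset(
    ["sso", "servicedesk", "helpdesk", "okta", "vpn", "login", "auth", "it", "support", "mfa"]
)


def lure_reason(label: str, brand: str) -> Optional[str]:
    """Explain why one DNS label looks like brand + lure token, or return None.

    Covers hyphenated forms (example-sso, helpdesk-example, example-sso-login)
    and fused forms (examplesso, ssoexample). A bare brand label is not a hit.
    """
    tokens = label.split("-")
    if brand in tokens and len(tokens) > 1:
        extra = [t for t in tokens if t != brand]
        if extra and all(t in LURE_TOKENS for t in extra):
            return "hyphenated: " + "-".join(extra)
    if label.startswith(brand) and label[len(brand):] in LURE_TOKENS:
        return "fused suffix: " + label[len(brand):]
    if label.endswith(brand) and label[: -len(brand)] in LURE_TOKENS:
        return "fused prefix: " + label[: -len(brand)]
    return None


def domain_reason(domain: str, brands: Iterable[str]) -> Optional[str]:
    """Check every non-TLD label of a domain (so a lure carried as a subdomain
    of an attacker-owned domain is caught too). No public-suffix list: the
    last label is simply treated as the TLD (assumption for this example)."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    for label in labels:
        for b in brands:
            reason = lure_reason(label, b.lower())
            if reason:
                return f"label '{label}': brand '{b}', {reason}"
    return None


def flag_lookalikes(
    observed: Iterable[str], brands: Iterable[str], allowlist: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return (domain, reason) for each observed domain that is not on the
    exact-match allow-list and that matches the brand + lure-token pattern."""
    allow = {d.lower().rstrip(".") for d in allowlist}
    hits = []
    for raw in observed:
        domain = raw.lower().rstrip(".")
        if domain in allow:
            continue
        reason = domain_reason(domain, brands)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample: hostnames as they might appear in a CT-log or DNS feed.
OBSERVED = [
    "example.com",                 # the real domain (allow-listed)
    "sso.example.com",             # real SSO host: plain 'sso' label, bare brand
    "example-sso.com",             # "-sso" pattern from the post
    "example-servicedesk.net",     # "-servicedesk" pattern from the post
    "helpdesk-example.com",        # lure word in front of the brand
    "examplesso.com",              # fused, no hyphen
    "example-sso.phish-host.com",  # lure carried as a subdomain
    "exampleshop.com",             # brand + unknown word: not this pattern
    "unrelated-sso.com",           # no brand at all
]

if __name__ == "__main__":
    for d, why in flag_lookalikes(OBSERVED, ["example"], ["example.com"]):
        print(f"{d:32} {why}")
```

The allow-list is exact-match on purpose: the real `sso.example.com` is not flagged because its labels are a plain lure word and a bare brand, which is exactly the shape a genuine SSO host has. In production you would feed this from a newly-registered-domain or certificate-transparency stream, replace the naive TLD handling with a public-suffix list, and extend the brand list with product and subsidiary names, since the group reuses names it finds in stolen internal documentation.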

Once they hold an employee's credentials, the attackers call the company's help desk posing as that employee to obtain a multi-factor authentication code or to have the password reset. Mandiant experts have identified at least three phishing kits used in the campaigns.

One of the group's earliest tools was a kit called EIGHTBAIT, used in various campaigns from late 2021 to mid-2022. EIGHTBAIT was built to send stolen credentials to a Telegram channel controlled by the attackers, and it could also install the AnyDesk remote access utility on the victim's computer.

Experts note that UNC3944 now often combines legitimate programs with malware sold on underground forums. For example, publicly available utilities such as Trinity and CredDump, together with infostealers such as ULTRAKNOT, were used to steal usernames and passwords, and the VIDAR and ATOMIC infostealers were used to harvest further data.

The attackers are also helped by the cloud services the victim companies already use: for exfiltrating data they turn to services such as Azure Data Factory.

Once inside, the attackers spend considerable time reading internal documentation, chats and other resources in search of privilege-escalation opportunities. They frequently target password and access management systems.

UNC3944's hallmark is a high operational tempo and a focus on the systems most critical to the business, so that the damage is as visible as possible.

To protect against UNC3944, experts recommend multi-factor authentication that does not rely on SMS, limiting external access to cloud services, tightening help-desk password reset and MFA reset procedures, and raising staff awareness of how phishing attacks work.