UNC3944 is a financially motivated threat group that has evolved from credential harvesting and SIM swapping to ransomware and now primarily data theft extortion from SaaS and cloud environments. The group uses social engineering against help desks, Okta/SaaS permissions abuse, VM-based persistence, and cloud-data exfiltration to attacker-owned storage, with recent focus on SaaS targets and cloud sync tools; they even leverage fearmongering to obtain credentials. #UNC3944 #0ktapus #OctoTempest #ScatterSwine #ScatteredSpider #Airbyte #Fivetran #Okta #CrowdStrike #GoldenSAML
Keypoints
- UNC3944 has shifted from early credential harvesting and SIM swapping to data theft extortion primarily targeting SaaS and cloud storage, expanding the industries and victims it targets.
- Social engineering against corporate help desks and SMS phishing enable initial access to privileged accounts, often bypassing MFA.
- Internal reconnaissance focuses on Microsoft applications (e.g., SharePoint) and VPN/VDI documentation, with the group leveraging legitimate remote-access tooling to move around the environment.
- Okta permissions abuse allows self-assignment of apps, broadening intrusion scope into cloud and SaaS environments.
- Virtual machine compromise for persistence includes creating new VMs via vSphere/Azure, disabling Defender, and employing tools like Mimikatz, NGROK, and PCUnlocker.
- The pivot to SaaS entails accessing Okta-integrated applications and exfiltrating data through cloud-sync tools (Airbyte, Fivetran) to attacker-owned storage, which complicates detection because the traffic resembles legitimate integrations.
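The Okta self-assignment pattern in the key points above can be hunted for in the Okta System Log. The following is an added example, not code from the original report or from Okta: it assumes System Log events in Okta's JSON shape (`eventType`, `actor`, `target`) and that app assignment surfaces as the `application.user_membership.add` event with both a `User` and an `AppInstance` target; the sample events are constructed.

```python
import json
from typing import Iterable

# Okta System Log event type emitted when a user is assigned to an application
# (assumption: adjust if your tenant uses a different event name).
APP_ASSIGN_EVENT = "application.user_membership.add"


def is_self_assignment(event: dict) -> bool:
    """True when the administrator who assigned the app is also the user receiving it."""
    if event.get("eventType") != APP_ASSIGN_EVENT:
        return False
    actor_id = (event.get("actor") or {}).get("id")
    user_targets = {t.get("id") for t in event.get("target", []) if t.get("type") == "User"}
    return actor_id is not None and actor_id in user_targets


def assigned_app(event: dict) -> str:
    """Return the display name of the AppInstance target, if present."""
    for t in event.get("target", []):
        if t.get("type") == "AppInstance":
            return t.get("displayName", "?")
    return "?"


def find_self_assignments(events: Iterable[dict]) -> list[dict]:
    """Collect every app assignment where actor == target user (possible Okta permissions abuse)."""
    hits = []
    for ev in events:
        if is_self_assignment(ev):
            hits.append({"actor": ev["actor"].get("alternateId"),
                         "app": assigned_app(ev), "time": ev.get("published")})
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventType": APP_ASSIGN_EVENT, "published": "2024-06-01T10:00:00Z",
     "actor": {"id": "00u1", "alternateId": "admin@example.test"},
     "target": [{"id": "00u2", "type": "User", "alternateId": "alice@example.test"},
                {"id": "0oa1", "type": "AppInstance", "displayName": "Finance Portal"}]},
    {"eventType": APP_ASSIGN_EVENT, "published": "2024-06-01T10:05:00Z",
     "actor": {"id": "00u1", "alternateId": "admin@example.test"},
     "target": [{"id": "00u1", "type": "User", "alternateId": "admin@example.test"},
                {"id": "0oa2", "type": "AppInstance", "displayName": "AWS Account Federation"}]},
    {"eventType": "user.session.start", "published": "2024-06-01T10:06:00Z",
     "actor": {"id": "00u3"}, "target": []},
]

if __name__ == "__main__":
    for hit in find_self_assignments(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

An assignment from a freshly reset or MFA-reset admin account to that same account is the combination worth alerting on, since it matches the help-desk-to-Okta chain described here.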
MITRE Techniques
- [T1566.003] Spearphishing via Service – Social engineering calls to service desks to gain initial access to privileged accounts. “Mandiant observed social engineering techniques against corporate help desks to gain initial access to existing privileged accounts.”
- [T1078] Valid Accounts – Use of compromised credentials and MFA-reset to access privileged accounts. “By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections.”
- [T1059] Command and Scripting Interpreter – Execution of commands within CrowdStrike Falcon RTR to probe the environment. “Commands executed in the CrowdStrike Falcon RTR module” (example: whoami, curl commands).
- [T1098] Account Manipulation – Bypassing authentication controls via password resets and local admin password changes (PCUnlocker ISO). “To bypass authentication controls, … PCUnlocker.”
- [T1003] Credential Dumping – Use of Mimikatz, ADRecon and related tools to harvest credentials. “downloading and use of the PowerShell module psPAS … and tools such as Mimikatz, ADRecon…”
- [T1550.003] Golden Ticket – Compromise of ADFS certificates enabling Golden SAML access to cloud apps. “ADFS targeting … export the ADFS certificates. With these certificates and through the use of a Golden SAML attack…”
- [T1567.002] Exfiltration to Cloud Storage – Data exfiltration from SaaS via Airbyte/Fivetran to attacker-owned storage. “exfiltration from SaaS applications through cloud synchronization utilities … to external attacker-owned cloud storage resources, such as S3 buckets.”
- [T1562.001] Impair Defenses – Defense-evasion activity such as removing Defender and avoiding telemetry on attacker-created VMs. “reconfigure the newly created virtual machine to deactivate various policies … removing default Microsoft Defender protections.”
Indicators of Compromise
- [IP Address] 96.242.13.152
- [File Name] PCUnlocker.iso, privacy-script.bat
- [File Name] Mimikatz.exe, psPAS
- [URL] https://agent.fleetdeck.io/HiZGDaf5T3xTLZdBWUsG2Q?win, https://falcon.us-2.crowdstrike.com/saml/metadata
- [Domain] okta.com, www.okta.com
Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications/