Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

UNC3944 is a financially motivated threat actor that targets a range of sectors using social engineering, ransomware, and data theft. Its operations have broadened since 2023, affecting numerous industries worldwide, particularly in English-speaking countries. (Affected: Telecommunications, Financial Services, Retail, Hospitality, Technology, Gaming)

Key points:

  • UNC3944 initially targeted telecommunications organizations for SIM swap operations.
  • Shifted to ransomware and data theft extortion in early 2023.
  • Conducts targeted attacks on sectors like financial services and food services.
  • Acts in waves against various industries to maximize impact.
  • Operates globally, focusing on English-speaking countries.
  • Uses social engineering to exploit large organizations with outsourced IT functions.
  • Reported decline in activity post-2024 due to law enforcement actions.
  • Targets retail organizations for their access to personally identifiable information (PII).
  • Employs tactics similar to those attributed to Scattered Spider.

MITRE Techniques:

  • Tactic: Initial Access; Technique: Phishing (T1566) – Using social engineering tactics to deceive users into providing credentials.
  • Tactic: Execution; Technique: Command-Line Interface (T1059) – Executing commands remotely after gaining access through compromised credentials.
  • Tactic: Persistence; Technique: Account Manipulation (T1098) – Modifying user accounts to maintain access.
  • Tactic: Collection; Technique: Data from Information Repositories (T1213) – Targeting documents and spreadsheets for shared credentials.
  • Tactic: Exfiltration; Technique: Exfiltration Over Command and Control Channel (T1041) – Using C2 channels to exfiltrate sensitive data.

Indicators of Compromise:

  • Data leak sites (DLS) frequently used by extortion actors to pressure victims.
  • Potentially compromised credentials and unusual authentication attempts involving MFA.
  • Reconnaissance tools such as ADRecon and SharpHound used during the initial access phase.
  • Alerts for suspicious attempts to manipulate authentication methods.

Full Story: https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations/