The threat group that claims to have been involved in the high-profile attacks earlier this month on casino operators MGM Resorts and Caesars Entertainment has evolved in recent months from stealing credentials and accessing systems to ransomware.
The alleged connection with the data breaches that disrupted the companies’ Las Vegas operations, and the possible theft of terabytes of data, is the latest example of the group UNC3944 extending its reach into ransomware and broadening the industries it targets, according to researchers with Google-owned Mandiant.
“These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand,” the Mandiant researchers wrote in a report late last week. “Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services.”
The group – also known as Scattered Spider, Scatter Swine, and 0ktapus – began to deploy ransomware in the middle of the year, they wrote.
“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographic composition of the group,” the researchers wrote about the group, which is believed to include members in the United States, UK, and other Western countries.
Linking Up with BlackCat
The threat group is no stranger to cybersecurity vendors. The hackers use texts and phone calls to victim help desks to get passwords reset or to obtain multifactor authentication (MFA) bypass codes, and use that access to get in. They’re also known for using legitimate software such as remote access tools, for moving fast to reach critical systems and take large volumes of data, and for searching through internal files and resources for information that lets them escalate privileges and keep a presence in the victim environment.
They also have launched attacks from unmanaged virtual machines created inside the victim environment.
“When deploying ransomware, the threat actors appear to specifically target business-critical virtual machines and other systems, likely in an attempt to maximize the impact on the victim,” the researchers wrote, adding that they then pressure victims through threatening ransom notes, through texts and emails sent directly to executives, and through the victim’s own communications channels.
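The help-desk reset, new MFA factor, new-device sign-in and remote-access-tool install described above form a sequence that can be correlated in identity and endpoint telemetry. The following is an added example, not code from Mandiant or from the original article: a small detector that flags a help-desk-initiated MFA reset followed by a new-device login within a short window, raising severity when a software install follows. The log schema (field names `event`, `actor`, `new_device`, `app_install`) and the sample records are constructed for illustration and do not match any particular identity provider's format.

```python
"""Correlate help-desk MFA resets with follow-on new-device logins.

Assumption: each record is a dict with an ISO 8601 `ts`, an `event` name,
a `user`, and event-specific fields. The schema is invented for this example.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Three users:
#   j.doe   - phone reset, new SMS factor, new-device login, remote tool install
#   a.smith - ticketed reset, enrollment and login from a known device (benign)
#   k.lee   - phone reset, but the new-device login is days later (outside window)
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T14:02:11Z", "event": "mfa_factor_reset", "user": "j.doe",
     "actor": "helpdesk:agent17", "channel": "phone"},
    {"ts": "2023-09-10T14:09:40Z", "event": "mfa_factor_enrolled", "user": "j.doe",
     "factor": "sms", "ip": "203.0.113.45"},
    {"ts": "2023-09-10T14:11:03Z", "event": "login_success", "user": "j.doe",
     "ip": "203.0.113.45", "new_device": True},
    {"ts": "2023-09-10T14:30:55Z", "event": "app_install", "user": "j.doe",
     "host": "WS-0042", "app": "remote-access-tool"},
    {"ts": "2023-09-11T09:00:00Z", "event": "mfa_factor_reset", "user": "a.smith",
     "actor": "helpdesk:agent03", "channel": "ticket"},
    {"ts": "2023-09-11T09:05:00Z", "event": "mfa_factor_enrolled", "user": "a.smith",
     "factor": "totp", "ip": "198.51.100.7"},
    {"ts": "2023-09-11T09:06:00Z", "event": "login_success", "user": "a.smith",
     "ip": "198.51.100.7", "new_device": False},
    {"ts": "2023-09-12T10:00:00Z", "event": "mfa_factor_reset", "user": "k.lee",
     "actor": "helpdesk:agent17", "channel": "phone"},
    {"ts": "2023-09-15T10:00:00Z", "event": "login_success", "user": "k.lee",
     "ip": "203.0.113.99", "new_device": True},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_resets(events, window: timedelta = timedelta(hours=2)):
    """Return one alert per help-desk MFA reset that is followed, within `window`,
    by a successful login flagged as coming from a new device.

    Severity is "high" when a software install also lands in the window
    (the remote-access-tool pattern), otherwise "medium".
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "mfa_factor_reset":
                continue
            if not e.get("actor", "").startswith("helpdesk:"):
                continue  # self-service resets are out of scope for this rule
            t0 = _parse(e["ts"])
            follow = [f for f in evs[i + 1:] if _parse(f["ts"]) - t0 <= window]
            new_device_logins = [f for f in follow
                                 if f["event"] == "login_success" and f.get("new_device")]
            if not new_device_logins:
                continue
            installs = [f for f in follow if f["event"] == "app_install"]
            alerts.append({
                "user": user,
                "reset_at": e["ts"],
                "reset_channel": e.get("channel"),
                "actor": e["actor"],
                "login_ip": new_device_logins[0]["ip"],
                "installed": [f["app"] for f in installs],
                "severity": "high" if installs else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(SAMPLE_EVENTS):
        print(a)
```

The two-hour window and the "new device" flag are tunable knobs; the useful signal is the ordering (reset by a help-desk actor, then enrollment or login from somewhere the user has never been seen), and a phone-initiated reset is worth weighting more heavily than one tied to a ticket the user opened themselves.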
There are at least three phishing kits tied to UNC3944.
“At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations,” they wrote.
The group also has been known to attack cloud environments, including Microsoft’s Azure and Amazon Web Services (AWS), and recently appears to have partnered with the BlackCat – also known as AlphV – ransomware operation, a suspected successor to the notorious Russia-linked REvil group.
The MGM and Caesars Hacks
UNC3944’s possible connection to the MGM attack was first raised by the vx-underground malware repository, and people claiming to represent the group have since told media outlets that it was involved in the MGM breach. However, while the operators told Reuters via Telegram that they had stolen 6 terabytes of data from both companies, a spokesperson told TechCrunch in an online message that the group was only involved in the MGM attack, not the one on Caesars.
In a statement, BlackCat said one of its affiliates was responsible for the MGM Resorts hack but didn’t say which affiliate, according to BleepingComputer. The group said it encrypted more than 100 ESXi hypervisors after MGM shut down its internal infrastructure.
The attack forced MGM – which runs the Bellagio and Aria, among other Las Vegas resorts – to shut down some of its IT operations, which meant that customers were unable to use services such as digital key cards, credit card payments, or ATMs.
In a filing with the Securities and Exchange Commission September 12, MGM executives said in a brief message that it launched an internal investigation, brought in external cybersecurity experts, and notified law enforcement of the breach.
In its own SEC filing days earlier, Caesars executives said the attack on its IT network came after a social engineering scam on an outsourced IT support vendor hired by the company. Customer-facing operations, including physical properties and online and mobile game apps, were not affected.
That said, the hackers did access data including a copy of Caesars’ loyalty program database, which contains information such as driver’s license and Social Security numbers for members in the database.
Caesars implied it may have paid a ransom, saying it had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
Group Will Expand Its Operations
In the meantime, UNC3944 is unlikely to go away anytime soon, the Mandiant researchers wrote. They said UNC3944 “is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies” and they expect that it will continue to expand its capabilities, possibly using underground communities to support its operations and other ransomware brands or other attack scenarios to maximize their profits.
Georgia Weidman, security architect at mobile security company Zimperium, told Security Boulevard that, similarly, the threat of the sophisticated phishing campaigns UNC3944 has leveraged over the past couple of years isn’t going anywhere, driving the need for more security awareness among users and more on-device security for their systems.
While users and support staff are increasingly savvy about the danger of phishing links in emails, users don’t seem to understand that any mechanism – from SMS texts and Facebook Messenger to Twitter DMs and QR codes – can deliver a malicious URL.
“At least for the foreseeable future, the only thing that we can truly depend upon is that, one, the phishers will try to find every possible path to deliver phishes despite ingress testing and, two, some users will attempt to follow the phishing links,” Weidman said.