Tech-Wreck Tipper (TWT) – 007 – UNC3944


Description: This Tech-Wreck report covers the activities of UNC3944, a threat cluster that uses phone-based social engineering and SMS phishing campaigns to gain access to victim organizations and escalate privileges within them for financial gain. UNC3944 has been reported in open sources under names such as “0ktapus,” “Scatter Swine,” and “Scattered Spider.” It is known for targeting password managers and privileged access management systems, stealing large amounts of sensitive data, deploying ransomware, and engaging in aggressive communication with victims.

Context: UNC3944 has been active since 2022 and, in mid-2023, shifted its focus from SIM swapping attacks to deploying ransomware. The group has expanded its targeting beyond telecommunication and business process outsourcer (BPO) companies to other sectors, including hospitality, retail, media and entertainment, and financial services.

Importance: As a persistent and evolving threat, UNC3944 poses a significant risk to a wide range of industries. Its tactics, techniques, and procedures (TTPs) have grown more disruptive and profitable, with a stronger focus on large-scale data theft and ransomware deployment. The group’s knowledge of Western business practices, use of legitimate and publicly available tools, and engagement in underground communities further increase its threat level.

Key Points: UNC3944 relies heavily on social engineering for initial access, often using SMS phishing campaigns and calls to victim help desks. It also uses commercial residential proxy services and legitimate software, including remote access tools downloaded from vendor websites. The group operates at an extremely high operational tempo, overwhelming security response teams by accessing critical systems and exfiltrating large volumes of data over a few days.

Urgency: The threat posed by UNC3944 is immediate and evolving. With its shift to ransomware deployment in 2023 and continuous expansion of target industries, the threat cluster is likely to escalate its activities and refine its tactics in the foreseeable future. It is crucial for organizations to implement effective mitigation strategies against UNC3944’s TTPs.

Recommended Actions: Organizations should enforce stronger multifactor authentication (MFA) options, ensure secure MFA and Self-Service Password Reset (SSPR) registration, block external access to Microsoft Azure and Microsoft 365 administration features, and implement video verification techniques for password and/or MFA resets.
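As an added example (not part of the original report or of Mandiant's publication), the following Microsoft Graph PowerShell script creates report-only Conditional Access policies for two of these recommendations: restricting MFA/SSPR security-info registration to trusted locations, and blocking access to Azure and Microsoft 365 administration portals from untrusted locations. It assumes the Microsoft.Graph PowerShell module is installed, that the account running it holds the Policy.ReadWrite.ConditionalAccess permission, and that at least one named location is already marked as trusted in the tenant.

```powershell
# Added example: two Entra ID Conditional Access policies created via the Microsoft Graph
# PowerShell SDK. Both start in report-only mode so sign-in logs can be reviewed for
# legitimate traffic that would be blocked before the policies are switched to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Policy 1: secure MFA/SSPR registration.
# "urn:user:registersecurityinfo" is the Conditional Access user action for registering
# security information; the policy blocks that action from every non-trusted location,
# which removes the attacker's ability to enrol a new MFA method after a help-desk reset.
$registrationPolicy = @{
    displayName   = "CA-ReportOnly-SecurityInfoRegistration-TrustedLocationsOnly"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # Exclude break-glass accounts before enforcing, or you can lock yourself out.
        users        = @{ includeUsers = @("All") }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $registrationPolicy

# Policy 2: block external access to Azure and Microsoft 365 administration features.
# 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known application ID of the
# Windows Azure Service Management API (Azure portal / Resource Manager), and
# "MicrosoftAdminPortals" is the Conditional Access target for the Microsoft 365 admin
# centres. Both values come from Microsoft documentation; confirm them in your tenant.
$adminPortalPolicy = @{
    displayName   = "CA-ReportOnly-AdminPortals-TrustedLocationsOnly"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }   # narrow to admin roles if preferred
        applications = @{
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013", "MicrosoftAdminPortals")
        }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPortalPolicy

# Review what each policy would have blocked before enforcing it:
# Entra admin centre > Sign-in logs > filter "Conditional Access: Report-only" > Failure.
```

Once the report-only results show no legitimate administrative or registration traffic from untrusted locations, change `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy`.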

Distribution: This report is for all organizations, especially those operating in industries targeted by UNC3944. It is also useful for cybersecurity professionals and analysts seeking to understand the threat landscape.

Source: Mandiant – https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware?s=09
