UNC3944 Targets SaaS Applications

UNC3944, a financially motivated threat group, has been active since at least May 2022 and has evolved its tactics from credential harvesting to primarily data theft extortion without ransomware. They exploit vulnerabilities in software-as-a-service (SaaS) applications and leverage social engineering tactics to gain access to privileged accounts. They have also developed methods to persist within victim environments, including creating new virtual machines and bypassing authentication controls.

The group targets a range of industries and organizations, using fear-mongering tactics to obtain victim credentials. UNC3944 has also expanded its operations to SaaS applications, abusing Okta permissions and conducting reconnaissance in applications such as CyberArk and Salesforce. It exfiltrates data through cloud synchronization utilities to external, attacker-owned cloud storage. Traditional security controls are often ineffective against these methods, and Mandiant recommends heightened monitoring of SaaS applications and stricter access policies to limit their impact.

Security Officer Comments:
Several sophisticated threat actors have targeted cloud-based services in recent years. Chinese state-sponsored group APT10 has been known to target Amazon Web Services (AWS) and Microsoft Azure, while Russian-speaking CloudHopper is believed to be sponsored by the Russian government and has also attacked AWS and other cloud providers. Suckfly, thought to be of Chinese origin, has targeted Office 365 and Google Workspace (formerly G Suite), as has DarkHotel, which may be of Russian or Eastern European origin.

Turla, a Russian-speaking group, targets government agencies, military organizations, and defense contractors that use cloud infrastructure. North Korean state-sponsored APT38 is believed to be responsible for attacks on AWS and other cloud providers, as well as financial sector targets. Meanwhile, the highly advanced Equation Group, thought to be sponsored by the US government, has targeted high-value assets including cloud infrastructure. Finally, Sandworm Team, a Russian-speaking group, has been linked to attacks on Ukraine's power grid and critical infrastructure that use cloud services.

Suggested Corrections:
“Several courses of action can help to mitigate persistence or increased access in a targeted environment. Mandiant recommends utilizing both host-based certificates coupled with multi-factor authentication for any VPN access. Additionally, creating stricter conditional access policies to control what is visible inside of a cloud tenant can limit overall impact.

Multiple detection opportunities exist to assist with a speedier identification of possible compromise. Mandiant recommends heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices.

SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues. For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent” (CloudGoogle, 2024).
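As an added example (not Mandiant's or the page's own code), the Python below sketches two of the detections the quoted guidance lists, run over constructed, centralized log events: an MFA factor enrollment that follows a factor reset for the same user within a short window (a re-registration), and a VM creation by an account outside an assumed provisioning allowlist. The event schema, field names, account names and the 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed, normalized events as a central log store might hold them after
# ingesting an identity provider ("idp") and a virtualization platform ("vsphere").
# Sample data only; not taken from any real tenant.
EVENTS = [
    {"ts": "2024-06-10T09:00:00", "src": "idp", "user": "alice", "action": "mfa_factor_reset", "actor": "helpdesk"},
    {"ts": "2024-06-10T09:04:00", "src": "idp", "user": "alice", "action": "mfa_factor_enrolled", "actor": "alice"},
    {"ts": "2024-06-10T09:30:00", "src": "idp", "user": "bob", "action": "mfa_factor_enrolled", "actor": "bob"},
    {"ts": "2024-06-10T11:00:00", "src": "vsphere", "user": "alice", "action": "vm_created", "actor": "alice"},
    {"ts": "2024-06-10T11:05:00", "src": "vsphere", "user": "svc-provision", "action": "vm_created", "actor": "svc-provision"},
]

RESET_WINDOW = timedelta(minutes=30)          # assumed: how soon after a reset an enrollment is suspicious
PROVISIONING_ACCOUNTS = {"svc-provision"}     # hypothetical allowlist of identities expected to create VMs


def _t(event):
    return datetime.fromisoformat(event["ts"])


def mfa_reregistrations(events, window=RESET_WINDOW):
    """Return (user, ts) for MFA enrollments within `window` of a factor reset for that user."""
    alerts, last_reset = [], {}
    for e in sorted(events, key=_t):
        if e["src"] != "idp":
            continue
        if e["action"] == "mfa_factor_reset":
            last_reset[e["user"]] = _t(e)
        elif e["action"] == "mfa_factor_enrolled":
            reset_at = last_reset.get(e["user"])
            # First-time enrollments (no prior reset) are normal onboarding and are not flagged.
            if reset_at is not None and _t(e) - reset_at <= window:
                alerts.append((e["user"], e["ts"]))
    return alerts


def unexpected_vm_creations(events, allowed=PROVISIONING_ACCOUNTS):
    """Return (user, ts) for VM creations performed by an actor outside the allowlist."""
    return [(e["user"], e["ts"]) for e in events
            if e["action"] == "vm_created" and e["actor"] not in allowed]


def correlate(events):
    """Users who re-registered MFA and then created a VM: the persistence pattern described above."""
    mfa_users = {user for user, _ in mfa_reregistrations(events)}
    return sorted({user for user, _ in unexpected_vm_creations(events) if user in mfa_users})
```

Run against the sample, `correlate(EVENTS)` returns `["alice"]`; in practice the two rules would be fed from the centralized SaaS, identity and virtualization logs the guidance recommends collecting.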