Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines (Google Cloud Blog)

UNC3944, which overlaps with public reporting on Scattered Spider, is a financially motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media.

Google Threat Intelligence Group (GTIG) observed a decline in UNC3944 activity after 2024 law enforcement actions against individuals allegedly associated with the group. Threat actors will often temporarily halt or significantly curtail operations after an arrest, possibly to reduce law enforcement attention, rebuild capabilities and/or partnerships, or shift to new tooling to evade detection. UNC3944's existing ties to a broader community of threat actors could potentially help them recover from law enforcement actions more quickly.

Recent public reporting has suggested that threat actors used tactics consistent with Scattered Spider to target a UK retail organization and deploy DragonForce ransomware. Subsequent reporting by BBC News indicates that actors associated with DragonForce claimed responsibility for attempted attacks at multiple UK retailers. Notably, the operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service (RaaS) that seemingly ceased operations in March of this year. UNC3944 was a RansomHub affiliate in 2024, after the ALPHV (aka Blackcat) RaaS shut down. While GTIG has not independently confirmed the
involvement of UNC3944 or the DragonForce RaaS, over the past few years retail organizations have been increasingly posted on tracked data leak sites (DLS) used by extortion actors to pressure victims and/or leak stolen victim data. Retail organizations accounted for 11 percent of DLS victims in 2025 thus far, up from about 8.5 percent in 2024 and 6 percent in 2022 and 2023. It is plausible that threat actors, including UNC3944, view retail organizations as attractive targets given that they typically possess large quantities of personally identifiable information (PII) and financial data. Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.

[Figure: UNC3944 global targeting map]

We have observed the following patterns in UNC3944 victimology:

- Targeted Sectors: The group targets a wide range of sectors, with a notable focus on Technology, Telecommunications, Financial Services, Business Process Outsourcing (BPO), Gaming, Hospitality, Retail, and Media and Entertainment organizations.
- Geographical Focus: Targets are primarily located in English-speaking countries, including the United States, Canada, the United Kingdom, and Australia. More recent campaigns have also included targets in Singapore and India.
- Victim Organization Size: UNC3944 often targets large enterprise organizations, likely due to the potential for higher impact and ransom demands. They specifically target organizations with large help desk and outsourced IT functions, which are susceptible to their social engineering tactics.

A high-level overview of UNC3944 tactics, techniques, and procedures (TTPs) is noted in the following figure.

[Figure: UNC3944 attack lifecycle]

The following provides prioritized recommendations to protect against tactics utilized by UNC3944, organized within the pillars of:

- Identity
- Endpoints
- Applications and Resources
- Network Infrastructure
- Monitoring / Detections

While implementing the full suite of the recommendations in this guide will
generally have some impact on IT and normal operations, Mandiant's extensive experience supporting organizations to defend against, contain, and eradicate UNC3944 has shown that an effective starting point involves prioritizing specific areas. Organizations should begin by focusing on recommendations that:

- Achieve complete visibility across all infrastructure, identity, and critical management services
- Ensure the segregation of identities throughout the infrastructure
- Enhance strong authentication criteria
- Enforce rigorous identity controls for password resets and multi-factor authentication (MFA) registration
- Educate and communicate the importance of remaining vigilant against modern-day social engineering attack campaigns (see the Social Engineering Awareness section later in this post). UNC3944 campaigns not only target end users but also IT and administrative personnel within enterprise environments.

These serve as critical foundational measures upon which other recommendations in this guide can be built.

Google SecOps customers benefit from existing protections that actively detect and alert on UNC3944 activity.

UNC3944 has proven to be very prolific in using social engineering techniques to impersonate users when contacting the help desk. Therefore, further securing the "positive identity" process is critical.

Train help desk personnel to positively identify employees before modifying or providing security information, including initial enrollment. At a minimum, this process should be required for any privileged accounts and should include methods such as:

- On-camera / in-person verification
- ID verification
- Challenge/response questions

If a suspected compromise is imminent or has occurred, temporarily disable or enhance validation for self-service password reset methods. Any account management activities should require a positive identity verification as the first step. Additionally, employees should be required to authenticate using strong authentication PRIOR to changing
authentication methods (e.g., adding a new MFA device). Additionally, implement use of:

- Trusted locations
- Notification of authentication/security changes
- Out-of-band verification for high-risk changes. For example, require a callback to a registered number or confirmation via a known corporate email before proceeding with any sensitive request.
- Avoid reliance on publicly available personal data for verification (e.g., DOB, last 4 of SSN), as UNC3944 often possesses this information. Use internal-only knowledge or real-time presence verification when possible.
- Temporarily disable self-service MFA resets during elevated threat periods and route all such changes through manual help desk workflows with enhanced scrutiny.

To protect against social engineering or other methods used to bypass authentication controls:

- Remove SMS, phone call, and/or email as authentication controls
- Utilize an authenticator app that requires phishing-resistant MFA (e.g., number matching and/or geo-verification)
- If possible, transition to passwordless authentication
- Leverage FIDO2 security keys for authenticating identities that are assigned privileged roles
- Ensure administrative users cannot register or use legacy MFA methods, even if those are permitted for lower-tier users
- Enforce multi-context criteria to enrich the authentication transaction. Examples include not only validating the identity but also specific device and location attributes as part of the authentication transaction.
  - For organizations that leverage Google Workspace, these concepts can be enforced by using context-aware access policies.
  - For organizations that leverage Microsoft Entra ID, these concepts can be enforced by using a Conditional Access Policy.

To prevent compromised credentials from being leveraged for modifying and registering an attacker-controlled MFA method:

- Review authentication methods available for user registration and disallow any unnecessary or duplicative methods
- Restrict MFA registration and modification actions to only be
permissible from trusted IP locations and based upon device compliance. For organizations that leverage Microsoft Entra ID, this can be accomplished using a Conditional Access Policy.
- If a suspected compromise has occurred, MFA re-registration may be required. This action should only be permissible from corporate locations and/or trusted IP locations.
- Review specific IP locations that can bypass the requirement for MFA. If using Microsoft Entra ID, these can be in Named Locations and the legacy Service Settings.
- Investigate and alert when the same MFA method or phone number is registered across multiple user accounts, which may indicate attacker-controlled device registration.

To protect against privilege escalation and further access to an environment:

- For privileged access, decouple the organization's identity store (e.g., Active Directory) from infrastructure platforms, services, and cloud admin consoles. Organizations should create local administrator accounts (e.g., a local VMware vCenter admin account). Local administrator accounts should adhere to the following principles:
  - Created with long and complex passwords
  - Passwords should not be temporarily stored within the organization's password management or vault solution
  - Enforcement of multi-factor authentication (MFA)
- Restrict administrative portals to only be accessible from trusted locations and with privileged identities
- Leverage just-in-time controls for leveraging ("checking out") credentials associated with privileged actions
- Enforce access restrictions and boundaries that follow the principle of least privilege for accessing and administering cloud resources
  - For organizations that leverage Google Cloud, these concepts can be enforced by using IAM deny or principal access boundary policies.
  - For organizations that leverage Microsoft Entra ID, these concepts can be enforced by using Azure RBAC and Entra ID RBAC controls.
- Enforce that privileged accounts are hardened to prevent exposure or usage on non-Tier 0 or non-PAW endpoints
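The MFA registration controls above (restricting registration to trusted IP locations, and alerting when one method or phone number is tied to several accounts) can be checked mechanically against an exported audit log, and the same checks cover the review of MFA registration events recommended later in this post. The following Python is an added example, not code from this post or from Mandiant: the event field names, the trusted CIDR ranges, and the sample events are constructed assumptions rather than any vendor's log schema.

```python
"""Flag risky MFA registration events from an exported identity audit log.

Added example; the event shape, trusted networks and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Corporate egress ranges from which MFA registration is permitted (assumed values).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample events: one MFA registration action per record.
SAMPLE_EVENTS = [
    {"time": "2025-05-06T09:12:00Z", "user": "alice@example.com",
     "action": "Phone number added for MFA", "method": "sms:+15550100", "ip": "203.0.113.17"},
    {"time": "2025-05-06T09:40:00Z", "user": "bob@example.com",
     "action": "Authenticator app added", "method": "app:device-7f3a", "ip": "203.0.113.22"},
    {"time": "2025-05-06T11:05:00Z", "user": "carol@example.com",
     "action": "Phone number added for MFA", "method": "sms:+15550100", "ip": "198.51.100.9"},
    {"time": "2025-05-06T11:06:00Z", "user": "dave@example.com",
     "action": "Phone number added for MFA", "method": "sms:+15550100", "ip": "192.0.2.77"},
    {"time": "2025-05-06T11:20:00Z", "user": "erin@example.com",
     "action": "Authenticator app added", "method": "app:device-7f3a", "ip": "192.0.2.77"},
]


def parse_time(stamp: str) -> datetime:
    """Parse the UTC timestamp format used by the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_trusted_ip(ip: str) -> bool:
    """True when the source address falls inside an allowed registration range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def shared_methods(events):
    """Return {method: sorted users} for every MFA method tied to more than one account."""
    users_by_method = defaultdict(set)
    for ev in events:
        users_by_method[ev["method"]].add(ev["user"])
    return {m: sorted(u) for m, u in users_by_method.items() if len(u) > 1}


def registrations_from_untrusted_ips(events):
    """Events where registration happened outside the trusted IP locations."""
    return [ev for ev in events if not is_trusted_ip(ev["ip"])]


def registration_bursts(events, window_minutes=60):
    """Return {ip: users} where one source IP registered MFA for >1 account within the window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append((parse_time(ev["time"]), ev["user"]))
    bursts = {}
    for ip, entries in by_ip.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            users = {u for t, u in entries[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(users) > 1:
                bursts[ip] = sorted(users)
                break
    return bursts


def triage(events):
    """Combine the three checks into a flat list of alert records for analyst review."""
    alerts = []
    for method, users in shared_methods(events).items():
        alerts.append({"rule": "shared_mfa_method", "method": method, "users": users})
    for ev in registrations_from_untrusted_ips(events):
        alerts.append({"rule": "untrusted_registration_ip", "user": ev["user"],
                       "ip": ev["ip"], "method": ev["method"]})
    for ip, users in registration_bursts(events).items():
        alerts.append({"rule": "registration_burst", "ip": ip, "users": users})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Each alert still needs the follow-up the post describes: compare the registration against onboarding or device enrollment records and contact the user to confirm the change was intentional.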
Modern-day authentication is predicated on more than just a singular password. Therefore, organizations should ensure that processes and associated playbooks include steps to:

- Revoke tokens and access keys
- Review MFA device registrations
- Review changes to authentication requirements
- Review newly enrolled devices and endpoints

An authentication transaction should not only include strong requirements for identity verification but also require that the device be authenticated and validated. Organizations should consider the ability to:

- Enforce posture checks for devices remotely connecting to an environment (e.g., via a VPN). Example posture checks for devices include:
  - Validating the installation of a required host-based certificate on each endpoint
  - Verifying that the endpoint operates on an approved Operating System (OS) and meets version requirements
  - Confirming the organization's Endpoint Detection and Response (EDR) agent is installed and actively running
- Enforce EDR installation and monitoring for all managed endpoint devices

To protect against threat actors leveraging rogue endpoints to access an environment, organizations should:

- Monitor for rogue bastion hosts or virtual machines that are either newly created or recently joined to a managed domain
- Harden policies to restrict the ability to join devices to Entra or on-premises Active Directory
- Review authentication logs for devices that contain default Windows host names

To protect against lateral movement using compromised credentials, organizations should:

- Limit the ability for local accounts to be used for remote network-based authentication
- Disable or restrict local administrative and/or hidden shares from being remotely accessible
- Enforce local firewall rules to block inbound SMB, RDP, WinRM, PowerShell, and WMI
- For domain-based privileged and service accounts, where possible, organizations should restrict the ability for accounts to be leveraged for remote authentication to endpoints. This can be accomplished using a Group
Policy Object (GPO) configuration for the following user rights assignments:
  - Deny log on locally
  - Deny log on through Remote Desktop Services
  - Deny access to this computer from the network
  - Deny log on as a batch job
  - Deny log on as a service

Threat actors may attempt to change or disable VPN agents to limit network visibility by security teams. Therefore, organizations should:

- Disable the ability for end users to modify VPN agent configurations
- Ensure appropriate logging when configuration changes are made to VPN agents
- For managed devices, consider an "Always-On" VPN configuration to ensure continuous protection

To protect against threat actors attempting to gain access to privileged access management (PAM) systems, organizations should:

- Isolate and enforce network and identity access restrictions for enterprise password managers or PAM systems. This should also include leveraging dedicated and segmented servers/appliances for PAM systems which are isolated from enterprise infrastructure and virtualization platforms.
- Reduce the scope of accounts that have access to PAM systems, in addition to requiring strong authentication (MFA)
- Enforce role-based access controls (RBAC) within PAM systems, restricting the scope of accounts that can be accessed based upon an assigned role
- Follow the principle of just-in-time (JIT) access for checking out credentials stored in PAM systems

To protect against threat actors attempting to gain access to virtualization infrastructure, organizations should:

- Isolate and restrict access to ESXi hosts and vCenter Server Appliances
- Ensure that backups of virtual machines are isolated, secured, and immutable if possible
- Unbind the authentication for administrative access to virtualization platforms from the centralized identity provider (IdP). This includes individual ESXi hosts and vCenter Servers.
- Proactively rotate local root/administrative passwords for privileged identities associated with virtualization platforms
- If possible, use
stronger MFA and bind to local SSO for all administrative access to virtualization infrastructure
- Enforce randomized passwords for local root/administrative identities correlating to each virtualized host that is part of an aggregate pool
- Disable or restrict SSH shell access to virtualization platforms
- Enable lockdown mode on all ESXi hosts
- Enhance monitoring to identify potentially malicious or suspicious authentication attempts and activities associated with virtualization platforms

To protect against threat actors attempting to gain access to backup infrastructure and data, organizations should:

- Leverage unique and separate (non-identity-provider-integrated) credentials for accessing and managing backup infrastructure, in addition to the enforcement of MFA for the accounts
- Ensure that backup servers are isolated from the production environment and reside within a dedicated network. To further protect backups, they should be within an immutable backup solution.
- Implement access controls that restrict inbound traffic and protocols for accessing administrative interfaces associated with backup infrastructure
- Periodically validate the protection and integrity of backups by simulating adversarial behaviors (red teaming)

To protect against threat actors weaponizing endpoint security and management technologies, such as EDR and patch management tools, organizations should:

- Segment administrative access to endpoint security tooling platforms
- Reduce the scope of identities that have the ability to create, edit, or delete Group Policy Objects (GPOs) in on-premises Active Directory
- If Intune is leveraged, enforce Intune access policies that require multi-administrator approval (MMA) to approve and enforce changes
- Monitor and review unauthorized access to EDR and patch management technologies
- Monitor script and application deployment on endpoints and systems using EDR and patch management technologies
- Review and monitor "allowlisted" executables, processes, paths, and
applications
- Inventory installed applications on endpoints and review for potential unauthorized installations of remote access tools (RATs) and reconnaissance tools

To protect against threat actors leveraging access to cloud infrastructure for additional persistence and access, organizations should:

- Monitor and review cloud resource configurations to identify and investigate newly created resources, exposed services, or other unauthorized configurations
- Monitor cloud infrastructure for newly created or modified network security group (NSG) rules, firewall rules, or publicly exposed resources that can be remotely accessed
- Monitor for the creation of programmatic keys and credentials (e.g., access keys)

To proactively identify exposed applications and ingress pathways, and to reduce the risk of unauthorized access, organizations should:

- Leverage vulnerability scanning to perform an external, unauthenticated scan to identify publicly exposed domains, IPs, and CIDR IP ranges
- Enforce strong authentication (e.g., phishing-resistant MFA) for accessing any applications and services that are publicly accessible
- For sensitive data and applications, enforce connectivity to cloud environments and SaaS applications to only be permissible from specific trusted IP ranges
- Block TOR exit node and VPS IP ranges

The terminology of "Trusted Service Infrastructure" (TSI) is typically associated with management interfaces for platforms and technologies that provide core services for an organization. Examples include:

- Asset and Patch Management Tools
- Network Management Tools and Devices
- Virtualization Platforms
- Backup Technologies
- Security Tooling
- Privileged Access Management Systems

To minimize the direct access and exposure of the management plane for TSI, organizations should:

- Restrict access to TSI to only originate from internal hardened network segments or PAWs
- Create detections focused on monitoring network traffic patterns for directly accessing TSI and alert on anomalies or suspicious traffic

To
restrict the ability for command-and-control and reduce the capabilities for mass data exfiltration, organizations should:

- Restrict egress communications from all servers. Organizations should prioritize enforcing egress restrictions from servers associated with TSI, Active Directory domain controllers, and crown jewel application and data servers.
- Block outbound traffic to malicious domain names and IP addresses, and to domain names/addresses associated with remote access tools (RATs)

Upon initial compromise, UNC3944 is known to search for documentation on topics such as user provisioning, MFA and/or device registration, network diagrams, and shared credentials in documents or spreadsheets.

UNC3944 will also use network reconnaissance tools like ADRecon, ADExplorer, and SharpHound. Therefore, organizations should:

- Ensure any sites or portals that include these documents have access restrictions to only required accounts
- Sweep for documents and spreadsheets that may contain shared credentials and remove them
- Implement alerting rules on endpoints with EDR agents for possible execution of known reconnaissance tools
- If utilizing an identity monitoring solution, ensure detection rules are enabled and alerts are created for any reconnaissance and discovery detections
- Implement an automated mechanism to continuously monitor domain registrations. Identify domains that mimic the organization's naming conventions, for instance YourOrganizationNamehelpdesk.com or YourOrganizationNameSSO.com.

To further harden the MFA registration process, organizations should:

- Review logs to specifically identify events related to the registration or addition of new MFA devices or methods, to include actions similar to:
  - MFA device registered
  - Authenticator app added
  - Phone number added for MFA
  - The same MFA device, method, or phone number being associated with multiple users
- Verify the legitimacy of new registrations against expected user behavior and any onboarding or device enrollment records
- Contact users if new
registrations are detected to confirm if the activity is intentional

To protect against social engineering and/or unauthorized access or modifications to communication platforms, organizations should:

- Review organizational policies around communication tools such as Microsoft Teams
- Allow only trusted external domains for expected vendors and partners
- If external domains cannot be blocked, create a baseline of trusted domains and alert on new domains that attempt to contact employees
- Provide awareness training to employees and staff to directly contact the organization's help desk if they receive suspicious calls or messages

The following is a Microsoft Defender advanced hunting query example. The query is written to detect when an external account attempting to impersonate the help desk attempts to contact the organization's users.

Note: The DisplayName field can be modified to include other relevant fields specific to the organization, such as "IT Support" or "ServiceDesk".

The following is a Google SecOps search query example.

Note: The DisplayName field can be modified to include other relevant fields specific to the organization, such as "IT Support" or "ServiceDesk".

Detections should include:

- Authentication from infrequent locations, including from proxy and VPN service providers
- Attempts made to change authentication methods or criteria
- Monitoring and hunting for authentication anomalies based upon social engineering tactics

UNC3944 has been known to modify requirements for the use of multi-factor authentication. Therefore, organizations should:

- For Entra ID, monitor for modifications to any Trusted Named Locations that may be used to bypass the requirement for MFA
- For Entra ID, monitor for changes to Conditional Access Policies that enforce MFA, specifically focusing on exclusions of compromised user accounts and/or devices for an associated policy
- Ensure the SOC has visibility into token replay or suspicious device logins, aligning workflows that can trigger
step-up re-authentication when suspicious activity is detected

For organizations that are using Microsoft Entra ID, monitor for possible abuse of Entra ID Identity Federation:

- Check domain names that are registered in the Entra ID tenant, paying particular attention to domains that are marked as Federated
- Review the Federation configuration of these domains to ensure that they are correct
- Monitor for creation of any new domains within the tenant and for changing the authentication method to be Federated

Abuse of Domain Federation requires the account accomplishing the changes to have administrative permissions in Entra ID. Hardening of all administrative accounts, portals, and programmatic access is imperative.

UNC3944 is extremely proficient at using multiple forms of social engineering to convince users into doing something that will allow them to gain access. Organizations should educate users to be aware of, and notify internal security teams of, attempts that utilize the following tactics:

- SMS phishing messages that claim to be from IT, requesting users to download and install software on their machine. These may include claims that the user's machine is out of compliance or is failing to report to internal management systems.
- SMS messages or emails with links to sites that reference domain names that appear legitimate and reference SSO (single sign-on) and a variation of the company name. Messages may include text informing the user that they need to reset their password and/or MFA.
- Phone calls to users from "IT" with requests to reset a password and/or MFA, or requesting that the user provide a validated one-time passcode (OTP) from their device
- SMS messages or emails with requests to be granted access to a particular system, particularly if the organization already has an established method for provisioning access
- MFA fatigue attacks, where attackers may repeatedly send MFA push notifications to a victim's device until the user unintentionally, or out of frustration, accepts one.
Organizations should train users to reject unexpected MFA prompts and report such activity immediately.
- Impersonation via collaboration tools: UNC3944 has used platforms like Microsoft Teams to pose as internal IT support or service desk personnel. Organizations should train users to verify unusual chat messages and avoid sharing credentials or MFA codes over internal collaboration tools like Microsoft Teams. Limiting external domains and monitoring for impersonation attempts (e.g., usernames containing "helpdesk" or "support") is advised.
- In rare cases, attackers have used doxxing threats or aggressive language to scare users into compliance. Ensure employees understand this tactic and know that the organization will support them if they report these incidents.
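The collaboration-tool impersonation checks described in this post (an external sender with a help-desk style display name, a sender domain outside the trusted external baseline, or a sender domain that embeds the organization's name) can be expressed as one triage routine over exported chat contact records. The Python below is an added example: it is not the post's Defender advanced hunting or Google SecOps query and not code from Mandiant or Microsoft. The organization domain, the trusted vendor baseline, the record field names, and the sample messages are constructed assumptions.

```python
"""Flag external collaboration-platform contacts that look like help desk impersonation.

Added example; the domains, record fields and sample messages are assumptions.
"""
import re

ORG_DOMAIN = "acme.example"                        # assumed organization domain
ORG_NAME_TOKEN = "acme"                            # assumed brand token to watch for in lookalike domains
TRUSTED_EXTERNAL_DOMAINS = {"vendor.example"}     # assumed baseline of expected vendors and partners

# Display-name keywords from the post ("helpdesk", "support") plus the variants it mentions.
HELP_DESK_KEYWORDS = ("helpdesk", "servicedesk", "itsupport", "support")

# Constructed sample records: one external (or internal) chat contact attempt each.
SAMPLE_MESSAGES = [
    {"display_name": "Help Desk", "sender_upn": "helpdesk@acme-helpdesk.example",
     "recipient": "alice@acme.example", "text": "Please share the code we just sent you."},
    {"display_name": "Pat Vendor", "sender_upn": "pat@vendor.example",
     "recipient": "bob@acme.example", "text": "Invoice attached for April."},
    {"display_name": "Service Desk", "sender_upn": "servicedesk@acme.example",
     "recipient": "carol@acme.example", "text": "Your laptop refresh is scheduled."},
    {"display_name": "Sam", "sender_upn": "sam@newvendor.example",
     "recipient": "dave@acme.example", "text": "Hi, quick question about the contract."},
    {"display_name": "IT Support", "sender_upn": "ops@vendor.example",
     "recipient": "erin@acme.example", "text": "We need you to approve an MFA prompt."},
]


def normalize(text: str) -> str:
    """Lower-case and strip everything but letters and digits so 'Help Desk' == 'helpdesk'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def sender_domain(upn: str) -> str:
    """Domain part of a user principal name, lower-cased."""
    return upn.rsplit("@", 1)[-1].lower()


def looks_like_help_desk(display_name: str) -> bool:
    """True when the display name contains a help-desk style keyword."""
    name = normalize(display_name)
    return any(keyword in name for keyword in HELP_DESK_KEYWORDS)


def is_lookalike_domain(domain: str) -> bool:
    """True for a non-baseline external domain that embeds the organization's name."""
    return (domain != ORG_DOMAIN
            and domain not in TRUSTED_EXTERNAL_DOMAINS
            and ORG_NAME_TOKEN in normalize(domain))


def evaluate_message(msg) -> list:
    """Return the reasons a contact attempt should be reviewed; empty means no finding."""
    domain = sender_domain(msg["sender_upn"])
    if domain == ORG_DOMAIN:
        return []  # internal senders are outside the scope of this external-contact rule
    reasons = []
    if looks_like_help_desk(msg["display_name"]):
        reasons.append("external sender using help-desk style display name")
    if domain not in TRUSTED_EXTERNAL_DOMAINS:
        reasons.append("sender domain not in trusted external baseline")
    if is_lookalike_domain(domain):
        reasons.append("sender domain embeds the organization's name")
    return reasons


def scan(messages) -> dict:
    """Map each flagged sender UPN to its list of reasons."""
    findings = {}
    for msg in messages:
        reasons = evaluate_message(msg)
        if reasons:
            findings[msg["sender_upn"]] = reasons
    return findings


if __name__ == "__main__":
    for upn, reasons in scan(SAMPLE_MESSAGES).items():
        print(upn, "->", "; ".join(reasons))
```

The baseline check and the display-name check are deliberately independent: a sender from a trusted vendor domain still raises a finding when it presents itself as "IT Support", and a brand-new domain raises a finding even with an innocuous display name, which is the behaviour the post asks for when external domains cannot simply be blocked.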