UNC961: Three Encounters with a Financially Motivated Threat Actor

Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations, each of which began in a similar fashion. Two of these victims were under the protection of Managed Defense, which identified and responded to the threat before significant impact occurred. In the third intrusion, the Mandiant Incident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966.



ATT&CK IDs:

T1003 - OS Credential Dumping
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021 - Remote Services
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1059 - Command and Scripting Interpreter
T1069 - Permission Groups Discovery
T1070 - Indicator Removal on Host
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery
T1098 - Account Manipulation
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1135 - Network Share Discovery
T1136 - Create Account
T1140 - Deobfuscate/Decode Files or Information
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1482 - Domain Trust Discovery
T1505 - Server Software Component
T1543 - Create or Modify System Process
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1569 - System Services
T1572 - Protocol Tunneling
