home.social

#unc3944 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #unc3944, aggregated by home.social.

  1. Scattered Spider hackers shift focus to aviation, transportation firms

    If you work in aviation or transportation, LISTEN

    • Scattered Spider is actively targeting your industry.
    • They are using trycloudflare.com to deliver Chisel, a FOSS encrypted reverse proxy.

    ACTION ITEMS:

    • block trycloudflare.com by FQDN.
    • make sure you are using IPS or app signatures on your firewalls to detect the chisel traffic.

    NOTE: Chisel is encrypted, so you need to be doing full SSL inspection (TLSI) to effectively detect and block the app.

    Additional Resources:

    Please don't let this fuck up your 4th.

    #ScatteredSpider #UNC3944 #Chisel #ChiselMalware #ThreatIntel #CyberSecurity

  2. We were warned this would happen. And now here we are.

    United Natural Foods ($UNFI) has had to switch off systems after a cyberattack, crippling its operations. This is a huge deal, because #UNFI is a big part of the grocery distribution network in the U.S. and Canada.

    Once again, it looks like the work of #UNC3944, a/k/a #ScatteredSpider. In #SBBlogwatch, we hoard canned goods.

    @TheFuturumGroup @TechstrongGroup @SecurityBlvd: securityboulevard.com/2025/06/

  3. Three major British retailers recently attacked, resulting in huge damage. Now we see the self-same scum spotlighting stores in the States.

    Google’s Mandiant threat intelligence team issued this dire warning yesterday. The scrotes appear to be #UNC3944, a/k/a #ScatteredSpider, a casual confederacy of criminals wielding #DragonForce #ransomware.

    “Shields up, U.S. retailers,” quipped Mandiant’s chief analyst. In #SBBlogwatch, we hail the Kobayashi Maru.

    @TheFuturumGroup @TechstrongGroup @SecurityBlvd: securityboulevard.com/2025/05/

  4. I just finished a video on #UNC3944 aka #ScatteredSpider.

    If $dayjob doesn't get it online ASAP, I'll post it here soon.

    Stay tuned...

  5. Cryptocurrency exchange operator Coinbase have disclosed an attempted intrusion by #UNC3944/#ScatteredSpider from early February.

    The attack used SMS Phishing (#Smishing) to deliver a malicious URL that pointed to a credential harvesting campaign, but thankfully despite an employee falling for the fake login page, they hesitated when the attackers attempted to socially engineer their way past MFA protections.

    UNC3944 is a highly capable actor that has only been growing in sophistication since their debut in the 0ktapus campaign of 2022, and one that every organisation should be wary of.

    We've summarised the key TTP overlaps between these intrusions and provided some tips on how to enhance the resistance of your MFA solutions against social engineering and MFA fatigue attacks: opalsec.substack.com/p/return-

    #infosec #cyber #informationsecurity #cybersecurity #security #technology #soc #threatintel #threatintelligence #hacked #hacking #hacker #compromise #coinbase #crypto #cryptocurrencies