The Scattered Spider Group Ramps Up Cloud Attacks
Threat Group: Scattered Spider
Threat Type: Cybercrime Group (Focused on Cloud Environments, Ransomware)
Exploited Vulnerabilities: Azure Cross-Tenant Synchronization, Federated Identity Providers, Cloud Platforms
Malware Used: AlphV ransomware
Threat Score: High (8.8/10) — Due to its sophisticated exploitation of cloud-based systems, privilege escalation methods, and use of advanced tools for lateral movement.
Last Threat Observation: September 12, 2024, in targeted attacks on the insurance and financial sectors.
Overview
Scattered Spider is a cybercriminal group that has gained notoriety for its focused attacks on cloud environments, particularly those in the insurance and financial industries. The group is known for its advanced techniques, including abusing Single Sign-On (SSO) systems, Cross-Tenant Synchronization within Microsoft Azure, and deploying open-source tools for reconnaissance and privilege escalation. Their persistent and highly adaptive methods make them a formidable adversary for organizations relying on cloud infrastructures.
In recent attacks observed in September 2024, Scattered Spider targeted critical financial sectors by leveraging cloud reconnaissance, remote management tools, and sophisticated security evasion techniques.
Key Details
- Cloud Reconnaissance: Scattered Spider focuses on breaching SSO-enabled dashboards and M365 services to access cloud platforms, including CRM systems and document storage services.
- Privilege Escalation: The group exploits Azure’s Cross-Tenant Synchronization (CTS) to synchronize users across multiple tenants, allowing lateral movement within compromised cloud environments.
- Security Evasion: Techniques include disabling Microsoft Defender, rebooting into Safe Mode to bypass security tools, and tampering with Windows Firewall settings.
- Advanced Persistence: Federated identity providers are used for persistent access, alongside tactics such as SIM swapping and social engineering of IT help desks.
- Use of Legitimate Tools: Remote desktop tools like AnyDesk, TeamViewer, and tunneling tools such as Ngrok are commonly utilized to maintain access and hide malicious activities.
Attack Vectors
Scattered Spider typically infiltrates cloud systems through the following methods:
- Exploiting SSO and M365: Compromising SSO systems to access cloud platforms like CRM and password managers.
- Privilege Escalation: Abuse of Cross-Tenant Synchronization in Microsoft Azure and leveraging federated identity providers.
- Remote Access Tools: Utilizing AnyDesk, TeamViewer, RustDesk, and MeshCentral for remote access and control.
- Cloud Tunneling: Tools like Ngrok, MobaXterm, and Proxifier are employed to create reverse proxies and bypass security controls.
- Social Engineering: Attacks include targeting IT personnel to gain insider access, often through SIM swapping and help desk exploitation.
Known Indicators of Compromise (IoCs)
IP Addresses (Defanged)
cssCopy code45[.]132[.]227[.]213
144[.]76[.]136[.]153
119[.]93[.]5[.]239
146[.]70[.]103[.]228
159[.]223[.]213[.]174
169[.]150[.]203[.]51
185[.]195[.]19[.]206
198[.]54[.]133[.]45
198[.]54[.]133[.]52
217[.]138[.]198[.]196
217[.]138[.]222[.]94
45[.]134[.]140[.]177
45[.]86[.]200[.]81
45[.]91[.]21[.]61
89[.]46[.]114[.]66
Domain Names (Defanged)
cssCopy codeactivecampaignhr[.]
comaflac-hr[.]
comallstate-hr[.]
comamica-hr[.]
comasurion-idp[.]
comathene-usa[.]
combell-hr[.]
comclicksend-staging[.]
comdesksso[.]
comeclerx-sso[.]
comfoundever-sso[.]
comfreshworks-sso[.]
netgemini-sso[.]
comvictimname-sso[.]
comvictimname-servicedesk[.]
comvictimname-okta[.]
com
Additional Techniques
- Deployment of AlphV ransomware on VMware ESXi hosts.
- SIM swapping for access to high-privilege accounts.
- Abuse of Azure Run Command for executing ransomware deployment scripts.
- Data exfiltration through S3 buckets, BackBlaze, and ETL tools like AirByte and Stitch.
Mitigation and Prevention
- Monitor Cloud Activity: Implement continuous monitoring of cloud platforms such as Microsoft Azure and M365 for unusual activities, particularly focusing on Cross-Tenant Synchronization.
- Harden SSO Systems: Ensure robust security measures for SSO-enabled platforms, including multi-factor authentication (MFA) and limiting privilege escalations.
- Endpoint Security: Regularly audit and update endpoint security configurations to prevent tampering with tools like Microsoft Defender or firewalls.
- Security Awareness Training: Train IT help desks and staff on identifying and reporting social engineering and SIM-swapping attempts.
- IoC Monitoring: Regularly update threat intelligence feeds with the provided IoCs, and configure SIEM systems to detect these specific indicators.
Conclusion
The Scattered Spider group represents a highly dangerous threat to organizations operating within cloud environments, especially those in the financial and insurance sectors. Their advanced use of legitimate tools and cloud services for malicious purposes makes them difficult to detect. Vigilant monitoring of cloud activity, strong endpoint security measures, and regular updates of threat intelligence feeds are essential in combating this evolving threat.
Sources
- Canopius, "Scattered Spider Report", Canopius
- CISA, "Scattered Spider", CISA
- SOCRadar, "Dark Web Profile: Scattered Spider", SOCRadar
- EclecticIQ, "Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries", EclecticIQ
- OccamSec, "Scattered Spider IOCs", OccamSec
- Sekoia.io Blog, "Scattered Spider laying new eggs", Sekoia.io
- CrowdStrike, "Scattered Spider", CrowdStrike
- Trellix, "Scattered Spider: The Modus Operandi", Trellix