17 June 2024

Scattered Spider hackers switch focus to cloud apps for data theft


The notorious cybercriminal group Scattered Spider, also known as Octo Tempest, 0ktapus, Scatter Swine, and UNC3944, has recently shifted its focus towards data theft from software-as-a-service (SaaS) applications, a new report from Mandiant reveals.

Scattered Spider has been active since at least May 2022 and is known for its sophisticated social engineering attacks. These attacks often involve SMS phishing, SIM swapping, and account hijacking to gain on-premises access. The group, primarily operating through underground communities on Telegram, hacking forums, and Discord servers, has developed a reputation for its aggressive and varied tactics.

Initially, UNC3944 concentrated on credential harvesting and SIM swapping attacks. Over time, the threat actor expanded its operations to include ransomware and data theft extortion. Recently, however, the group has focused more on data theft extortion without deploying ransomware. To intimidate victims into compliance, UNC3944 has employed various tactics, including threats of doxxing personal information, physical harm, and the distribution of compromising material.

The typical attack pattern involves social engineering tactics aimed at service desks. By claiming to need a multi-factor authentication (MFA) reset for a new phone, the threat actor manipulates administrators into resetting passwords for privileged accounts, thus bypassing MFA protections. Once inside a target's system, UNC3944 conducts thorough internal reconnaissance, particularly within Microsoft applications like SharePoint, to gather information on remote connection requirements and other sensitive documentation.

UNC3944 has also been observed abusing Okta permissions. By self-assigning a compromised account to every application within an Okta instance, they escalate their privileges, allowing them to explore and exploit various SaaS and cloud applications. This includes conducting internal reconnaissance through the Okta web portal to identify available application tiles.

In several documented cases, Mandiant has observed UNC3944 accessing platforms like vSphere and Azure via single sign-on (SSO) applications to create new virtual machines. These machines are then reconfigured using publicly available utilities such as MAS_AIO and privacy-script.bat to deactivate security policies. The group further exploits a lack of endpoint monitoring to download tools like Mimikatz, ADRecon, and various covert tunneling tools, facilitating access without the need for VPN or MFA. The attackers also install Python libraries such as Impacket to aid in their operations.

UNC3944's pivot to targeting SaaS applications includes accessing systems hosted through MFA providers. Their targets have included high-profile applications such as vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and GCP. Additionally, Mandiant has reported that UNC3944 targets Active Directory Federation Services (ADFS) to export ADFS certificates, further extending their reach and control within compromised environments.
