The notorious cybercriminal group Scattered Spider, also known as Octo Tempest, 0ktapus, Scatter Swine, and UNC3944, has recently shifted its focus towards data theft from software-as-a-service (SaaS) applications, a new report from Mandiant reveals.
Scattered Spider has been active since at least May 2022 and is known for its sophisticated social engineering attacks. These attacks often involve SMS phishing, SIM swapping, and account hijacking to gain on-premises access. The group, primarily operating through underground communities on Telegram, hacking forums, and Discord servers, has developed a reputation for its aggressive and varied tactics.
Initially, UNC3944 concentrated on credential harvesting and SIM swapping attacks. Over time, the threat actor expanded its operations to include ransomware and data theft extortion. Recently, however, the group has focused more on data theft extortion without deploying ransomware. To intimidate victims into compliance, UNC3944 has employed various tactics, including threats of doxxing personal information, physical harm, and the distribution of compromising material.
The typical attack pattern involves social engineering tactics aimed at service desks. By claiming to need a multi-factor authentication (MFA) reset for a new phone, the threat actor manipulates administrators into resetting passwords for privileged accounts, thus bypassing MFA protections. Once inside a target's system, UNC3944 conducts thorough internal reconnaissance, particularly within Microsoft applications like SharePoint, to gather information on remote connection requirements and other sensitive documentation.
UNC3944 has also been observed abusing Okta permissions. By self-assigning a compromised account to every application within an Okta instance, they escalate their privileges, allowing them to explore and exploit various SaaS and cloud applications. This includes conducting internal reconnaissance through the Okta web portal to identify available application tiles.
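The two identity-provider behaviours described above (a help-desk MFA reset followed by a password reset on a privileged account, and a compromised user self-assigning to many Okta application tiles in a short window) can both be surfaced from the Okta System Log. The following detection script is an added example written for this page; it is not code from Mandiant or from the report, and it assumes the Okta event type names `user.mfa.factor.reset_all`, `user.account.reset_password` and `application.user_membership.add` (verify them against your own tenant's log), with the sample records constructed inline and trimmed to the fields the checks read.

```python
"""Flag two UNC3944-style identity-provider patterns in Okta System Log records.

Assumptions (not from the report): event type names follow the Okta System Log
schema as I know it (user.mfa.factor.reset_all, user.account.reset_password,
application.user_membership.add); the records below are constructed samples
trimmed to the fields the checks read, not real tenant data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Each mirrors the Okta System Log shape:
# eventType, published, actor, and a list of targets.
SAMPLE_LOG = [
    # Help-desk admin resets MFA for a privileged user, then resets the password.
    {"eventType": "user.mfa.factor.reset_all", "published": "2024-06-10T14:02:00+00:00",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "it-admin@example.com"}]},
    {"eventType": "user.account.reset_password", "published": "2024-06-10T14:05:00+00:00",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "it-admin@example.com"}]},
    # The same account then assigns itself to many application tiles within minutes.
    *[
        {"eventType": "application.user_membership.add",
         "published": f"2024-06-10T14:{10 + i:02d}:00+00:00",
         "actor": {"alternateId": "it-admin@example.com"},
         "target": [{"type": "User", "alternateId": "it-admin@example.com"},
                    {"type": "AppInstance", "alternateId": app}]}
        for i, app in enumerate(["vsphere", "azure", "aws", "salesforce", "cyberark", "crowdstrike"])
    ],
    # Benign noise: an admin assigning somebody else to a single app.
    {"eventType": "application.user_membership.add", "published": "2024-06-10T15:00:00+00:00",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "newhire@example.com"},
                {"type": "AppInstance", "alternateId": "sharepoint"}]},
]


def _ts(event):
    """Parse the ISO-8601 'published' timestamp of a record."""
    return datetime.fromisoformat(event["published"])


def _target(event, kind):
    """Return the alternateId of the first target of the given type, or None."""
    for t in event.get("target", []):
        if t.get("type") == kind:
            return t.get("alternateId")
    return None


def mfa_reset_then_password_reset(events, window=timedelta(minutes=60)):
    """Pair an MFA factor reset with a password reset on the same user within `window`.

    Returns a list of (target_user, actor, seconds_between) tuples.
    """
    resets = defaultdict(list)  # user -> timestamps of MFA resets seen so far
    hits = []
    for ev in sorted(events, key=_ts):
        user = _target(ev, "User")
        if ev["eventType"] == "user.mfa.factor.reset_all":
            resets[user].append(_ts(ev))
        elif ev["eventType"] == "user.account.reset_password":
            for when in resets.get(user, []):
                delta = _ts(ev) - when
                if timedelta(0) <= delta <= window:
                    hits.append((user, ev["actor"]["alternateId"], int(delta.total_seconds())))
    return hits


def self_app_assignment_bursts(events, threshold=5, window=timedelta(minutes=30)):
    """Find actors who added their own account to >= `threshold` apps within `window`.

    Returns a dict actor -> sorted app names of the first qualifying burst.
    """
    per_actor = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["eventType"] != "application.user_membership.add":
            continue
        actor = ev["actor"]["alternateId"]
        if actor != _target(ev, "User"):
            continue  # assignment of someone else; not self-assignment
        per_actor[actor].append((_ts(ev), _target(ev, "AppInstance")))
    bursts = {}
    for actor, items in per_actor.items():
        for i, (start, _) in enumerate(items):
            in_window = [app for when, app in items[i:] if when - start <= window]
            if len(in_window) >= threshold:
                bursts[actor] = sorted(in_window)
                break
    return bursts


if __name__ == "__main__":
    for user, actor, secs in mfa_reset_then_password_reset(SAMPLE_LOG):
        print(f"MFA reset followed by password reset on {user} by {actor} after {secs}s")
    for actor, apps in self_app_assignment_bursts(SAMPLE_LOG).items():
        print(f"{actor} self-assigned {len(apps)} apps: {', '.join(apps)}")
```

Both checks are deliberately simple correlations rather than signatures: a legitimate help desk will occasionally reset MFA and a password back to back, so the first check is best routed to a review queue keyed on whether the target holds privileged roles, while the second becomes high-signal once the threshold is tuned to how many apps an admin in your tenant realistically grants themselves in half an hour.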
In several documented cases, Mandiant has observed UNC3944 accessing platforms like vSphere and Azure via single sign-on (SSO) applications to create new virtual machines. These machines are then reconfigured using publicly available utilities such as MAS_AIO and privacy-script.bat to deactivate security policies. The group further exploits a lack of endpoint monitoring on these attacker-created machines to download tools like Mimikatz, ADRecon, and various covert tunneling tools, giving it persistent access that does not pass through the victim's VPN or MFA. The attackers also install Python libraries such as Impacket to aid in their operations.
UNC3944's pivot to targeting SaaS applications includes accessing systems hosted through MFA providers. Their targets have included high-profile applications such as vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and GCP. Additionally, Mandiant has reported that UNC3944 targets Active Directory Federation Services (ADFS) to export ADFS certificates, further extending their reach and control within compromised environments.