Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022.[1][2] The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.[2] During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.[3][4][1][2][5]

ID: G1015
Associated Groups: Roasted 0ktapus, Octo Tempest, Storm-0875
Version: 2.0
Created: 05 July 2023
Last Modified: 04 April 2024

Associated Group Descriptions

Name Description
Roasted 0ktapus [4]
Octo Tempest [6]
Storm-0875 [6]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Scattered Spider leverages legitimate domain accounts to gain access to the target environment.[3][2]

.003 Account Discovery: Email Account

During C0027, Scattered Spider accessed Azure AD to identify email addresses.[5]

.004 Account Discovery: Cloud Account

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.[5]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.[5]

.003 Account Manipulation: Additional Cloud Roles

During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[5]

Scattered Spider has also assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.[2]

.005 Account Manipulation: Device Registration

During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[5]

Enterprise T1217 Browser Information Discovery

Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer.[3]

Enterprise T1580 Cloud Infrastructure Discovery

Scattered Spider enumerates cloud environments to identify server and backup management infrastructure, resource access, databases and storage containers.[2]

Enterprise T1538 Cloud Service Dashboard

Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement.[3]

Enterprise T1136 Create Account

Scattered Spider creates new user identities within the compromised organization.[3]

Enterprise T1486 Data Encrypted for Impact

Scattered Spider has used BlackCat ransomware to encrypt files on VMware ESXi servers.[3][2]

Enterprise T1530 Data from Cloud Storage

Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes.[3]

During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5]

.003 Data from Information Repositories: Code Repositories

Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories.[3][2]

Enterprise T1074 Data Staged

Scattered Spider stages data in a centralized database prior to exfiltration.[3]

Enterprise T1006 Direct Volume Access

Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the NTDS.dit file.[2]

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

Scattered Spider adds a federated identity provider to the victim’s SSO tenant and activates automatic account linking.[3]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Scattered Spider has exfiltrated victim data to the MEGA file sharing site.[3][2]

Enterprise T1190 Exploit Public-Facing Application

During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[5]

Enterprise T1068 Exploitation for Privilege Escalation

Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[4]

Enterprise T1133 External Remote Services

Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[4]

During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[5]

Enterprise T1083 File and Directory Discovery

Scattered Spider enumerates a target organization for files and directories of interest, including source code.[3][2]

Enterprise T1657 Financial Theft

Scattered Spider has deployed ransomware on compromised hosts for financial gain.[3][7]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[5]

Enterprise T1564 .008 Hide Artifacts: Email Hiding Rules

Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.[2]

Enterprise T1656 Impersonation

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.[5]

Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.[3][2]

Enterprise T1105 Ingress Tool Transfer

During C0027, Scattered Spider downloaded tools using victim organization systems.[5]

Enterprise T1556 .006 Modify Authentication Process: Multi-Factor Authentication

After compromising user accounts, Scattered Spider registers their own MFA tokens.[3]

.009 Modify Authentication Process: Conditional Access Policies

Scattered Spider has added additional trusted locations to Azure AD conditional access policies.[2]

Enterprise T1578 .002 Modify Cloud Compute Infrastructure: Create Cloud Instance

During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[5]

Scattered Spider has also created Amazon EC2 instances within the victim's environment.[3]

Enterprise T1621 Multi-Factor Authentication Request Generation

Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[4]

During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge.[5]

Enterprise T1046 Network Service Discovery

During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[5]

Enterprise T1588 .002 Obtain Capabilities: Tool

During C0027, Scattered Spider obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.[5]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Scattered Spider has extracted the NTDS.dit file by creating volume shadow copies of virtual domain controller disks.[2]

.006 OS Credential Dumping: DCSync

During C0027, Scattered Spider performed domain replication.[5]

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[5]

Enterprise T1566 .004 Phishing: Spearphishing Voice

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[5]

Enterprise T1598 Phishing for Information

Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.[4]

.001 Spearphishing Service

During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[5]

.004 Spearphishing Voice

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[5]

Scattered Spider has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.[2]

Enterprise T1572 Protocol Tunneling

During C0027, Scattered Spider used SSH tunneling in targeted environments.[5]

Enterprise T1090 Proxy

During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[5]

Enterprise T1219 Remote Access Software

During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[5]

In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including AnyDesk, LogMeIn, and ConnectWise Control to establish persistence on the compromised network.[3][7]

Enterprise T1021 .007 Remote Services: Cloud Services

During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[5]

Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.[3]

Enterprise T1018 Remote System Discovery

Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure.[3]

Enterprise T1539 Steal Web Session Cookie

Scattered Spider retrieves browser cookies via Raccoon Stealer.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[4]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Scattered Spider searches for credential storage documentation on a compromised host.[3]

.004 Unsecured Credentials: Private Keys

Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host.[3]

Enterprise T1204 User Execution

Scattered Spider has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access.[3]

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[5]

Enterprise T1102 Web Service

During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[5]

Enterprise T1047 Windows Management Instrumentation

During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[5]

Mobile T1660 Phishing

Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.[2]

Software

ID Name References Techniques

S1068 BlackCat

Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain.[3][2]

Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Account Discovery: Domain Account, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Defacement: Internal Defacement, Disk Wipe: Disk Content Wipe, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Indicator Removal: Clear Windows Event Logs, Inhibit System Recovery, Lateral Tool Transfer, Modify Registry, Network Share Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Service Stop, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation

S0357 Impacket

During C0027, Scattered Spider used Impacket for lateral movement.[5]

Techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation

S0349 LaZagne

Scattered Spider can obtain credential information using LaZagne.[2]

Techniques: Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files

S0002 Mimikatz

Scattered Spider has gathered credentials using Mimikatz.[3][2]

Techniques: Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0508 ngrok

Scattered Spider has used ngrok to create secure tunnels to remote web servers.[3]

Techniques: Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service

S0670 WarzoneRAT

Scattered Spider has utilized WarzoneRAT to remotely access a compromised system.[3]

Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Proxy, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Rootkit, System Information Discovery, Template Injection, User Execution: Malicious File, Video Capture

References