Scattered Spider

Scattered Spider is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns Scattered Spider has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.[1][2][3]

ID: G1015
Associated Groups: Roasted 0ktapus
Version: 1.0
Created: 05 July 2023
Last Modified: 22 September 2023

Associated Group Descriptions

Name Description
Roasted 0ktapus [2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

During C0027, Scattered Spider accessed Azure AD to identify email addresses.[3]

.004 Account Discovery: Cloud Account

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with their email addresses and Active Directory attributes.[3]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.[3]

.003 Account Manipulation: Additional Cloud Roles

During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[3]
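The two entries above describe cloud account manipulation that leaves a clear CloudTrail trail. As an added illustration (this is example code, not part of the ATT&CK entry and not from the group's tooling), the Python below triages CloudTrail records for both patterns: an sts:GetFederationToken call made with long-term IAM user keys followed by a FederatedUser console login without MFA (the flow this example assumes aws_consoler automates, T1098.001), and IAM write calls that create or widen an identity (T1098.003). Event names and field paths follow the CloudTrail record schema; the account ID, principal names, allowlist, watchlists and sample records are constructed assumptions.

```python
"""Triage CloudTrail records for federated-console minting (T1098.001)
and IAM identity/privilege changes (T1098.003). Sample data is constructed."""
from typing import Dict, List

# IAM write calls that create or widen an identity (assumed watchlist).
PRIVILEGE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "AddUserToGroup", "UpdateAssumeRolePolicy",
}
# Managed policies whose attachment is always worth an alert (assumed list).
HIGH_RISK_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
# Principals expected to call GetFederationToken, e.g. an identity broker (assumed).
FEDERATION_ALLOWLIST = {"arn:aws:iam::111122223333:user/sso-broker"}


def triage_event(ev: Dict) -> List[str]:
    """Return zero or more findings for one CloudTrail record."""
    name = ev.get("eventName", "")
    ident = ev.get("userIdentity") or {}
    actor = ident.get("arn", "<unknown>")
    params = ev.get("requestParameters") or {}
    findings: List[str] = []

    # T1098.001: long-term keys call sts:GetFederationToken with an arbitrary
    # display name that later shows up as the "user" in console activity.
    # Record that name next to the real caller so the analyst sees both.
    if name == "GetFederationToken" and actor not in FEDERATION_ALLOWLIST:
        findings.append(f"T1098.001 GetFederationToken by {actor} "
                        f"for federated name {params.get('name')!r}")

    # The resulting console session is a FederatedUser login that never
    # answered an MFA challenge in the browser.
    if name == "ConsoleLogin" and ident.get("type") == "FederatedUser":
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed", "No")
        if mfa != "Yes":
            findings.append(f"T1098.001 FederatedUser console login without MFA: "
                            f"{actor} from {ev.get('sourceIPAddress')}")

    # T1098.003: identity creation or privilege widening.
    if name in PRIVILEGE_EVENTS:
        target = params.get("userName") or params.get("roleName") or "?"
        policy = params.get("policyArn", "")
        severity = "HIGH" if policy in HIGH_RISK_POLICIES else "MEDIUM"
        findings.append(f"T1098.003 {severity} {name} on {target!r} by {actor} {policy}".rstrip())
    return findings


def triage(events: List[Dict]) -> List[str]:
    out: List[str] = []
    for ev in events:
        out.extend(triage_event(ev))
    return out


# Constructed sample records (not real telemetry); 111122223333 is the AWS
# documentation placeholder account ID.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "sourceIPAddress": "10.0.4.12"},
    {"eventName": "GetFederationToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"name": "auditor"}, "sourceIPAddress": "198.51.100.23"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/auditor"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.23"},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"userName": "maint-ops",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The point of keying on GetFederationToken rather than on the federated name is that the name is attacker-chosen; the caller ARN in userIdentity is the credential that actually leaked and the one to rotate.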

.005 Account Manipulation: Device Registration

During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[3]

Enterprise T1530 Data from Cloud Storage

During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[3]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[3]

Enterprise T1190 Exploit Public-Facing Application

During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[3]

Enterprise T1068 Exploitation for Privilege Escalation

Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[2]

Enterprise T1133 External Remote Services

Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[2]

During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[3]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[3]

Enterprise T1656 Impersonation

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential-harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.[3]

Enterprise T1105 Ingress Tool Transfer

During C0027, Scattered Spider downloaded tools using victim organization systems.[3]

Enterprise T1578 .002 Modify Cloud Compute Infrastructure: Create Cloud Instance

During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[3]

Enterprise T1621 Multi-Factor Authentication Request Generation

Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[2]

During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accept the MFA push challenge.[3]

Enterprise T1046 Network Service Discovery

During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[3]

Enterprise T1588 .002 Obtain Capabilities: Tool

During C0027, Scattered Spider obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.[3]

Enterprise T1003 .006 OS Credential Dumping: DCSync

During C0027, Scattered Spider performed domain replication.[3]
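Domain replication by anything other than a domain controller is the observable for DCSync. As an added example (not part of the ATT&CK entry or the group's tooling), the Python below checks Windows Security event 4662 records for the directory replication control-access rights and flags requests whose subject is not a known DC machine account. The three GUIDs are the documented Active Directory extended-right identifiers; the DC list, the allowlist prefix for a directory synchronisation account and the sample events are constructed assumptions. One caveat a practitioner needs: 4662 is only emitted when the Directory Service Access audit subcategory is enabled and the domain naming context's SACL audits Control Access.

```python
"""Flag 4662 replication requests that did not come from a domain controller
(DCSync, T1003.006). Sample events and allowlist are constructed."""
import re
from typing import Dict, List, Set

# AD extended rights that DCSync tooling requests on the domain object.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Non-DC accounts legitimately allowed to replicate (assumed: a sync account).
ALLOWLIST_PREFIXES = ("MSOL_",)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def is_dc_account(name: str, dcs: Set[str]) -> bool:
    """Machine accounts end in '$'; compare the host part against the DC list."""
    return name.endswith("$") and name[:-1].upper() in {d.upper() for d in dcs}


def detect_dcsync(events: List[Dict], domain_controllers: Set[str]) -> List[Dict]:
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # The Properties field lists the requested rights as braced GUIDs.
        props = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = [REPL_RIGHTS[g] for g in props if g in REPL_RIGHTS]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if is_dc_account(subject, domain_controllers) or subject.upper().startswith(ALLOWLIST_PREFIXES):
            continue
        findings.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": sorted(rights),
            # Get-Changes-All is the right that returns secrets (password hashes).
            "severity": "HIGH" if "DS-Replication-Get-Changes-All" in rights else "MEDIUM",
        })
    return findings


_REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
               "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample events: a real DC, a user account, a sync account, a
# user touching an unrelated right, and a non-4662 event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "MSOL_3f1a9b2c", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": _REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": "%%7688\n\t{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, {"DC01", "DC02"}):
        print(f)
```

Keep the DC list authoritative (pulled from the directory, not hand-maintained): a workstation account renamed to look like a DC is a cheap way to dodge a name-based check.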

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[3]

Enterprise T1566 .004 Phishing: Spearphishing Voice

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[3]

Enterprise T1598 Phishing for Information

Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.[2]

.001 Spearphishing Service

During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[3]

.004 Spearphishing Voice

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[3]

Enterprise T1572 Protocol Tunneling

During C0027, Scattered Spider used SSH tunneling in targeted environments.[3]

Enterprise T1090 Proxy

During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[3]

Enterprise T1219 Remote Access Software

During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[3]

Enterprise T1021 .007 Remote Services: Cloud Services

During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[2]

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[3]

Enterprise T1102 Web Service

During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[3]

Enterprise T1047 Windows Management Instrumentation

During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[3]
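Impacket's wmiexec.py leaves a recognisable footprint on the target host, which is how the WMI lateral movement above is usually caught. As an added example (not part of the ATT&CK entry or the group's tooling), the Python below scores process-creation records with Sysmon Event ID 1 style field names for that footprint: WmiPrvSE.exe as the parent of a shell, the cmd.exe /Q /c wrapper, and wmiexec's default output redirection to \\127.0.0.1\ADMIN$\__<epoch>. The scoring weights, threshold and sample events are assumptions constructed for the example; the command-line shape is wmiexec's default behaviour, and the weights are split because wmiexec can be run without the redirect, and because WmiPrvSE.exe also spawns shells for legitimate management tooling.

```python
"""Score process-creation records for the Impacket wmiexec footprint
(WMI lateral movement, T1047). Sample events are constructed."""
import re
from typing import Dict, List

# wmiexec default: wrap the command in cmd.exe /Q /c and redirect output to
# a file named __<time.time()> on the target's ADMIN$ share via loopback.
WMIEXEC_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.I)
WMIEXEC_PREFIX = re.compile(r"(?:^|\\)cmd\.exe\s+/Q\s+/c\s", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict) -> Dict:
    """Return a score and the reasons behind it for one process-creation record."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    result = {"pid": ev.get("ProcessId"), "score": 0, "reasons": []}
    if parent == "wmiprvse.exe" and image in SHELLS:
        # Win32_Process.Create from a remote caller lands here, but so does
        # legitimate management tooling, hence a partial score only.
        result["score"] += 40
        result["reasons"].append("WmiPrvSE.exe spawned a shell")
    if WMIEXEC_PREFIX.search(cmd):
        result["score"] += 20
        result["reasons"].append("cmd.exe /Q /c wrapper")
    if WMIEXEC_REDIRECT.search(cmd):
        # Only wmiexec's default mode produces this; -nooutput drops it, so the
        # parent/child pair above still has to carry weight on its own.
        result["score"] += 40
        result["reasons"].append("output redirected to \\\\127.0.0.1\\ADMIN$\\__<epoch>")
    return result


def detect_wmiexec(events: List[Dict], threshold: int = 60) -> List[Dict]:
    return [r for r in (score_event(e) for e in events) if r["score"] >= threshold]


# Constructed sample records: default wmiexec, wmiexec-like without redirect
# (or an admin's remote WMI PowerShell), and a user's own shell.
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1693538400.123456 2>&1"},
    {"ProcessId": 5120, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c Get-Service"},
    {"ProcessId": 6008, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for r in detect_wmiexec(SAMPLE_EVENTS):
        print(r)
```

Pair this with network telemetry: the same host should show an inbound DCOM connection (TCP 135 plus the dynamic RPC port) from the source of the lateral movement around the same timestamp.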
