The well-known Scattered Spider threat group has evolved its tactics to target software-as-a-service (SaaS) applications for data theft and using “a more aggressive method of persistence” leveraging virtualization platforms.
Scattered Spider (also known as UNC3944) has been active since at least May 2022 and was behind several high-profile attacks, including ones on Caesars Entertainment and MGM Resorts. The group initially focused on credential harvesting and SIM swapping attacks before moving to ransomware and data theft extortion. Now, Mandiant researchers said that the group is focusing primarily on data theft extortion, a change that has “precipitated an expansion of targeted industries and organizations.”
As part of this shift, the financially motivated threat group over the past few months “has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse,” according to Mandiant in a Thursday analysis.
“This current attack path highlights, in addition to traditional dangers of sensitive data storage, the dangers of storing data in SaaS-hosted applications,” said Mandiant. “These risks are often overlooked as part of internal security due to traditional SaaS models offloading some risk to the application owner.”
Mandiant’s research, published Thursday, coincided with another report published this week by GuidePoint Security, which highlighted clues of the cybercrime group’s recent activity pointing to how it may have become an affiliate for the RansomHub ransomware-as-a-service operator. Despite these recent changes, the group has continued using its infamous initial access vector of targeting call centers to gain access to privileged accounts.
These attacks have used a sophisticated level of social engineering, including leveraging victims’ compromised PII, in order to bypass the methods used by help desks to verify user identity. Additionally attackers were able to bypass MFA protections by telling service desks they had a new phone and needed an MFA reset. After gaining control of targeted accounts, attackers would conduct reconnaissance via Microsoft applications, targeting internal help guides and documentation for VPNs and remote telework utilities in Sharepoint, for instance.
“SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues."
“UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications,” said Mandiant researchers. “With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.”
Researchers observed attackers pivoting to SaaS applications like vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, Workday and Google Cloud Platform, in order to perform reconnaissance. The threat actors exfiltrated data from these applications via cloud synchronization tools like Airbyte and Fivetran in order to move data to attacker-owned cloud storage resources (primarily S3 buckets).
Researchers also observed the threat group accessing virtualization platforms like Sphere and Azure in order to create new virtual machines, which they then used to conduct follow-on activities. For example, the group relied on a number of publicly available tools, like privacy-script.bat, in order to reconfigure the VM to deactivate certain policies, such as removing default Microsoft Defender protections or Windows telemetry features that could help with forensic investigations.
“The importance here is the observation of abusing administrative groups or normal administrator permissions tied through SSO applications to then create this method of persistence,” said researchers. “Additionally, a lack of endpoint monitoring allowed the group to download tools such as Mimikatz, ADRecon, and various covert tunneling tools, such as NGROK, RSOCX, and Localtonet. The use of these tools allowed UNC3944 access to the device without the need to use VPN or MFA. Other tooling included the installation of Python libraries, such as IMPACKET.”
In order to limit the impact of these types of operations, researchers recommend that organizations use host-based certificates and MFA for VPN access, and develop strict conditional access policies to control visibility for cloud tenants. At the same time, companies can increase their monitoring capabilities around SaaS applications.
“SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues,” said researchers. “For the applications where proprietary or guarded information exists, Mandiant recommends that an organization ensures they have a robust logging capability that their security teams can review for signs of malicious intent.”