Cyble investigates the notorious Scattered Spider APT group, which has recently been in the limelight for compromising major entertainment and hospitality firms in the United States and other key targets worldwide.
Scattered Spider is a cybercriminal group known for targeting large companies and their contracted IT help desks. These Threat Actors (TAs) typically engage in data theft for extortion and have been known to deploy BlackCat/ALPHV ransomware alongside their usual tactics, techniques, and procedures (TTPs). Also referred to as UNC3944, Scattered Spider comprises individuals aged 19 to 22 as of September 2023. The group gained notoriety for hacking Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. The name was first coined by cybersecurity researchers.
Scattered Spider initially gained notoriety by obtaining Okta identity credentials and multifactor authentication (MFA) codes to execute supply chain attacks against Okta’s clients. Over time, their capabilities have expanded to include bring-your-own-vulnerable-driver (BYOVD) attacks and techniques to evade endpoint detection and response products. Known for maintaining a high operational tempo, the group primarily targets firms specializing in customer relationship management, business process outsourcing, telecommunications, and the technology sector. However, they have increasingly been observed targeting global financial institutions.
Country of Origin
The TAs behind the group were recently arrested in the UK and the USA.
Targeted Nations
Scattered Spider is renowned for its operations worldwide.
Aliases
Scattered Spider has various aliases, including UNC3944, 0ktapus, Muddled Libra, Scatter Swine, Storm-0875, Octo Tempest, LUCR-3, and Star Fraud.
Targeted Sectors
Scattered Spider has a diverse array of attack vectors and techniques that can be customized for its targets. So far, the group has been observed attacking the following sectors:
- Telecommunication
- Business Process Outsourcing
- Hospitality
- Retail
- Media and Entertainment
- Financial services
Links to Other APT Groups
Scattered Spider operates as an affiliate of the ALPHV/BlackCat ransomware gang.
Scattered Spider Lifecycle
Scattered Spider’s attacks typically begin with SMS phishing, phone calls to victim help desks, and SIM swapping. Once they compromise credentials through social engineering techniques, the TAs utilize legitimate software such as AnyDesk and ScreenConnect to maintain persistence. They then employ malicious tools like Mimikatz and secretsdump to escalate privileges. Following this, they move laterally through the network using RDP, SSH, and other services. In the final stages, they disable security and recovery services, exfiltrate data, and conduct ransomware operations.
Initial Infection
Scattered Spider has been known to gain initial access to its intended victims primarily via social engineering. SMS phishing campaigns, in particular, are frequently used alongside calls to victim help desks to assist the TAs in obtaining password reset links or MFA bypass codes.
SIM Swapping
Scattered Spider’s tactics often involve SIM-swapping attacks, which are followed by establishing persistence through compromised accounts. Once they have secured persistence, Scattered Spider is known to modify and steal data from within the victim organization’s environment.
SIM swapping, also known as SIM hijacking, occurs when a fraudster manipulates the device linked to a customer’s phone number. This tactic is often used to receive OTPs or one-time security codes from banks, crypto exchanges, and other financial institutions.
Typically, SIM hijacking follows the acquisition of a customer’s personal information through phishing attacks or by purchasing compromised account credentials from dark web marketplaces. Victims often have their email accounts compromised beforehand, enabling threat actors to intercept communications from telecom providers such as Verizon. Phishing involves sending fraudulent requests for personal information, usually posing as a company or government agency.
SMS Phishing
In most of the cases where the initial access vector was identified, Scattered Spider obtained access to the victim’s environment in the wake of a successful smishing attack. Smishing is a type of social engineering attack in which cybercriminals use fraudulent mobile text messages to deceive individuals into installing malware, disclosing sensitive information, or transferring money. The term “smishing” is derived from “SMS,” which stands for “short message service,” the technology powering text messages, and “phishing.” The figure below shows the smishing message received by Cloudflare employees.

Figure 1 – Smishing Message (Source: Cloudflare)
After obtaining credentials, the TAs have impersonated employees in calls to victim organizations’ service desks, attempting to secure multifactor authentication (MFA) codes or password resets. During these calls, they provided the verification information requested by help desk employees, including usernames, employee IDs, and other types of personally identifiable information (PII) associated with the employees.
Phishing Kits
Scattered Spider has utilized phishing kits in their previous campaigns. Between late 2021 and mid-2022, they deployed a phishing kit known as EIGHTBAIT. Starting in Q3 2022, Scattered Spider began launching credential phishing campaigns with a new kit that seems to have been created by copying a webpage from a targeted organization. By mid-2023, they were using a third phishing kit alongside the second one.

Figure 2 – Phishing Page (Source: Google Mandiant)
Exploited Vulnerabilities
The Scattered Spider group has exploited vulnerability CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows in previous attacks.
Persistence
Scattered Spider is particularly focused on maintaining access to targeted environments. While TAs commonly use free or demo versions of Remote Monitoring and Management (RMM) tools, Scattered Spider often installs half a dozen or more to ensure a backdoor remains even if one is discovered. The use of commercial RMM tools is problematic since these legitimate, business-critical applications are frequently used for daily administration in enterprise networks. Observed tools include Zoho Assist, AnyDesk, Splashtop, TeamViewer, ITarian, FleetDeck, ASG Remote Desktop, RustDesk, and ManageEngine RMM.
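Because the persistence technique above relies on legitimate RMM products, the most practical control is an inventory check: which hosts carry an RMM tool that is not the one the organization sanctions, and which hosts carry more than one. The following is an added example written for this page, not Cyble’s code; the inventory rows, the hostnames, and the single-approved-product policy are constructed assumptions, while the RMM product names are the ones listed in the text.

```python
"""Flag hosts that carry unapproved or multiple RMM tools.

Added example (not Cyble's code). Inventory records are constructed to look
like rows exported from a software-asset inventory; the RMM names come from
the list of tools observed in Scattered Spider intrusions.
"""
from collections import defaultdict

# RMM products named on the page as observed in Scattered Spider intrusions.
OBSERVED_RMM = {
    "zoho assist", "anydesk", "splashtop", "teamviewer", "itarian",
    "fleetdeck", "asg remote desktop", "rustdesk", "manageengine rmm",
}

# Hypothetical organisation policy: exactly one RMM product is sanctioned.
APPROVED_RMM = {"teamviewer"}

# Constructed software inventory rows: (hostname, installed product name).
INVENTORY = [
    ("ws-fin-01", "Microsoft Office"),
    ("ws-fin-01", "TeamViewer"),
    ("ws-fin-01", "AnyDesk"),
    ("ws-fin-01", "RustDesk"),
    ("ws-fin-01", "Splashtop Streamer"),
    ("ws-hr-07", "TeamViewer"),
    ("ws-hr-07", "Google Chrome"),
    ("srv-db-02", "FleetDeck Agent"),
]


def classify_product(product: str):
    """Return the canonical RMM name if the product matches a known RMM, else None."""
    name = product.lower()
    for rmm in OBSERVED_RMM:
        if rmm in name:
            return rmm
    return None


def find_rmm_by_host(inventory):
    """Map each host to the set of RMM tools found in its inventory rows."""
    by_host = defaultdict(set)
    for host, product in inventory:
        rmm = classify_product(product)
        if rmm:
            by_host[host].add(rmm)
    return dict(by_host)


def flag_hosts(inventory, approved=APPROVED_RMM, max_tools=1):
    """Return {host: [reasons]} for hosts that violate the RMM policy.

    Two independent checks: any RMM outside the approved set, and more RMM
    products than the policy allows (the 'half a dozen backdoors' pattern)."""
    findings = {}
    for host, tools in find_rmm_by_host(inventory).items():
        reasons = []
        unapproved = sorted(tools - approved)
        if unapproved:
            reasons.append(f"unapproved RMM: {', '.join(unapproved)}")
        if len(tools) > max_tools:
            reasons.append(f"{len(tools)} RMM tools installed (limit {max_tools})")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_hosts(INVENTORY).items():
        print(host, "->", "; ".join(reasons))
```

Substring matching is deliberate: installers register themselves under varying names ("Splashtop Streamer", "FleetDeck Agent"), so matching on the vendor token catches them without a per-version list. Running the same check against running processes and scheduled services closes the gap for portable RMM builds that never appear in an installed-software inventory.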
Defense Evasion
Demonstrating proficiency with numerous security controls, Scattered Spider effectively evaded common defenses. Their tactics include disabling antivirus and host-based firewalls, attempting to delete firewall profiles, creating defender exclusions, deactivating or uninstalling EDR and other monitoring products, and setting up unmanaged cloud virtual machines. They also elevated access in virtual desktop environments and re-enabled existing Active Directory accounts to bypass SIEM monitoring rules. Additionally, Scattered Spider operated within EDR administrative consoles to clear alerts. Prioritizing operational security, they consistently used commercial VPN services to obscure their geographic location, preferring Mullvad VPN but also utilizing ExpressVPN, NordVPN, Ultrasurf, Easy VPN, and ZenMate.
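Two of the evasion behaviours above leave a clear trail in Windows event logs: re-enabling a dormant Active Directory account produces Security event 4722 (account enabled), and adding a Defender exclusion produces Microsoft Defender event 5007 (configuration changed) naming the Exclusions registry key. The detection below is an added example written for this page, not Cyble’s code; the event records are constructed to resemble those events, and the 24-hour pairing window and the account and host names are assumptions.

```python
"""Two detections for the defence-evasion behaviour described above.

Added example (not Cyble's code). Event records are constructed to resemble
fields of Windows Security / Defender operational log events:
  4722  - a user account was enabled
  4624  - an account was successfully logged on
  5007  - Microsoft Defender Antivirus configuration has changed
"""
from datetime import datetime, timedelta

# Constructed sample events (timestamps are ISO-8601 strings).
EVENTS = [
    {"id": 4722, "time": "2024-05-01T09:12:00", "target": "svc_backup_old", "subject": "helpdesk3"},
    {"id": 4624, "time": "2024-05-01T09:40:00", "target": "svc_backup_old", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"id": 4722, "time": "2024-05-01T11:00:00", "target": "j.doe", "subject": "helpdesk1"},
    {"id": 4624, "time": "2024-05-03T08:00:00", "target": "j.doe", "logon_type": 2, "src_ip": "10.0.1.7"},
    {"id": 5007, "time": "2024-05-01T09:45:00",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\rd = 0x0"},
    {"id": 5007, "time": "2024-05-02T10:00:00",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
]


def _t(s):
    return datetime.fromisoformat(s)


def reenabled_then_used(events, window=timedelta(hours=24)):
    """Accounts enabled (4722) and then logged on (4624) within `window`.

    The pairing, rather than the enable event alone, is what separates an
    attacker reviving a dormant account from routine account administration."""
    enabled = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4722:
            enabled[e["target"]] = e
        elif e["id"] == 4624 and e["target"] in enabled:
            en = enabled[e["target"]]
            delta = _t(e["time"]) - _t(en["time"])
            if timedelta(0) <= delta <= window:
                hits.append({
                    "account": e["target"],
                    "enabled_by": en["subject"],
                    "logon_type": e["logon_type"],
                    "src_ip": e["src_ip"],
                    "minutes_after_enable": int(delta.total_seconds() // 60),
                })
    return hits


def defender_exclusion_changes(events):
    """5007 events whose changed setting lives under the Defender Exclusions key."""
    marker = "\\windows defender\\exclusions\\"
    return [e["new_value"] for e in events
            if e["id"] == 5007 and marker in e["new_value"].lower()]


if __name__ == "__main__":
    for h in reenabled_then_used(EVENTS):
        print("re-enabled account used:", h)
    for v in defender_exclusion_changes(EVENTS):
        print("Defender exclusion changed:", v)
```

The enable-then-logon rule keys on the account rather than on who enabled it because, in this group’s intrusions, the enabling is done by a help-desk identity that looks legitimate; the logon type and source address in the hit are what an analyst needs to decide whether the revived account was used from an expected workstation.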
Tools used by Scattered Spider
Scattered Spider employs a diverse range of tools at various stages of their campaigns. These tools include ADRecon, AnyDesk, DCSync, FiveTran, FleetDeck, gosecretsdump, Govmomi, Hekatomb, Impacket, LaZagne, LummaC2, Mimikatz, Ngrok, PingCastle, ProcDump, PsExec, Pulseway, Pure Storage FlashArray, RedLine, Rsocx, RustDesk, ScreenConnect, SharpHound, Socat, Spidey Bot, Splashtop, Stealc, TacticalRMM, Tailscale, TightVNC, VIDAR, WinRAR, WsTunnel, and various Living off the Land techniques.

Figure 3 – Scattered Spider Tools (Source: Cyble Vision)
ADRecon: ADRecon is a tool that extracts and compiles various artifacts from an Active Directory (AD) environment. It generates a specially formatted Microsoft Excel report, which includes summary views with metrics to facilitate analysis. This provides a comprehensive overview of the target AD environment’s current state. TAs use this tool to enumerate victim networks.
DCSync: DCSync is a late-stage kill chain attack that enables an attacker to simulate the behavior of a Domain Controller (DC) to retrieve password data through domain replication. Once TAs gain access to a privileged account with domain replication rights, they can use replication protocols to mimic a domain controller and achieve persistence.
FleetDeck: FleetDeck is a new Remote Desktop & Virtual Terminal solution tailored for techs to securely manage large fleets of computers. TAs use this tool after initial infection to achieve persistence.
gosecretsdump: This tool is a Golang conversion of the Impacket secrets dump module, designed for high-speed data extraction. It significantly accelerates operations, reducing processes that typically take hours to just minutes. It can dump SAM/SYSTEM backups and also local SAM/SYSTEM files when run as the user account or SYSTEM.
Hekatomb: Hekatomb is a Python script that connects to an LDAP directory to retrieve information about all computers and users. It then downloads all DPAPI blobs for all users from all computers. Finally, it extracts the domain controller’s private key via RPC and uses it to decrypt all credentials.
Impacket: Impacket is an open-source collection of Python modules designed for programmatically constructing and manipulating network protocols. It includes various tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay cyber attacks.
LaZagne: LaZagne is a post-exploitation, open-source tool designed to recover stored passwords on a system. It features modules for Windows, Linux, and OS X, with a primary focus on Windows systems. LaZagne is publicly available on GitHub and used by TAs.
LummaC2: Lumma Stealer, also known as LummaC2, is a subscription-based information stealer that first emerged in 2022. Written in C, it offers a broad range of capabilities. Primarily used to steal cryptocurrency wallets and sensitive information like usernames and passwords, Lumma Stealer also has the functionality to deliver additional payloads.
Mimikatz: Mimikatz offers a comprehensive suite of tools for collecting and utilizing Windows credentials on target systems. It enables the retrieval of cleartext passwords, LAN Manager hashes, NTLM hashes, certificates, and Kerberos tickets. These tools are effective across all Windows versions from XP onward, though functionality may be somewhat limited in Windows 8.1 and later versions.
Ngrok: Ngrok creates secure tunnels to expose local servers behind NATs and firewalls to the public internet, which helps TAs evade network-based detections.
ProcDump: ProcDump is a command-line utility for monitoring CPU spikes and generating crash dumps, aiding in diagnosing issues. However, TAs can abuse it to monitor their ransomware and exfiltration operations while evading detection by EDR solutions.
Pulseway: Pulseway is a remote monitoring and management (RMM) software designed to help managed service providers (MSPs) and IT teams minimize downtime and set new efficiency standards through automation. TAs use this tool to achieve persistence in the victim system.
RedLine: RedLine Stealer, first identified in 2020, is one of the most notorious stealers available. It utilizes a Simple Object Access Protocol (SOAP) for communication with its command-and-control center and supports various plugins. RedLine Stealer collects data from browsers, email applications, and cryptocurrency wallets and is often linked to sophisticated phishing campaigns that can deliver additional payloads such as ransomware or advanced malware.
Rsocx: A high-performance SOCKS5 proxy server featuring support for both bind and reverse proxying. TAs use this tool as a proxy server for C&C communication.
RustDesk: RustDesk is a fully-featured, open-source remote control solution designed for self-hosting and security with minimal configuration required. TAs use this tool to achieve persistence in the victim system.
SharpHound: A C# rewrite of the BloodHound ingestor. BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. TAs use this tool to enumerate the AD network.
Spidey Bot: Spidey Bot is a relatively uncommon information stealer that first appeared in 2019. It is designed to extract stored passwords and other data from various sources within infected environments. The information targeted can include VPN credentials, internet browsers, email clients, gaming software, and cryptocurrency data.
Stealc: Stealc is a relatively new malware family, first observed in early 2023. It is known as a copycat information stealer, featuring a suite of functionalities reminiscent of VIDAR, Raccoon, Mars, and RedLine stealers. By default, Stealc targets data from web browsers, browser extensions, cryptocurrency applications, and email messaging software.
TacticalRMM: Tactical RMM is a remote monitoring and management tool developed using Django and Vue.
VIDAR: Vidar is a derivative of Arkei malware, notable for being among the first to target information from 2FA software and the Tor Browser. The TAs use this tool as a payload after the initial infection.
WsTunnel: Wstunnel utilizes the WebSocket protocol, which is compatible with HTTP, to bypass firewalls and proxies. It enables TAs to tunnel malicious traffic and reach the resources or sites they need without detection.
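The DCSync, gosecretsdump, and Impacket entries above all come down to the same observable: a non-domain-controller principal asking a DC for replication changes, which domain controllers record as Security event 4662 with the replication control-access rights in the Properties field. The detection below is an added example written for this page, not Cyble’s code. The three GUIDs are the standard Active Directory replication extended rights; the 4662 records, the domain name, and the list of known domain controllers are constructed assumptions.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example (not Cyble's code). The control-access-right GUIDs are the
standard Active Directory replication extended rights; the log records,
domain and DC names are constructed.
"""

# Extended rights that a replication partner (or a DCSync tool) requests.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical list of the domain's real domain controller computer accounts.
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed 4662 records; real events carry many more fields.
EVENTS_4662 = [
    {"subject": "DC02$", "domain": "CORP", "object": "DC=corp,DC=example",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "helpdesk3", "domain": "CORP", "object": "DC=corp,DC=example",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "j.doe", "domain": "CORP", "object": "CN=j.doe,OU=Users,DC=corp,DC=example",
     "properties": "{bf967a7f-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_requested(properties: str):
    """Names of replication rights present in a 4662 Properties string."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Return alerts for replication requests not made by a known DC.

    Ordinary directory reads (no replication right) are ignored, and DC-to-DC
    replication is allow-listed; everything else is a DCSync candidate."""
    alerts = []
    for e in events:
        rights = replication_rights_requested(e["properties"])
        if not rights:
            continue  # ordinary directory access, not replication
        if e["subject"] in known_dcs:
            continue  # legitimate replication between domain controllers
        alerts.append({
            "subject": f'{e["domain"]}\\{e["subject"]}',
            "object": e["object"],
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(EVENTS_4662):
        print("possible DCSync:", a)
```

This requires auditing of Directory Service Access to be enabled on the domain controllers, otherwise 4662 is never written. The allow-list needs tuning for legitimate non-DC replicators such as directory-synchronisation service accounts; a newly granted replication right on a user account is itself worth alerting on, since that is what a compromised privileged account is used to arrange.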
Network Activities
In several instances, Muddled Libra (an alias of Scattered Spider) sought to establish reverse proxy shells or SSH tunnels for command-and-control and exfiltration. They utilized tunneling software like RSocx and employed common file transfer sites such as put[.]io, transfer[.]sh, wasabi[.]com, and gofile[.]io for data exfiltration and to retrieve attack tools. Additionally, they were observed using Cyberduck as a file transfer agent.
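The file-transfer services named above are a concrete hunting lead in web-proxy logs: outbound PUT/POST traffic to them, summed per source host, separates a bulk upload from an incidental visit. The following is an added example written for this page, not Cyble’s code; the space-separated log format, the log lines, the internal addresses, and the 100 MB upload threshold are constructed assumptions, while the four domains are the ones named in the text.

```python
"""Flag uploads to the file-transfer services named above from proxy logs.

Added example (not Cyble's code). The log format (space-separated:
time src method host status bytes_out bytes_in) and the lines are constructed.
"""
from collections import defaultdict

# Services named in the text; matched on the registrable domain so subdomains count.
WATCHED_DOMAINS = ("put.io", "transfer.sh", "wasabi.com", "gofile.io")
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log excerpt.
SAMPLE_LOG = """\
2024-05-01T10:02:11 10.0.5.23 GET update.corp.example 200 1200 15000
2024-05-01T10:05:42 10.0.5.23 PUT upload.gofile.io 200 734003200 512
2024-05-01T10:09:03 10.0.5.23 POST transfer.sh 200 209715200 300
2024-05-01T10:11:19 10.0.1.7 GET put.io 200 0 4800
2024-05-01T10:15:55 10.0.1.7 GET www.example.org 200 0 9000
"""


def parse_line(line):
    time, src, method, host, status, out_b, in_b = line.split()
    return {"time": time, "src": src, "method": method, "host": host.lower(),
            "status": int(status), "bytes_out": int(out_b), "bytes_in": int(in_b)}


def watched_domain(host):
    """Return the watched registrable domain a host belongs to, else None."""
    for d in WATCHED_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def summarize(log_text):
    """Per source host: watched domains contacted, upload count, bytes uploaded."""
    per_src = defaultdict(lambda: {"domains": set(), "uploads": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        d = watched_domain(rec["host"])
        if d is None:
            continue
        s = per_src[rec["src"]]
        s["domains"].add(d)
        if rec["method"] in UPLOAD_METHODS:
            s["uploads"] += 1
            s["bytes_out"] += rec["bytes_out"]
    return dict(per_src)


def alerts(log_text, upload_threshold=100 * 1024 * 1024):
    """(src, severity, summary) per host: 'high' above the upload threshold,
    'low' for any other contact with a watched service."""
    out = []
    for src, s in summarize(log_text).items():
        severity = "high" if s["bytes_out"] >= upload_threshold else "low"
        out.append((src, severity, s))
    return out


if __name__ == "__main__":
    for src, severity, s in alerts(SAMPLE_LOG):
        print(f"{severity}: {src} -> {sorted(s['domains'])}, "
              f"{s['uploads']} uploads, {s['bytes_out']} bytes out")
```

Matching on the registrable domain rather than the exact host matters because upload endpoints on these services typically live on subdomains; the low-severity "contact only" finding is kept because tool retrieval from the same sites, as described above, is a download rather than an upload and would otherwise be invisible to a volume-based rule.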
Conclusion
The Scattered Spider campaign reveals a highly adaptive and persistent threat actor group. Their use of sophisticated tactics, including SMS phishing, SIM swapping, and credential theft, coupled with the deployment of various legitimate and malicious tools, highlights their capability to bypass traditional security measures. The group’s methods for maintaining access and evading detection—such as deploying multiple remote management tools and using commercial VPNs—demonstrate their operational complexity.
Recommendations:
To counter the Scattered Spider campaign effectively, consider implementing the following recommendations:
Enhance Phishing Defenses: Deploy advanced anti-phishing solutions and train employees to recognize and report phishing attempts. Implement multi-factor authentication (MFA) to reduce the risk of credential theft.
Monitor and Manage Remote Tools: Regularly audit and manage remote monitoring and management (RMM) tools. Restrict the installation of unauthorized software and monitor for unusual activity.
Strengthen SIM Security: Educate users about the risks of SIM swapping and implement measures to secure mobile accounts, such as contacting mobile carriers to set up additional security features.
Improve Incident Response: Develop and regularly update an incident response plan to swiftly address and contain breaches. Conduct regular security drills to ensure readiness.
Regularly Update Systems: To mitigate vulnerabilities, ensure that all systems and software are up-to-date with the latest security patches.
Monitor Network Traffic: Implement advanced network monitoring tools to detect and respond to suspicious activities, including the use of VPNs and tunneling protocols.
Review Access Controls: Implement and rigorously uphold stringent access restrictions, guaranteeing that solely individuals with proper authorization can access vital systems and information.
Utilize Threat Intelligence: Leverage threat intelligence feeds to stay informed about emerging threats and tactics used by groups like Scattered Spider.
Implementing these recommendations can help organizations enhance their defenses against Scattered Spider’s sophisticated tactics and improve their overall cybersecurity posture.
MITRE Attack Techniques Associated with Scattered Spider

Figure 4 – MITRE ATT&CK (Source: Cyble Vision)
Phishing (T1566): Scattered Spider obtains credentials by SMS phishing and phone calls to victim help desks.
Valid Accounts (T1078): They gain access through compromised credentials and social engineering.
Command and Scripting Interpreter (T1059): They use tools like Mimikatz and PowerShell for executing commands and scripts.
Create Account (T1136): They may create or use existing accounts to maintain access.
Disable or Modify Security Tools (T1562): To avoid detection, they disable antivirus, firewalls, and EDR systems.
Credential Dumping (T1003): They use tools like Mimikatz and secretsdump to extract credentials.
Remote Desktop Protocol (RDP) (T1076): They move laterally using RDP and SSH.