SCATTERED SPIDER, a financially motivated threat group that deploys ransomware, targets insurance and financial institutions by combining stolen credentials, SIM swaps, social engineering, and cloud-native tooling to gain and maintain access, impersonating employees to deceive victims.
Its partnership with BlackCat (ALPHV) has enhanced its ability to target Western organizations, because the group's own members are familiar with Western business practices.
It frequently abuses cloud authentication tokens that were inadvertently committed to public repositories; these leaked tokens let the attackers automate and scale their access to corporate cloud infrastructure.
It uses phishing and smishing campaigns against highly privileged accounts in cloud services such as Microsoft Entra ID and AWS (EC2), and against SaaS platforms such as Okta, ServiceNow, and VMware Workspace ONE, using phishing pages that mimic the victim's SSO portal.
The smishing messages trick victims into clicking links to phishing sites that capture login credentials and intercept one-time passcodes (OTPs).
SCATTERED SPIDER also uses credential stealers (infostealers) to harvest cloud service authentication tokens from victims' devices; the tokens are then sold on underground forums, giving buyers unauthorized access to cloud resources in AWS, Azure, and GCP.
It employs SIM swapping to defeat SMS-based MFA on SaaS applications, and from there gains access to the cloud infrastructure behind them.
Threat actors create unauthorized VMs to evade detection and steal data, abusing legitimate cloud tools for remote command execution and data transfer.
Telecom Enemies, a DaaS group, offers phishing kits and tools such as Gorilla Call Bot; SCATTERED SPIDER members use these services in their attacks, targeting services such as Coinbase and Gmail.
Telecom Enemies' tools are widely promoted on Telegram and sold on underground forums, and its members specialize in web application exploitation, network infiltration, and malware development.
It uses open-source tools to enumerate cloud environments, focusing on Active Directory and Microsoft 365, in order to identify valuable data, compromise additional accounts, escalate privileges, and move laterally across the network.
The attackers target password management tools, network architecture, VDI/VPN configurations, PAM solutions, personnel information, third-party data, and extortion-related data.
It abuses Cross-Tenant Synchronization (CTS) and federated identity providers to maintain persistent access to Microsoft Entra ID environments.
Having compromised a privileged account, the attackers configure CTS with an attacker-controlled tenant and add malicious federated domains, which lets them provision their own accounts into the victim tenant and mint forged authentication tokens that the tenant trusts.
According to EclecticIQ, they also employ RMM tools and protocol tunneling to establish remote connections and bypass network defenses.
SCATTERED SPIDER employs various techniques to evade detection and disable security measures, including routing traffic through residential proxies, disabling security tools, creating its own virtual machines, and exploiting cloud identity systems.
It also uses automated scripts against VMware ESXi hosts and Azure, changing root passwords and disabling security tools before encrypting data.
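Detection logic for the persistence and evasion moves described above (CTS partners added, domains switched to federation, VMs created by unexpected principals), as an added example that is not EclecticIQ's code or the article's. The record shape is a simplified, constructed rendering of Entra ID audit log and Azure Activity Log exports; the activity names in the rule sets are assumptions to validate against your own tenant's logs, and the correlation window is a chosen value:

```python
"""Rule-based detection over constructed identity/cloud audit records.

Added example, not from the original article. Record shape, activity names,
the 24h correlation window and the sample log lines are all assumptions.
"""
import json
from datetime import datetime, timedelta

# Assumed Entra ID audit activity names; verify against your tenant's logs.
CTS_ACTIVITIES = {
    "Add a partner to cross-tenant access setting",
    "Update a partner cross-tenant access setting",
}
FEDERATION_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
}
ROLE_GRANT_ACTIVITY = "Add member to role"
# Azure Activity Log operation for creating or updating a VM.
VM_WRITE_OPERATIONS = {"Microsoft.Compute/virtualMachines/write"}


def parse_records(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(records: list[dict], allowed_vm_creators=frozenset(),
           window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return alerts, escalating to 'critical' when the actor received a role
    shortly before the suspicious action (compromised account, then persistence)."""
    role_granted_at: dict[str, datetime] = {}
    alerts = []
    for r in sorted(records, key=lambda x: x["time"]):
        t = _ts(r["time"])
        activity = r.get("activity") or r.get("operationName")
        actor = r["actor"]
        if activity == ROLE_GRANT_ACTIVITY:
            role_granted_at[r["target"]] = t  # target is the user who gained the role
            continue
        if activity in CTS_ACTIVITIES:
            severity, message = "high", f"CTS partner configured: {r['target']}"
        elif activity in FEDERATION_ACTIVITIES:
            severity, message = "high", f"domain federation changed: {r['target']}"
        elif activity in VM_WRITE_OPERATIONS and actor not in allowed_vm_creators:
            severity, message = "medium", f"VM created by unexpected principal: {r['target']}"
        else:
            continue
        granted = role_granted_at.get(actor)
        if granted is not None and timedelta(0) <= t - granted <= window:
            minutes = int((t - granted).total_seconds() // 60)
            severity = "critical"
            message += f" (actor granted a role {minutes} min earlier)"
        alerts.append({"severity": severity, "actor": actor,
                       "time": r["time"], "message": message})
    return alerts


# Constructed sample log lines (not real tenant data).
SAMPLE_LOGS = """\
{"time":"2024-05-01T09:00:00Z","source":"entra_audit","activity":"Add member to role","actor":"helpdesk@corp.example","target":"svc-sync@corp.example"}
{"time":"2024-05-01T09:20:00Z","source":"entra_audit","activity":"Add a partner to cross-tenant access setting","actor":"svc-sync@corp.example","target":"attacker-tenant.example"}
{"time":"2024-05-01T09:25:00Z","source":"entra_audit","activity":"Set domain authentication","actor":"svc-sync@corp.example","target":"corp-sso.example"}
{"time":"2024-05-01T10:00:00Z","source":"azure_activity","operationName":"Microsoft.Compute/virtualMachines/write","actor":"svc-sync@corp.example","target":"vm-exfil-01"}
{"time":"2024-05-01T10:30:00Z","source":"azure_activity","operationName":"Microsoft.Compute/virtualMachines/write","actor":"contractor@corp.example","target":"vm-tmp-07"}
{"time":"2024-05-01T11:00:00Z","source":"azure_activity","operationName":"Microsoft.Compute/virtualMachines/write","actor":"build-pipeline@corp.example","target":"vm-build-42"}
{"time":"2024-05-01T12:00:00Z","source":"entra_audit","activity":"Update user","actor":"hr@corp.example","target":"someone@corp.example"}
"""

if __name__ == "__main__":
    for a in detect(parse_records(SAMPLE_LOGS),
                    allowed_vm_creators={"build-pipeline@corp.example"}):
        print(a["severity"], a["time"], a["actor"], a["message"])
```

The point of the role-grant correlation is that CTS and federation changes are legitimate administrative operations; what makes them worth paging on is an account that was made privileged minutes earlier performing them, which is exactly the sequence a help-desk social-engineering compromise produces.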
Organizations can mitigate these risks by strengthening authentication (including phishing-resistant MFA rather than SMS or OTP codes), closely monitoring for suspicious activity such as identity and tenant configuration changes, and implementing comprehensive cloud security measures.