{"id":5278,"date":"2024-09-12T14:55:57","date_gmt":"2024-09-12T19:55:57","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/socially-savvy-scattered-spider-traps-cloud-admins-in-web"},"modified":"2024-09-12T14:55:57","modified_gmt":"2024-09-12T19:55:57","slug":"socially-savvy-scattered-spider-traps-cloud-admins-in-web","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/12\/socially-savvy-scattered-spider-traps-cloud-admins-in-web\/","title":{"rendered":"Socially Savvy Scattered Spider Traps Cloud Admins in Web"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

One of the world’s most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against <\/span>financial and insurance companies<\/a><\/span>, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.<\/span><\/p>\n

Scattered Spider has been using SMS and voice phishing \u2014 or smishing and vishing, respectively \u2014 attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.<\/span><\/p>\n

“Scattered Spider frequently uses phone-based social engineering techniques \u2026 to deceive and manipulate targets, mainly targeting IT service desks and identity administrators,” EclecticIQ Threat Intelligence Analyst Arda B\u00fcy\u00fckkaya wrote <\/span>in a recent analysis<\/a><\/span>. “The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals.”<\/span><\/p>\n

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), B\u00fcy\u00fckkaya said.<\/span><\/p>\n

Cloud Services, SaaS in the Crosshairs<\/h2>\n

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, B\u00fcy\u00fckkaya noted.<\/span><\/p>\n

“The cybercriminal group abuses legitimate cloud tools such as Azure\u2019s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection,” he wrote.<\/span><\/p>\n

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well <\/span>software as a service (SaaS) platforms<\/a><\/span> such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE “by deploying phishing pages that closely mimic single sign-on (SSO) portals,” B\u00fcy\u00fckkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing \u2014 so much so that they even can fool cloud security engineers.<\/span><\/p>\n

Spinning a Complex Attack Web<\/h2>\n

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English \u2014 all of which it used as part of its heavy artillery. The group soon became infamous for the massive <\/span>ransomware attacks on Caesars Palace and MGM Entertainment<\/a><\/span> about a year later.<\/span><\/p>\n

Scattered Spider teamed with BlackCat\/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of <\/span>RansomHub and Qilin<\/a><\/span> earlier this year, after BlackCat\/Alphv unceremoniously <\/span>went dark in March<\/a><\/span>, leaving affiliates in the lurch.<\/span><\/p>\n

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and <\/span>UK officials recently arrested<\/a><\/span> a 17-year-old from the town of Walsall, UK, in July for his connection to the group.<\/span><\/p>\n

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it’s as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.<\/span><\/p>\n

Defense and Mitigation<\/h2>\n

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to B\u00fcy\u00fckkaya.<\/span><\/p>\n

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.<\/span><\/p>\n

Other recommendations made specifically focused on Scattered Spider’s tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for <\/span>typosquatting domains<\/a><\/span>. This includes their own organization\u2019s legitimate domains, especially those targeting their own cloud environments.<\/span><\/p>\n

“Proactively secure these domains to prevent phishing attacks and social engineering tactics,” B\u00fcy\u00fckkaya advised.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

One of the world’s most dangerous ransomware groups has been<\/p>\n","protected":false},"author":12,"featured_media":5279,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/socially-savvy-scattered-spider-traps-cloud-admins-in-web.png?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5278"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5278\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5279"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}