Scattered Spider Pivots to SaaS Application Attacks

Microsoft last year described the threat actor — known as UNC3944, Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus — as one of the most dangerous current adversaries.

4 Min Read
digital spider in a virtual environment
Alamy

This article originally appeared on Dark Reading.

The recent attacks on customer accounts hosted on the Snowflake data warehousing platform could signal a broader shift among threat actors to targeting software-as-a-service (SaaS) application environments.

A recent Mandiant report highlighted another large threat actor that has begun going after enterprise data in SaaS applications in a broadening of its usual focus on Microsoft cloud environment and on-premises infrastructure. The threat actor, which Mandiant is tracking as UNC3944, is an English-language speaking group that other vendors have been tracking variously as Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus.

UNC3944: A Dangerous Cyber Adversary

The group's more recent capers have included a ransomware attack that knocked numerous critical systems offline for days at MGM Resorts last year and another that targeted Caesars Entertainment, which reportedly paid millions of dollars to the group to get back access to its data. The likely US- or UK-based threat actor is known for its SIM-swapping tactics and highly sophisticated credential-phishing skills, which include calling into enterprise help desks and resetting Okta credentials to take over accounts. Microsoft last year categorized UNC3944 as one of the most dangerous financially motivated cyber-threat groups active currently.

Related:Hackers Demand as Much as $5 Million From Snowflake Clients

According to Mandiant, UNC3944 has broadened its focus to data in enterprise SaaS applications over the past 10 months or so. 

"In addition to traditional on-premises activity, Mandiant observed pivots into client SaaS applications," according to the security vendor's analysis. In many of these attacks the threat actor has used stolen credentials to access SaaS applications protected by single sign-on providers such as Okta. "Mandiant observed unauthorized access to such applications as vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and Google Cloud Platform."

After gaining access to these environments, the threat actor has typically conducted at least some reconnaissance activity using a variety of methods, including Microsoft's Delve, to search for data in Microsoft 365 environments. The threat actor has then stolen data from these apps and transferred the data to cloud storage resources such as Amazon S3 buckets, using Airbyte, Fivetran, and other cloud synchronization utilities.

"These applications required only credentials and a path to the resources to sync the data to an external source automatically, often without the need for a subscription or expensive costs," Mandiant researchers said.

Related:London Hospitals Knew of Cyber Vulnerabilities Years Before Hack

Sophisticated Social Engineering Tactics

Phishing and social engineering remains one of the group's primary methods to acquire credentials for accessing enterprise SaaS accounts. In attacks that Mandiant observed, UNC3944 actors made voice calls in clear English to help desk staff to get their assistance in gaining access to privileged accounts. In many of these calls, the adversary appeared to possess the detailed personal information — such as the last four digits of the victim's Social Security number, dates of birth, and manager information — required to pass the help desk administrator's initial user authentication checks.

"The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate in said attacks," Mandiant researchers said.

Mandiant's report highlighted UNC3944's creation of new virtual machines in victim environments as a particularly effective persistence mechanism. The threat actor's modus operandi is to use single sign-on (SSO) apps to access VMware vSphere and Microsoft Azure cloud environments.

"The importance here is the observation of abusing administrative groups or normal administrator permissions tied through SSO applications to then create this method of persistence," according to the report.

Leveraging VMs for Persistence

After creating a new virtual machine, the threat actor has used specific tools to reconfigure the VMs to remove default Microsoft Defender protections and telemetry that would be of use in a forensic investigation. In situations where the compromised environment might not have any endpoint monitoring, the threat actor has downloaded multiple tools to the new VMs, including credential extraction utilities such as Mimikatz and ADRecon, and tunneling tools such as NGROK and RSOCX. Such tools allow UNC3944 to access the virtual machine without requiring any multifactor authentication (MFA) or VPN, according to Mandiant.

Mandiant's recommendations for organizations include using host-based certificates and MFA for VPN access, and creating strict conditional access policies to limit what is visible inside a cloud tenant.

According to the report, Mandiant recommends "heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices."

Read more about:

Dark Reading

About the Authors

Jai Vijayan

Contributing writer, Dark Reading

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including big data, Hadoop, Internet of Things, e-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a master's degree in statistics and lives in Naperville, Illinois.

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like