Scattered Spider hops nimbly from cloud to on-prem in complex attack

Elizabeth Montalbano, Dark Reading

November 27, 2023

2 Min Read
Scattered Spider hops nimbly from cloud to on-prem in complex attack

The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization’s on-premise network in only an hour.

The attack by Scattered Spider, an ALPHV/Black Cat ransomware affiliate, sealed the group’s position as a formidable adversary for large enterprises with a nimble ability to target the enterprise through their cloud service providers, according to a report by ReliaQuest published on Nov. 22.

Tactics demonstrated were similar to the ones that took down MGM’s network, with the group using credentials to an Okta single-sign-on agent stolen from a help-desk employee to enter a third-party cloud environment and move onto the enterprise network from there, the researchers revealed.

“During the investigation, the initial-access vector was unclear, but weeks later, the customer reported that the intrusion was attributed to a social-engineering attack, in which the user’s credentials were reset by the attackers,” according to the report. “This tactic of social engineering strongly aligns with Scattered Spider’s previous tactics, techniques, and procedures (TTPs), which are used to elicit valid account credentials from a target.”

Manipulating MFA in Fatigue Attacks

Specifically, attackers used a socially-engineered MFA fatigue attack —in which they used the valid account credentials to attempt four MFA challenges within two minutes. The last resulted in successful authentication, with a “new device sign-in” being observed from Florida IP address 99.25.84[.]9 that was used to reset a legitimate Okta user’s credentials to access the environment of a cloud service provider.

Attackers then quickly transitioned to the on-premise enterprise environment, where they authenticated to Citrix Workspace via the IT administrator’s Okta credentials and again were prompted to complete MFA. The prompt was sent to the newly registered device under the group’s control, allowing attackers to access the workspace and move on from there to conduct other nefarious activities on various parts of the customer infrastructure.

These activities included hijacking of Citrix sessions and privilege elevation, by creating a highly privileged user in the form of a fake security architect user, enabling attackers to move laterally at will across Azure, SharePoint, and other critical assets in the environment, the researchers said.

Scattered Spider ultimately used a combination of TTPs — including social engineering of help-desk employees, identity as-a-service (IDaaS) cross-tenant impersonation, file enumeration and discovery, abuse of specific enterprise applications, and use of persistence tools — to achieve widespread encryption and exfiltration of data from the targeted network.

To read the complete article, visit Dark Reading.

 

Subscribe to receive Urgent Communications Newsletters
Catch up on the latest tech, media, and telecoms news from across the critical communications community