Scattered Spider Hackers Target Cloud Apps for Data Theft

The Scattered Spider gang, also known as Octo Tempest, 0ktapus, Scatter Swine, and UNC3944, has shifted its focus to stealing data from software-as-a-service (SaaS) applications and creating new virtual machines to establish persistence in their attacks.

Traditionally known for social engineering tactics such as SMS phishing, SIM swapping, and account hijacking to gain on-premise access, Scattered Spider is a loose collective of English-speaking cybercriminals. These individuals collaborate on breaches, data theft, and extortion, often frequenting the same Telegram channels, hacking forums, and Discord servers.

Despite reports suggesting Scattered Spider operates as an organized gang, it is more accurately described as a collective of cybercriminals who collaborate based on their skills. Some members work together more frequently, but it is common for them to switch collaborators depending on the task at hand.

Google’s cybersecurity firm reported that Scattered Spider’s tactics, techniques, and procedures (TTPs) have expanded to include cloud infrastructure and SaaS applications. This shift allows them to steal data for extortion without the need for ransomware, broadening their range of targeted industries and organizations.

The gang primarily relies on social engineering techniques aimed at corporate help desk agents to gain initial access to privileged accounts. Scattered Spider members are well-prepared with personal information, job titles, and manager names to bypass verification processes, often posing as legitimate users needing assistance with resetting multi-factor authentication (MFA) for new devices.

Once inside a victim’s environment, Scattered Spider uses Okta permissions associated with compromised accounts to access the victim company’s cloud and SaaS applications. For persistence, they create new virtual machines on vSphere and Azure, utilizing admin privileges to disable security protections.

They also disable Microsoft Defender and other telemetry features in Windows, allowing them to deploy tools for lateral movement, such as Mimikatz and the IMPACKET framework, along with tunneling utilities like NGROK, RSOCX, and Localtonet. These tools enable access without the need for VPN or MFA verification.

To move victim data to their cloud storage, Scattered Spider uses legitimate cloud syncing tools like Airbyte and Fivetran, transferring data to reputable services such as Google Cloud Platform (GCP) and Amazon Web Services (AWS).

The gang conducts reconnaissance and data mining in various client SaaS applications, including vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, Workday, and GCP. They have used the Microsoft Office Delve search and discovery tool for Microsoft Office 365 to identify active projects, discussions of interest, and confidential information.

Furthermore, Scattered Spider utilizes endpoint detection and response (EDR) solutions to test their access within the environment. They create API keys in CrowdStrike’s external console and execute commands like whoami and quser to gather information on currently logged-in users and sessions on Remote Desktop Session Host servers.

In their attacks, Scattered Spider also targets Active Directory Federation Services (ADFS) to extract certificates. Coupled with a Golden SAML attack, this enables them to gain persistent access to cloud-based applications, further enhancing their ability to steal data and evade detection.

To defend against Scattered Spider hackers, organizations must bolster their security posture with a combination of advanced threat detection and response systems, and robust access management policies. Enforce strict multi-factor authentication (MFA) for all accounts, especially those with elevated privileges. Educate staff on social engineering techniques and implement strong incident response plans.
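One way to detect the access pattern described above (a help-desk MFA reset for a "new device", followed by single sign-on into many cloud and SaaS applications) is to correlate identity-provider events per user. The Python below is an added example, not code from the article or from any vendor; the event schema, the event type names (mfa_reset, mfa_enroll, sso), the four-hour window and the four-app threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized identity-provider events (not real Okta output).
# Field names and event types (mfa_reset, mfa_enroll, sso) are assumptions.
def _ev(ts, typ, user, **kw):
    return {"ts": datetime.fromisoformat(ts), "type": typ, "user": user, **kw}

SAMPLE_EVENTS = [
    _ev("2024-06-10T08:00:00", "sso", "alice", device="laptop-a", app="mail"),
    _ev("2024-06-10T09:00:00", "mfa_reset", "alice", actor="helpdesk1"),
    _ev("2024-06-10T09:10:00", "mfa_enroll", "alice", device="phone-x"),
    _ev("2024-06-10T09:15:00", "sso", "alice", device="phone-x", app="salesforce"),
    _ev("2024-06-10T09:20:00", "sso", "alice", device="phone-x", app="workday"),
    _ev("2024-06-10T09:40:00", "sso", "alice", device="phone-x", app="aws"),
    _ev("2024-06-10T09:55:00", "sso", "alice", device="phone-x", app="vcenter"),
    _ev("2024-06-10T10:30:00", "sso", "bob", device="laptop-b", app="mail"),
    _ev("2024-06-10T11:00:00", "mfa_reset", "bob", actor="helpdesk2"),
    _ev("2024-06-10T11:05:00", "mfa_enroll", "bob", device="laptop-b"),
    _ev("2024-06-10T11:10:00", "sso", "bob", device="laptop-b", app="mail"),
]

def find_suspicious_resets(events, window=timedelta(hours=4), min_apps=4):
    """Flag admin-performed MFA resets followed, within `window`, by a factor
    enrolled from a never-seen device and SSO to >= min_apps distinct apps."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            # A reset the user performed themselves does not start a chain.
            if reset["type"] != "mfa_reset" or reset.get("actor") == user:
                continue
            known = {e["device"] for e in evs[:i] if "device" in e}
            later = [e for e in evs[i + 1:] if e["ts"] <= reset["ts"] + window]
            enroll = next((e for e in later if e["type"] == "mfa_enroll"
                           and e["device"] not in known), None)
            if enroll is None:
                continue
            # Distinct apps reached after the new factor was enrolled.
            apps = sorted({e["app"] for e in later
                           if e["type"] == "sso" and e["ts"] >= enroll["ts"]})
            if len(apps) >= min_apps:
                alerts.append({"user": user, "reset_by": reset["actor"],
                               "new_device": enroll["device"], "apps": apps})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(alert)
```

In the constructed data only alice is flagged: bob's reset is followed by enrollment from a device he had already used and by access to a single application.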