Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack
The actor behind the high-profile MGM incident jumps across segmentations in under an hour, in a ransomware attack spanning Okta, Citrix, Azure, SharePoint, and more.
November 22, 2023
The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an hour.
The attack by Scattered Spider, an ALPHV/Black Cat ransomware affiliate, sealed the group's position as a formidable adversary for large enterprises with a nimble ability to target the enterprise through their cloud service providers, according to a report by ReliaQuest published on Nov. 22.
Tactics demonstrated were similar to the ones that took down MGM's network, with the group using credentials to an Okta single-sign-on agent stolen from a help-desk employee to enter a third-party cloud environment and move onto the enterprise network from there, the researchers revealed.
"During the investigation, the initial-access vector was unclear, but weeks later, the customer reported that the intrusion was attributed to a social-engineering attack, in which the user's credentials were reset by the attackers," according to the report. "This tactic of social engineering strongly aligns with Scattered Spider's previous tactics, techniques, and procedures (TTPs), which are used to elicit valid account credentials from a target."
Manipulating MFA in Fatigue Attacks
Specifically, attackers used a socially-engineered MFA fatigue attack —in which they used the valid account credentials to attempt four MFA challenges within two minutes. The last resulted in successful authentication, with a "new device sign-in" being observed from Florida IP address 99.25.84[.]9 that was used to reset a legitimate Okta user's credentials to access the environment of a cloud service provider.
Attackers then quickly transitioned to the on-premise enterprise environment, where they authenticated to Citrix Workspace via the IT administrator's Okta credentials and again were prompted to complete MFA. The prompt was sent to the newly registered device under the group's control, allowing attackers to access the workspace and move on from there to conduct other nefarious activities on various parts of the customer infrastructure.
These activities included hijacking of Citrix sessions and privilege elevation, by creating a highly privileged user in the form of a fake security architect user, enabling attackers to move laterally at will across Azure, SharePoint, and other critical assets in the environment, the researchers said.
Scattered Spider ultimately used a combination of TTPs — including social engineering of help-desk employees, identity as-a-service (IDaaS) cross-tenant impersonation, file enumeration and discovery, abuse of specific enterprise applications, and use of persistence tools — to achieve widespread encryption and exfiltration of data from the targeted network.
Scattered Spider Evolves to Be a Formidable Adversary
The incident demonstrated the scale and operational capability of Scattered Spider, which in a short time has shown sophistication in its abuse of resources in compromised environments, which span various sectors and regions. Moreover, the danger is that other threat actors will learn from their tactics and mount copycat attacks, the researchers noted.
"Scattered Spider pivots and targets applications with remarkable precision, using access to internal IT documentation for extremely efficient lateral movement," according to the report. "As other threat actors become more sophisticated and learn from successful patterns, they will be able to exploit similar TTPs."
Indeed, if the MGM attack was any indication, attacks by Scattered Spider can cause catastrophic damage to an enterprise network and should be taken extremely seriously. Systems across the conglomerate's more than 30 hotels and casinos around the globe were offline for more than 10 days, resulting in a loss of tens of millions of dollars in revenue in addition to the $15 million in ransom the company shelled out to unlock systems.
Moreover, while law enforcement authorities like the FBI are well aware of the threat group and have amassed volumes of data on its activities, they so far have been unable to disrupt its activities — which remains a point of contention in the security community.
Enterprise Defense Against a Significant Cyber Threat
ReliaQuest has offered a number of actions enterprises can take to avoid being compromised by the nimble group as they remain on their own to defend against it.
One is to adhere to the "principle of least privilege," particularly given the misuse of Okta super administrator credentials, the researchers said. Enterprises should restrict the super administrator role, as it grants the potential to alter various settings, such as to register an external identity provider, or deactivate strong authentication requirements.
"Users assigned to this role should use a form of MFA that demonstrates substantial resistance to MFA bypass attacks," according to the report. In this case, new signons, or the enrollment of an MFA factor for super administrator accounts, should be accompanied by a notification. This recommendation should also apply to access to internal IT documentation — to which many organizations do not adequately limit access, the researchers said.
Given that Scattered Spider often uses social-engineering manipulation of a help-desk employee for initial access to the cloud, the researchers also recommend that help-desk adhere to rigorous policies concerning the verification of end users' identities, particularly for procedures involving the reset of credentials or MFA factors. These include implementing a challenge-response process or mandating user identity confirmation prior to any help-desk action.
Overall, groups like Scattered Spider require that enterprise defenders prioritize constant vigilance by strengthening security protocols, conducting regular assessments, and staying informed about emerging threats, the researchers concluded.
About the Author
You May Also Like