An inside look at a Scattered Spider cyber attack

Threat researchers at ReliaQuest have shared intelligence on how one of the organisation’s customers was impacted by a cyber attack originating via the Scattered Spider group that has made a speciality of abusing identity and authentication services to attack its victims, and has left cops struggling to respond.

The highly dangerous English-speaking group is also tracked by names such as UNC3944, 0ktapus, Scatter Swine and Octo Tempest, and is known for targeted, precision attacks and aggressive tactics, even resorting to threats of violence against its victims. It also recently became an affiliate of the ALPHV/BlackCat ransomware gang, a very unusual development.

“Scattered Spider recently emerged as a significant cyber crime group focused on compromising large enterprises,” wrote ReliaQuest’s James Xiang in a whitepaper published today.

“This report highlights the scale and operations of the group, which have spanned various sectors and regions. The group has also demonstrated the ability to abuse resources in compromised environments, discovering additional attack vectors to infiltrate deeper.

“Scattered Spider’s TTPs [tactics, techniques and procedures] are highly significant to the wider threat landscape and ReliaQuest customers, as attacks are being aided by gaps in identification and insufficient help-desk user verification policies,” he said. “Scattered Spider pivots and targets applications with remarkable precision, using access to internal IT documentation for extremely efficient lateral movement.

“As other threat actors become more sophisticated and learn from successful patterns, they will be able to exploit similar TTPs,” said Xiang. “Considering the high threat posed by Scattered Spider and similarly sophisticated and skilled groups – and the potential severe consequences – organisations should take appropriate measures to protect themselves.”

The customer, whose identity cannot be disclosed, was first alerted to the group’s activity in early September, when an automated retroactive indicator of compromise (IoC) threat hunt found an IP address the gang had previously used to perform exfiltration. Additional probing found more evidence of the gang’s tools, and some new TTPs.

How the attack unfolded

Scattered Spider’s initial access vector was through the customer’s cloud environment, where it was able to gain access to an IT admin account using Okta single sign-on (SSO), having reset their credentials in a social engineering attack.

With these credentials acquired, they conducted what is known as a multi-factor authentication (MFA) fatigue attack whereby the victim was bombarded with MFA challenges – four in the space of two minutes – the last of which resulted in successful authentication and the subsequent sign-on of a new device from a Florida-based IP address later identified as an IoC by Okta.

Notably, in using a US IP address with no connection to VPN infrastructure, Scattered Spider was able to evade rules that raise alerts of sign-ons from dodgy locations or infrastructure, likely an operational security (opsec) move. They were successful in this because Okta did not flag the sign-on.

They then enrolled a new MFA device to achieve persistence, and used the Okta SSO dashboard to pivot to the victim’s Microsoft 365 and Microsoft Azure Active Directory (AD). In the process of this, they sought out files and directories in the victim’s SharePoint platform that gave up more information, enabling them to dig deeper. This information, including information on the victim’s virtual desktop infrastructure (VDI), privileged IAM and password management policies, virtualisation servers, network architecture, and even their cyber planning and budgeting documents.

Scattered Spider then pivoted again, using Okta SSO to authenticate to Citrix Workspace – with the expected MFA challenge going to the device they had enrolled. ReliaQuest said it had found evidence the gang conducted additional actions in the on-premise environment after accessing Citrix.

“The surprisingly swift transition from the cloud environment to the on-premise environment is a unique attack path, indicating the group members’ advanced knowledge of both environments,” said Xiang.

“This in-depth understanding stems from a combination of pre-existing knowledge and additional information gleaned from files and documents during the intrusion. The time it took the group to pivot from the customer’s cloud environment to their on-premise environment was less than one hour.”

Among the events originating from the Citrix compromise were access to a file held in the victim’s AWS S3 bucket, which enabled them to gain access to the victim’s LastPass vault. ReliaQuest’s investigators also observed several application crashes, likely a result of Scattered Spider attempting to deploy a beacon, suspicious process execution events linked to attempts at process injection and the use of remote desktop protocol (RDP) to jump between hosts.

Meanwhile, at Okta

The gang then changed its focus back to Okta, leveraging the account of an infrastructure architect who also served as the customer’s virtualisation engineer, and authenticating via MFA from the same Floridian IP address observed before. This user also checked out CyberArk credentials for a VMware VCenter credentials folder.

Meanwhile, a second IT admin account authenticating from the same IP address went after the victim’s Okta and Azure AD admin settings – both these accounts were likely hijacked via MFA fatigue. The admin account was blocked by Okta for doing too much too quickly and violating its rate limits, but was later able to access Okta system admin pages and performed a number of suspicious actions in Azure AD, too, configuring API access, updating Azure Portal settings, and even making billing changes.

The next day, the architect’s account was observed configuring Okta with a secondary identity provider (IdP) which enabled cross-tenant Okta impersonation of a privileged user. ReliaQuest explained this would allow them to authenticate to the victim’s Okta environment through their own IdP, and as such gain the ability to impersonate and use any Okta account, strengthening their persistence still further.

In the event, they used the new IdP to authenticate as a security architect, although in doing so they misconfigured how the external IdP matches user attributes to the victim’s Okta tenant, which threw errors for them later on.

Then, with compromised service accounts for the victim’s Azure SQL Data Warehouse to hand, it was back to the on-premise environment, where Scattered Spider downloaded multiple tools to achieve persistence and exfiltrate data, including multiple remote monitoring and management (RMM) tools, reverse proxies, and so on, often from legitimate websites and default GitHub repos. Final exfiltration of the victim’s data was then observed via the original IP address observed in the initial threat hunt, at which point ReliaQuest’s analysis reached its conclusion – although, it said, “further reporting by the customer indicates that the attackers successfully accomplished their objectives of data exfiltration and widespread encryption.”

Xiang said: “We predict, with high confidence, that attacks from Scattered Spider will persist into the long term (beyond one year). The group’s ongoing activity is a testament to the capabilities of a highly skilled threat actor or group having an intricate understanding of cloud and on-premise environments, enabling them to navigate with sophistication.

“We recently observed another intrusion that seems to be associated with Scattered Spider,” he concluded. “The attacker employed the same social-engineering and file-discovery actions as seen in previous Scattered Spider attacks. Although they were unable to access critical resources, it is evident that as long as Scattered Spider’s preferred initial access vectors remain unmitigated, attacks will continue.”

ReliaQuest recommendations

ReliaQuest has provided a number of detection rules geared to the attack vectors seen in the above intrusion, available here, and has set out a number of recommendations. These include:

  • Paying more attention to centralised logging and visibility to establish a more comprehensive view of what’s going on (and timeline for investigators), given the rapid switching from cloud to on-premise environments;
  • Adhering to principles of least privilege – especially important given the misuse of Okta super admin rights;
  • And introducing much stricter verification policies for valuable IT helpdesk identities, particularly when it comes to credential resets.


Leave a Comment