One of the world's most dangerous ransomware groups has applied its signature social engineering to sophisticated, targeted phishing attacks against financial and insurance companies, with the aim of stealing high-privilege credentials for cloud environments and ultimately deploying ransomware.
Scattered Spider uses smishing and vishing attacks (SMS phishing and voice phishing, respectively) to target high-privilege accounts, such as those of IT service administrators and cybersecurity teams. The attackers use the stolen credentials to compromise cloud services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.
“Scattered Spider frequently uses phone-based social engineering techniques… to deceive and manipulate targets, primarily targeting IT service desks and identity administrators,” EclecticIQ threat intelligence analyst Arda Buyukaya wrote in a recent analysis. “The actor often impersonates employees to gain trust and access information, manipulates two-factor authentication settings, and directs victims to fake login portals.”
The attacks are well enough crafted that they often lead unwary identity administrators responsible for cloud infrastructure to enter their credentials into phishing pages posing as VMware Workspace ONE, an application management and identity access policy platform. That lets the attackers gain unauthorized access even to accounts protected by multi-factor authentication (MFA), Buyukaya said.
Cloud and SaaS services in the line of fire
Other methods Scattered Spider uses to gain persistent access to cloud environments include buying stolen credentials, performing SIM swaps, and abusing cloud-native tools. In effect, the group takes advantage of legitimate features of cloud infrastructure to carry out its malicious activity, which makes its operations increasingly difficult to detect and counter, Buyukaya noted.
“The cybercriminal group exploits legitimate cloud tools like the Azure Management Console and Data Factory to execute remote commands, transfer data, and maintain persistence while avoiding detection,” he wrote.
The attacks observed by EclecticIQ targeted cloud services such as Microsoft Entra ID and Amazon Web Services Elastic Compute Cloud (EC2), as well as software-as-a-service (SaaS) platforms like Okta, ServiceNow, Zendesk, and VMware Workspace ONE. To harvest credentials for these services, “they deploy phishing pages that closely mimic single sign-on (SSO) portals,” Buyukaya wrote. The pages are delivered through social engineering convincing enough to fool even cloud security engineers.
Weaving a complex attack network
The Scattered Spider group, also known as Octo Tempest, has quickly become a household name in the ransomware game. The group arrived on the scene in 2022 armed with sophisticated social engineering techniques, an understanding of the psychology of Western business targets, and native English fluency, all of which it used as part of its heavy artillery. It quickly became notorious for large-scale hacking operations, including the ransomware attacks on Caesars Entertainment and MGM Resorts about a year after it appeared.
Scattered Spider collaborated with the BlackCat/Alphv ransomware operation early on but has since become an affiliate of the RansomHub and Qilin ransomware-as-a-service (RaaS) operations. That move came earlier this year, after BlackCat/Alphv abruptly shut down and went dark in March, leaving its affiliates in an awkward position.
Global law enforcement agencies, including the FBI, have been tracking Scattered Spider closely, and UK authorities recently made an arrest: a 17-year-old from Walsall, UK, was arrested in July for his association with the group.
The attacks identified by EclecticIQ come from an analysis covering 2023 through Q2 2024, so it's not yet clear how active Scattered Spider has been since that arrest. However, the researchers noted that the research sheds new light on the complex web of attacks the group is able to execute to turn identity compromise into access to cloud environments.
Defense and mitigation
EclecticIQ has developed a framework that outlines the ransomware deployment lifecycle to help defenders thwart attacks, detailing the techniques a threat actor uses to infiltrate and persist in cloud computing environments and execute ransomware. According to Buyukaya, the accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret of the success of Scattered Spider and other ransomware actors.
The company has provided a comprehensive set of recommendations for organizations on prevention, detection, and incident response, covering (but not limited to) secure authentication; monitoring and alerting; virtual cloud resource security; firewall and network security; and the other key aspects that make up an enterprise cloud environment.
Other recommendations focused specifically on Scattered Spider's tendency to use phishing as its primary method of initial access, and advised organizations to monitor for typosquatted lookalikes of their organizations' legitimate domains, especially those that would target their cloud environments.
“Proactively secure these domains to prevent phishing attacks and social engineering tactics,” Buyukaya advised.
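The SSO-portal phishing pages described above and the typosquat-monitoring recommendation in the last two paragraphs both come down to the same detection problem: spotting newly registered or newly observed domains that impersonate your own identity portals. The following is an added example of that check, written for this page and not tooling from EclecticIQ or the report. It assumes a hypothetical brand domain `acme.com`, a constructed feed of candidate domains standing in for what you would pull from certificate transparency logs or new-domain registrations, an assumed keyword list (`SSO_KEYWORDS`) reflecting the platforms named in the article, and a caller-supplied allowlist for legitimate vendor tenants such as `acme.okta.com`.

```python
"""Lookalike-domain detection for SSO phishing monitoring (added example).

Generates typosquat variants of a brand domain and classifies candidate domains
(from a constructed feed) as lookalikes, with a reason string for each hit.
"""
from __future__ import annotations

from typing import Iterable

# Keywords SSO phishing pages commonly borrow. Assumed list for illustration;
# extend it to match your own identity stack (Okta, Workspace ONE, ServiceNow, ...).
SSO_KEYWORDS = ("sso", "okta", "login", "auth", "mfa", "helpdesk",
                "servicedesk", "vpn", "workspace")

# Single-substitution homoglyphs that survive a casual glance in a URL bar.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv"}

ALT_TLDS = ("com", "net", "org", "co", "io", "help", "support")


def generate_variants(domain: str) -> set[str]:
    """Return plausible lookalike registrable domains for e.g. 'acme.com'."""
    name, _, tld = domain.lower().rpartition(".")
    labels: set[str] = set()
    for i in range(len(name)):                      # character omission
        labels.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                  # adjacent transposition
        labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                      # character repetition
        labels.add(name[:i] + name[i] + name[i:])
    for src, dst in HOMOGLYPHS.items():             # homoglyph substitution
        idx = name.find(src)
        while idx != -1:
            labels.add(name[:idx] + dst + name[idx + len(src):])
            idx = name.find(src, idx + 1)
    for i in range(1, len(name)):                   # inserted hyphen
        labels.add(name[:i] + "-" + name[i:])
    labels.discard(name)
    out = {f"{lbl}.{tld}" for lbl in labels}
    for kw in SSO_KEYWORDS:                         # brand + SSO keyword combos
        out.update({f"{name}-{kw}.{tld}", f"{kw}-{name}.{tld}",
                    f"{name}{kw}.{tld}", f"{kw}{name}.{tld}"})
    out.update(f"{name}.{alt}" for alt in ALT_TLDS if alt != tld)  # TLD swaps
    return out


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used for near-miss labels the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand_domain: str, variants: set[str],
             allow: set[str] = frozenset()) -> str | None:
    """Return a reason if `candidate` looks like a lookalike of brand_domain, else None."""
    cand = candidate.lower().rstrip(".")
    brand = brand_domain.lower()
    name = brand.rpartition(".")[0]
    if cand == brand or cand.endswith("." + brand):
        return None                                  # our own domain or a subdomain of it
    if any(cand == a or cand.endswith("." + a) for a in allow):
        return None                                  # known-good vendor tenant (e.g. acme.okta.com)
    if cand.startswith(brand + "."):
        return "brand domain used as a subdomain prefix"   # acme.com.evil.net
    labels = cand.split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    if registrable in variants:
        return f"matches generated variant {registrable}"
    if any(name in lbl for lbl in labels) and any(kw in cand for kw in SSO_KEYWORDS):
        return "brand name combined with SSO keyword"
    if levenshtein(labels[-2], name) <= 1:
        return f"edit distance 1 from {name}"
    return None


def scan(feed: Iterable[str], brand_domain: str, allow: set[str] = frozenset()) -> dict[str, str]:
    """Map each flagged domain in `feed` to the reason it was flagged."""
    variants = generate_variants(brand_domain)
    hits: dict[str, str] = {}
    for d in feed:
        reason = classify(d, brand_domain, variants, allow)
        if reason:
            hits[d] = reason
    return hits


# Constructed sample feed: stands in for a CT-log or new-registration stream.
SAMPLE_FEED = ["acme.com", "sso.acme.com", "acme.okta.com", "acme-sso.com",
               "acme.com.okta-verify.net", "acrne.com", "login-acme.net",
               "weather.example.org", "acme.co", "acne.com"]

if __name__ == "__main__":
    for dom, why in scan(SAMPLE_FEED, "acme.com", allow={"okta.com"}).items():
        print(f"{dom:28} {why}")
```

The allowlist matters in practice: without it, the organization's real Okta tenant (`acme.okta.com`) trips the brand-plus-keyword rule, and an analyst who sees that every day will stop reading the alerts. Feed hits into whatever takedown or blocklisting process you run, and treat a hit that also serves a login form as the higher-priority case.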