Summary:
In October 2024, a significant cybersecurity event involving a manufacturing firm was analyzed by ReliaQuest. The investigation attributed the breach to a group called "Scattered Spider," a collective of English-speaking cybercriminals connected to the ransomware organization "RansomHub." Initially focused on telecom companies for SIM-swapping schemes, Scattered Spider has recently broadened its targets to larger enterprises, aiming for higher financial gains through partnerships with ransomware affiliates.

The inquiry revealed that Scattered Spider utilizes advanced tactics, techniques, and procedures (TTPs) to secure initial access to organizations. A notable strategy identified was their reliance on social engineering, exploiting their proficiency in English to manipulate personnel. In this incident, the attacker successfully persuaded the company's help desk to reset the Chief Financial Officer's (CFO) account credentials. However, after realizing that this account lacked sufficient permissions for further lateral movement, the attacker repeated their social engineering tactics, this time targeting a domain administrator's account.

Upon gaining access to the domain administrator account, the attacker established a virtual machine (VM) within the organization's VMware ESXi environment. This allowed them to bypass security measures, such as endpoint detection and response (EDR) systems, which typically monitor and log operating system activities. Remarkably, within a span of just six hours, the attacker deployed the RansomHub encryptor, causing significant disruption to critical systems.

The investigation highlighted several key behaviors and tactics exhibited by Scattered Spider during the breach:

1. Continual Social Engineering: Social engineering remained the primary method for initial access, with the attackers successfully manipulating help desk staff to compromise both the CFO's and the domain administrator's accounts.
2. Exploitation of Telecommunications Infrastructure: The attackers utilized Verizon IPv6 addresses to gain access to the network, taking advantage of telecom infrastructure that maintained a positive reputation to circumvent security controls.
3. Evasion in the ESXi Environment: By creating their own VM within the victim's ESXi environment, the attackers carried out a variety of malicious actions, including lateral movement, credential harvesting, and data exfiltration, while avoiding detection by traditional security systems.
4. Quick Time to Impact: The attackers demonstrated remarkable efficiency, managing to compromise two accounts within an hour of their initial call to the help desk, gain access to the virtual environment in two hours, and encrypt critical systems in just over six hours.

The investigation concluded with high confidence that multiple individuals were involved in facilitating the attack. A detailed timeline of events illustrated the systematic nature of the intrusion, underscoring the effectiveness of Scattered Spider's tactics.

Analyst Comments:
The attackers gained initial access through a well-planned series of social engineering efforts. The first move involved contacting the IT help desk and convincing staff to reset the CFO's password. When this account proved inadequate for further exploitation, the attacker made another call, successfully persuading a help desk employee to reset the multifactor authentication (MFA) settings for the CFO's account. This enabled the attacker to enroll their own SMS device, later identified as a Google Voice number. With access to the user's Okta account, they could access all Okta applications assigned to the CFO.

To expand their reach, the attacker targeted Thycotic, a password management system containing sensitive organizational data. However, due to the limitations of the CFO's account, they were unable to progress. Not deterred, the attacker scoured the organization's SharePoint for additional information, eventually identifying a domain administrator account to target next.

The attacker made a subsequent call to the help desk, successfully resetting the password for the domain administrator account, which had Okta Super Administrator privileges. This crucial access allowed the attacker to reach Thycotic and self-assign any Okta applications due to the privileges they obtained. Importantly, the investigation found that the help desk did not adhere to established standard operating procedures (SOPs), ultimately allowing the attacker to control both the CFO's and domain administrator's accounts.

The investigation provided critical insights into the infrastructure used by the attackers, revealing valuable information about their operations:

• Use of Verizon IP Addresses: Initial access was recorded using Verizon IPv4 addresses known for their positive reputation, which helped the attackers avoid detection. Subsequent activities were traced to Verizon IPv6 addresses, showcasing a clever strategy to evade traditional security measures, especially since many threat intelligence resources do not support IPv6.
• Simultaneous Access by Multiple Individuals: The investigation noted authentications from two different Verizon IP addresses shortly after the initial account compromise. Each attacker requested MFA separately and used distinct user agents, indicating that at least two individuals were involved in the attack.
• Reliance on Mobile Provider Infrastructure: The use of mobile providers for infrastructure aligned with previous intrusions attributed to Scattered Spider. The attackers likely utilized cellular hotspots, which often enable fallback capabilities between IPv4 and IPv6, complicating detection efforts.

Once the attackers gained access to the domain administrator account, they extracted sensitive files related to backups and key network infrastructure, facilitating further lateral movement. Their access to Okta Super Admin privileges also allowed them to manipulate authentication processes across critical applications.

Executing a double extortion strategy, the attackers encrypted the ESXi environment while also exfiltrating data. They compromised the organization's backup systems by encrypting local backups and deleting cloud backups. During the attack, they employed the open-source disk encryption tool VeraCrypt for local backups and utilized Okta to access Cohesity for cloud backups.

In a novel approach to traditional ransom tactics, the attackers sent a Microsoft Teams message from the compromised domain admin account, containing an Onion link for the ransom demand, rather than leaving a typical README file on the encrypted hosts. They also sent an email titled "Urgent Update on Cyber Attack" from the same compromised account.

Suggested Corrections:
The report underscores the pressing need for organizations to assess and enhance their security protocols in light of the evolving tactics employed by Scattered Spider. As cybercriminals increasingly adopt sophisticated methods for social engineering and exploitation, businesses across various sectors must implement robust technical safeguards, enforce strict help desk protocols, and foster a culture of security awareness to mitigate the risk of similar attacks. The growing collaboration between groups like Scattered Spider and ransomware affiliates such as RansomHub reflects a shifting landscape in cybercrime, highlighting the necessity for vigilance and proactive defense against emerging threats.

Link(s):
https://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/