
The hacking group responsible for the widely publicized MGM cyberattack in September has resurfaced with another sophisticated ransomware attack. In this latest incident, attributed to Scattered Spider, an ALPHV/BlackCat ransomware affiliate, the group showed its agility by moving from a third-party service provider's environment into the targeted organization's on-premises network in about an hour.

According to a report by ReliaQuest released on Nov. 22, this attack solidifies Scattered Spider’s reputation as a formidable adversary, demonstrating their adeptness in targeting enterprises through their cloud service providers.

The tactics employed in this attack mirrored those used in the MGM network breach. The group gained access using credentials for an Okta single-sign-on agent, originally stolen from a help-desk employee. This initial foothold in a third-party cloud environment let them move on into the enterprise network.

The researchers noted that early in the investigation the initial-access vector was unclear. Weeks later it emerged that the intrusion began with a social-engineering attack in which the attackers had a user's credentials reset. This fits Scattered Spider's consistent use of social engineering in its tactics, techniques, and procedures (TTPs) to obtain valid account credentials from its targets.

Manipulating MFA in Fatigue Attacks

In this instance the attackers ran a socially engineered MFA fatigue attack: using valid account credentials, they triggered four MFA challenges within a two-minute window. The fourth attempt succeeded, registering a "new device sign-in" from the Florida IP address 99.25.84[.]9. That sign-in was then used to reset a legitimate Okta user's credentials, giving the attackers access to the cloud service provider's environment.
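The burst pattern described above (several push challenges in a short window, then a success from a device the user has never authenticated from) is straightforward to hunt for in Okta System Log exports. The following detector is an added example, not code from ReliaQuest or from the report; it uses a simplified subset of the System Log fields, and the event type names follow Okta's naming as the author recalls it (`system.push.send_verify_push`, `user.authentication.auth_via_mfa`). The sample events, user names and device fingerprints are constructed; only the source IP and the "four challenges in two minutes" threshold come from the article.

```python
"""Flag MFA-fatigue bursts in Okta-style System Log events (added example).

An alert is raised for each successful MFA result that was preceded by at
least `threshold` push challenges within `window` AND came from a device
fingerprint the user had never successfully authenticated with before.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types named after Okta's System Log (simplified field subset).
PUSH_SENT = "system.push.send_verify_push"
MFA_RESULT = "user.authentication.auth_via_mfa"


def _event(published, event_type, actor, ip, result="SUCCESS", fingerprint=None):
    """Build one constructed event in the shape the detector expects."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "debugContext": {"debugData": {"deviceFingerprint": fingerprint}},
    }


# Constructed sample log (not incident data): a baseline sign-in, then four
# pushes in 85 s to the IT admin, accepted from an unseen device; plus one
# benign user with a single push answered from a known device.
SAMPLE_LOG = [
    _event("2023-11-01T09:15:00.000Z", MFA_RESULT, "it.admin@example.com",
           "203.0.113.10", fingerprint="fp-corp-laptop"),
    _event("2023-11-02T08:00:00.000Z", MFA_RESULT, "alice@example.com",
           "203.0.113.11", fingerprint="fp-alice-phone"),
    _event("2023-11-10T14:00:05.000Z", PUSH_SENT, "it.admin@example.com", "99.25.84.9"),
    _event("2023-11-10T14:00:35.000Z", PUSH_SENT, "it.admin@example.com", "99.25.84.9"),
    _event("2023-11-10T14:01:05.000Z", PUSH_SENT, "it.admin@example.com", "99.25.84.9"),
    _event("2023-11-10T14:01:30.000Z", PUSH_SENT, "it.admin@example.com", "99.25.84.9"),
    _event("2023-11-10T14:01:34.000Z", MFA_RESULT, "it.admin@example.com",
           "99.25.84.9", fingerprint="fp-unknown-77"),
    _event("2023-11-10T14:05:00.000Z", PUSH_SENT, "alice@example.com", "203.0.113.11"),
    _event("2023-11-10T14:05:10.000Z", MFA_RESULT, "alice@example.com",
           "203.0.113.11", fingerprint="fp-alice-phone"),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=2)):
    """Return a list of alert dicts, one per suspicious MFA success."""
    pushes = defaultdict(list)        # actor -> timestamps of pushes sent
    known_devices = defaultdict(set)  # actor -> fingerprints from prior successes
    alerts = []
    for e in sorted(events, key=_ts):
        actor = e["actor"]["alternateId"]
        t = _ts(e)
        if e["eventType"] == PUSH_SENT:
            pushes[actor].append(t)
            continue
        if e["eventType"] != MFA_RESULT or e["outcome"]["result"] != "SUCCESS":
            continue
        fp = e.get("debugContext", {}).get("debugData", {}).get("deviceFingerprint")
        # Only pushes inside the trailing window count toward the burst.
        burst = [p for p in pushes[actor] if t - window <= p <= t]
        if len(burst) >= threshold and fp not in known_devices[actor]:
            alerts.append({
                "actor": actor,
                "challenge_count": len(burst),
                "burst_seconds": int((burst[-1] - burst[0]).total_seconds()),
                "ip": e["client"]["ipAddress"],
                "fingerprint": fp,
                "at": e["published"],
            })
        # A success from a device makes it "known" for later events.
        known_devices[actor].add(fp)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(json.dumps(alert))
```

The "new device" condition is what separates a fatigue attack from a user who simply fumbled a push a few times: the accept lands on a device the victim has never used. Tune `threshold` and `window` to the tenant's normal behaviour, and treat the device fingerprint as a weak signal (it is client-supplied), so pair it with IP and geolocation context before paging anyone.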

After this initial entry, the attackers moved quickly to the on-premises enterprise environment. There they authenticated to Citrix Workspace with the IT administrator's Okta credentials and met another MFA prompt, which was routed to the newly registered device under their control, so they passed it and gained access to the workspace. From there they carried out a range of malicious activities across different parts of the customer's infrastructure.

These activities included seizing control of Citrix sessions, elevating privileges by creating a highly privileged fake security architect user, and facilitating lateral movement across Azure, SharePoint, and other critical assets in the environment. The researchers noted that Scattered Spider employed a mix of tactics, including social engineering of help-desk employees, cross-tenant impersonation using identity-as-a-service (IDaaS), file enumeration and discovery, exploitation of specific enterprise applications, and the use of persistence tools. This combination ultimately facilitated extensive encryption and exfiltration of data from the targeted network.

Scattered Spider Evolves Into a Formidable Opponent

The incident underscored the expansive reach and operational prowess of Scattered Spider. In a brief period, the group showed sophistication in leveraging resources within compromised environments across various sectors and regions. The researchers emphasize the risk that other threat actors will adopt and replicate its tactics, leading to copycat attacks.

According to the report, Scattered Spider pivots adeptly and targets applications with precision, using access to internal IT documentation to make lateral movement highly efficient. As other threat actors grow more sophisticated and learn from successful campaigns, they could adopt similar TTPs.

The MGM attack is a stark example of the damage Scattered Spider can inflict on an enterprise network and shows why the group must be taken seriously. The incident left systems across the conglomerate's global network of more than 30 hotels and casinos offline for over 10 days, causing substantial revenue losses, and the company paid a $15 million ransom to regain control.

Even though law enforcement agencies such as the FBI are well informed about the threat group and have accumulated extensive data on its activities, disrupting Scattered Spider's operations has proven difficult, which has raised concern within the security community.

Enterprise Defense Against a Significant Cyber Threat

To protect your business from the agile threat posed by groups like Scattered Spider, ReliaQuest suggests a few practical steps. First, follow the principle of least privilege, especially given the misuse of Okta super administrator credentials in this attack: restrict the super administrator role to as few accounts as possible, since it can alter critical tenant settings.

For users assigned to this role, require MFA factors that strongly resist bypass. Also ensure that any new sign-in, or the addition of an MFA factor, on a super administrator account triggers a notification. Apply the same scrutiny to access to internal IT documentation, an area whose access restrictions are often overlooked.

Given Scattered Spider's habit of socially engineering help-desk employees to obtain initial cloud access, it is crucial to enforce strict identity-verification policies for end users, especially for actions such as credential resets or MFA changes. Implement challenge-response processes and require confirmation of the user's identity before the help desk takes any such action.
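The notification recommendation above for super administrator accounts (alert on a new sign-in or a newly added MFA factor) can be turned into a simple rule over the same Okta System Log feed. The block below is an added example, not ReliaQuest's or Okta's code. It assumes the list of super administrators has already been pulled from the tenant's admin-role assignments (here a constructed set), uses the event type names `user.mfa.factor.activate` and `user.session.start` as the author recalls them from Okta's log, and treats the `behaviors` string as Okta reports it ("New Device=POSITIVE"); all events, users and timestamps are constructed.

```python
"""Alert on new MFA factors and new-device sign-ins for super admins (added example)."""

# Event types named after Okta's System Log (simplified field subset).
FACTOR_ACTIVATE = "user.mfa.factor.activate"
SESSION_START = "user.session.start"

# Constructed: in practice, populate this from the tenant's admin-role assignments.
SUPER_ADMINS = {"it.admin@example.com"}


def _factor_event(published, actor, subject, factor):
    """Factor activation: the affected user is in `target`, the person who
    performed it is in `actor` (they differ when an admin enrolls for someone)."""
    return {
        "published": published, "eventType": FACTOR_ACTIVATE,
        "actor": {"alternateId": actor},
        "target": [{"type": "User", "alternateId": subject}],
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"factor": factor}},
    }


def _session_event(published, actor, ip, behaviors):
    return {
        "published": published, "eventType": SESSION_START,
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "outcome": {"result": "SUCCESS"},
        "debugContext": {"debugData": {"behaviors": behaviors}},
    }


# Constructed sample events: a help-desk account enrolls a new push factor for
# the super admin, the super admin then signs in from a new device; a regular
# user doing the same things must not raise anything.
SAMPLE_EVENTS = [
    _factor_event("2023-11-10T13:58:00.000Z", "helpdesk@example.com",
                  "it.admin@example.com", "OKTA_VERIFY_PUSH"),
    _session_event("2023-11-10T14:01:40.000Z", "it.admin@example.com", "99.25.84.9",
                   "{New Geo-Location=POSITIVE, New Device=POSITIVE, New IP=POSITIVE}"),
    _factor_event("2023-11-10T14:10:00.000Z", "bob@example.com",
                  "bob@example.com", "OKTA_VERIFY_PUSH"),
    _session_event("2023-11-10T14:12:00.000Z", "bob@example.com", "203.0.113.20",
                   "{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=POSITIVE}"),
    _session_event("2023-11-10T16:00:00.000Z", "it.admin@example.com", "203.0.113.10",
                   "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE}"),
]


def privileged_account_alerts(events, super_admins=SUPER_ADMINS):
    """Return alert dicts for factor enrollment or new-device sign-in on super admins."""
    alerts = []
    for e in events:
        if e["outcome"]["result"] != "SUCCESS":
            continue
        data = e.get("debugContext", {}).get("debugData", {})
        if e["eventType"] == FACTOR_ACTIVATE:
            # Key on the target, so an enrollment performed by a help-desk
            # account on a super admin's behalf is still caught.
            subjects = [t["alternateId"] for t in e.get("target", []) if t.get("type") == "User"]
            for subject in subjects:
                if subject in super_admins:
                    alerts.append({"kind": "new_mfa_factor", "user": subject,
                                   "performed_by": e["actor"]["alternateId"],
                                   "factor": data.get("factor"), "at": e["published"]})
        elif e["eventType"] == SESSION_START:
            subject = e["actor"]["alternateId"]
            if subject in super_admins and "New Device=POSITIVE" in data.get("behaviors", ""):
                alerts.append({"kind": "new_device_sign_in", "user": subject,
                               "ip": e["client"]["ipAddress"], "at": e["published"]})
    return alerts


if __name__ == "__main__":
    for alert in privileged_account_alerts(SAMPLE_EVENTS):
        print(alert)
```

Keying the factor rule on the event's target rather than its actor matters for exactly the help-desk path the article describes: the person adding the factor is often not the account owner. Route these alerts to a channel the super administrators themselves do not control, so a compromised admin session cannot silence its own notification.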

In short, defending against groups like Scattered Spider demands ongoing vigilance. As the researchers recommend, strengthen your security controls, conduct regular assessments, and keep up with emerging threats.

By mansoor
