Scattered Spider Hops Nimbly From Cloud to On-Prem in Complex Attack

The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an hour.

The attack by Scattered Spider, an ALPHV/Black Cat ransomware affiliate, sealed the group's position as a formidable adversary for large enterprises with a nimble ability to target the enterprise through their cloud service providers, according to a report by ReliaQuest published on Nov. 22.

Tactics demonstrated were similar to the ones that took down MGM's network, with the group using credentials to an Okta single-sign-on agent stolen from a help-desk employee to enter a third-party cloud environment and move onto the enterprise network from there, the researchers revealed.

"During the investigation, the initial-access vector was unclear, but weeks later, the customer reported that the intrusion was attributed to a social-engineering attack, in which the user's credentials were reset by the attackers," according to the report. "This tactic of social engineering strongly aligns with Scattered Spider's previous tactics, techniques, and procedures, which are used to elicit valid account credentials from a target."

Manipulating MFA in Fatigue Attacks

Specifically, attackers used a socially-engineered MFA fatigue attack, in which they used the valid account credentials to attempt four MFA challenges within two minutes. The last resulted in successful authentication, with a "New device sign-in" being observed from Florida IP address 99.25.84[.]9 that was used to reset a legitimate Okta user's credentials to access the environment of a cloud service provider.

Attackers then quickly transitioned to the on-premise enterprise environment, where they authenticated to Citrix Workspace via the IT administrator's Okta credentials and again were prompted to complete MFA. The prompt was sent to the newly registered device under the group's control, allowing attackers to access the workspace and move on from there to conduct other nefarious activities on various parts of the customer infrastructure.

These activities included hijacking of Citrix sessions and privilege elevation, by creating a highly privileged user in the form of a fake security architect user, enabling attackers to move laterally at will across Azure, SharePoint, and other critical assets in the environment, the researchers said.

Scattered Spider ultimately used a combination of TTPs - including social engineering of help-desk employees, identity-as-a-service cross-tenant impersonation, file enumeration and discovery, abuse of specific enterprise applications, and use of persistence tools - to achieve widespread encryption and exfiltration of data from the targeted network.

Scattered Spider Evolves to Be a Formidable Adversary

The incident demonstrated the scale and operational capability of Scattered Spider, which in a short time has shown sophistication in its abuse of resources in compromised environments, which span various sectors and regions. The danger is that other threat actors will learn from their tactics and mount copycat attacks, the researchers noted.

"Scattered Spider pivots and targets applications with remarkable precision, using access to internal IT documentation for extremely efficient lateral movement," according to the report. "As other threat actors become more sophisticated and learn from successful patterns, they will be able to exploit similar TTPs."

If the MGM attack was any indication, attacks by Scattered Spider can cause catastrophic damage to an enterprise network and should be taken extremely seriously. Systems across the conglomerate's more than 30 hotels and casinos around the globe were offline for more than 10 days, resulting in a loss of tens of millions of dollars in revenue in addition to the $15 million in ransom the company shelled out to unlock systems.

While law enforcement authorities like the FBI are well aware of the threat group and have amassed volumes of data on its activities, they so far have been unable to disrupt its activities - which remains a point of contention in the security community.

Enterprise Defense Against a Significant Cyber Threat

ReliaQuest has offered a number of actions enterprises can take to avoid being compromised by the nimble group as they remain on their own to defend against it. One is to adhere to the "Principle of least privilege," particularly given the misuse of Okta super administrator credentials, the researchers said.

Enterprises should restrict the super administrator role, as it grants the potential to alter various settings, such as to register an external identity provider, or deactivate strong authentication requirements.

"Users assigned to this role should use a form of MFA that demonstrates substantial resistance to MFA bypass attacks," according to the report. In this case, new sign-ons, or the enrollment of an MFA factor for super administrator accounts, should be accompanied by a notification.

This recommendation should also apply to access to internal IT documentation - to which many organizations do not adequately limit access, the researchers said.

Given that Scattered Spider often uses social-engineering manipulation of a help-desk employee for initial access to the cloud, the researchers also recommend that help desks adhere to rigorous policies concerning the verification of end users' identities, particularly for procedures involving the reset of credentials or MFA factors. These include implementing a challenge-response process or mandating user identity confirmation prior to any help-desk action.

Overall, groups like Scattered Spider require that enterprise defenders prioritize constant vigilance by strengthening security protocols, conducting regular assessments, and staying informed about emerging threats, the researchers concluded.
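
The MFA fatigue pattern described above (four challenges within two minutes, the last one approved, followed by a new-device sign-in) can be turned into a detection rule. The following Python sketch is an added example, not code from the ReliaQuest report or from Okta; the event names, the tuple schema, the 15-minute follow-up window and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema (not a vendor
# log format): (timestamp, user, event, source_ip). IPs are documentation ranges.
SAMPLE_EVENTS = [
    ("2023-11-01T14:00:05", "it.admin", "mfa_challenge", "203.0.113.7"),
    ("2023-11-01T14:00:35", "it.admin", "mfa_challenge", "203.0.113.7"),
    ("2023-11-01T14:01:10", "it.admin", "mfa_challenge", "203.0.113.7"),
    ("2023-11-01T14:01:50", "it.admin", "mfa_challenge", "203.0.113.7"),
    ("2023-11-01T14:01:58", "it.admin", "mfa_success", "203.0.113.7"),
    ("2023-11-01T14:02:10", "it.admin", "new_device_signin", "203.0.113.7"),
    ("2023-11-01T14:06:00", "it.admin", "factor_enrolled", "203.0.113.7"),
    # Benign user: a single prompt that is approved.
    ("2023-11-01T15:00:00", "j.doe", "mfa_challenge", "198.51.100.20"),
    ("2023-11-01T15:00:09", "j.doe", "mfa_success", "198.51.100.20"),
]

def detect_mfa_fatigue(events, min_challenges=4, window=timedelta(minutes=2),
                       follow_up=timedelta(minutes=15)):
    """Alert on an MFA approval that ends a burst of challenges for one user."""
    recent = defaultdict(deque)  # user -> timestamps of pending challenges
    open_alerts = {}             # user -> (alert time, alert) for follow-on events
    alerts = []
    for ts_raw, user, event, ip in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if event == "mfa_challenge":
            recent[user].append(ts)
        elif event == "mfa_success":
            q = recent[user]
            while q and ts - q[0] > window:  # drop challenges outside the window
                q.popleft()
            if len(q) >= min_challenges:
                alert = {"user": user, "ip": ip, "time": ts_raw,
                         "challenges": len(q), "follow_on": []}
                alerts.append(alert)
                open_alerts[user] = (ts, alert)
            q.clear()
        elif event in ("new_device_signin", "factor_enrolled"):
            started, alert = open_alerts.get(user, (None, None))
            if alert and ts - started <= follow_up:  # raises alert severity
                alert["follow_on"].append(event)
    return alerts

if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(a)
```

An alert whose `follow_on` list is non-empty matches the sequence in the report most closely and is the case to route for immediate review, in line with the recommendation to notify on new sign-ons and MFA factor enrollment for privileged accounts.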

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:02 +0000

