Scattered Spider
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| Octo Tempest | (Citation: Microsoft Threat Actor Naming July 2023) |
| Roasted 0ktapus | (Citation: CrowdStrike Scattered Spider BYOVD January 2023) |
| Storm-0875 | (Citation: Microsoft Threat Actor Naming July 2023) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .002 | Account Discovery: Domain Account |
Scattered Spider leverages legitimate domain accounts to gain access to the target environment.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1098 | .003 | Account Manipulation: Additional Cloud Roles |
During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.(Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1213 | .003 | Data from Information Repositories: Code Repositories |
Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023) |
| .005 | Data from Information Repositories: Messaging Applications |
Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.(Citation: CISA Scattered Spider Advisory November 2023) |
||
| Enterprise | T1484 | .002 | Domain or Tenant Policy Modification: Trust Modification |
Scattered Spider adds a federated identity provider to the victim’s SSO tenant and activates automatic account linking.(Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Scattered Spider has exfiltrated victim data to the MEGA file sharing site.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1564 | .008 | Hide Artifacts: Email Hiding Rules |
Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.(Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1556 | .006 | Modify Authentication Process: Multi-Factor Authentication |
After compromising user accounts, Scattered Spider registers their own MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023) |
| .009 | Modify Authentication Process: Conditional Access Policies |
Scattered Spider has added additional trusted locations to Azure AD conditional access policies. (Citation: MSTIC Octo Tempest Operations October 2023) |
||
| Enterprise | T1578 | .002 | Modify Cloud Compute Infrastructure: Create Cloud Instance |
During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also created Amazon EC2 instances within the victim's environment.(Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1003 | .003 | OS Credential Dumping: NTDS |
Scattered Spider has extracted the `NTDS.dit` file by creating volume shadow copies of virtual domain controller disks.(Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1598 | .004 | Phishing for Information: Spearphishing Voice |
During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.(Citation: MSTIC Octo Tempest Operations October 2023) |
| Enterprise | T1021 | .007 | Remote Services: Cloud Services |
During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.(Citation: CISA Scattered Spider Advisory November 2023) |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.(Citation: CrowdStrike Scattered Spider BYOVD January 2023) |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
Scattered Spider Spider searches for credential storage documentation on a compromised host.(Citation: CISA Scattered Spider Advisory November 2023) |
| .004 | Unsecured Credentials: Private Keys |
Scattered Spider enumerate and exfiltrate code-signing certificates from a compromised host.(Citation: CISA Scattered Spider Advisory November 2023) |
||
References
- Trellix et. al.. (2023, August 17). Scattered Spider: The Modus Operandi. Retrieved March 18, 2024.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.
- CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.
- CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
- Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
- Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.