Scattered Spider Report

Q3-Q4 2022

Silent SIM Swaps

Series of attacks targeting the Telecommunications sector, attempting to gain access to mobile carrier networks and occasionally performing SIM Swapping attacks.

In each incident, initial access is achieved through targeted social engineering, involving phone calls and text messages that impersonate IT staff. Deep & Dark Web monitoring has indicated that Scattered Spider profited from these operations by performing SIM Swapping operations as a service.

Q4 2022 – Q2 2023

Azure Strikes

Suspected Scattered Spider attacks on Azure native organisations, characterized by SIM swaps for initial access and resulting in manipulated and exfiltrated data.

Q3 – Q4 2023

Expanding & Extorting

Scattered Spider starts monetizing their operations through ransomware as a service operators (ALPHV) and diversifies their victim base.

Cloud-Confident

Scattered Spider are highly competent at crawling and exploiting cloud-based infrastructure, particularly Microsoft Azure.

Coercive & Manipulative

Scattered Spider gains access to credentials and secrets through targeted social engineering attempts and through impersonation of employees.

Mobile Infiltration

Scattered Spider exploits mobile devices, leveraging them either as conduits for coercing targets or as critical instruments for circumventing multi-factor authentication systems.

Scattered Spider’s Behaviour & Characteristics

Threat Landscape Trends

What Should We Expect Going Forward?

Cloud Attacks

Scattered Spider is highly proficient in Microsoft Azure, and is known to:

• Use open source attack tooling to gather Azure secrets and other sensitive information.
• Execute “golden SAML” attacks by adding rogue federated identity providers to victim’s Azure AD.
• Create Azure virtual machines and modify Azure’s firewalls to maintain persistence.
• Use Azure Data Factory to modify pipelines and exfiltrate data to attacker controlled servers.

Attack techniques targeting Infrastructure as a Service (IaaS) operations have increased by 60% between 2022 and 2023.

The number of large organizations with a multi-cloud strategy is predicted to rise from 76% to 85% during 2024¹. And the cybersecurity skills gap is widening, especially with respect to cloud security.

The number of attacks targeting virtualized infrastructure will likely grow as the cloud adoption increases and the knowledge gap widens.

Social Engineering

Scattered Spider relies heavily on social engineering and impersonation throughout the attack kill-chain. They conduct SMS phishing campaigns to gain initial access, and once inside will impersonate employees in an attempt to maintain or extend their access.

Employees remain an organisations’ weakest link. 33.2% of poorly trained users will fail a phishing test.²

Deep-fake and generative AI technologies play into the hands of the threat actors and with these technologies we should expect to see increasingly convincing and coercive social engineering attempts.

Mobile Devices

Scattered Spider conducts credential theft through SMS phishing campaigns. And occasionally, they will conduct SIM swapping attacks to further embellish and improve their impersonation attempts during calls to service desks, or to receive MFA codes.

17% of enterprise users encountered phishing links on their mobile devices.³

As baseline security levels improve amongst organisations, threat actors will look to find gaps in control coverage by targeting difficult-to-manage and sometimes forgotten assets, such as mobile devices.

1. PAM & IAM Tooling

Throughout the attack lifecycle, Scattered Spider relies on the exploitation of valid credentials coercing them from employees, and discovering them from dumps in systems until they obtain sufficient privileged access. There are a number of arduous steps an organization must take to secure manage these credentials against each technique, but these tasks
are greatly simplified by both Privileged Access Management (PAM) and Identity and Access Management (IAM) tooling. A tool that integrates the two capabilities further closes the gaps of each system.

2. User Training

The workforce are an organisation’s weakest link in attacks such as those from Scattered Spider. The workforce needs to be continually trained, and training needs to be updated and informed by threat intelligence to increase awareness of the latest social engineering techniques.

3. Configuration Management & Audit of Azure

Organisations should leverage tools like Azure Policy for enforcing and auditing resource configurations, Azure Monitor for tracking performance and health, and Azure Security Center for continuous assessment and recommendations. These tools help identify misconfigurations, enforce policies, and provide visibility into the security posture of Azure environments, mitigating risks associated with unauthorized access or data breaches.

4. Multi-Factor Authentication (MFA)

Whilst MFA is widely recognised as a critical security control in mitigating against a range of attacks, Scattered Spider has demonstrated a portfolio of techniques that can be used to bypass multi-factor authentication, including SIM Swapping and SMS phishing. It is important for organisations to assess and validate the scope of MFA implementation and the security of the method: hardware-based tokens and software token apps (avoiding use of push notifications) are less susceptible to social engineering.

5. Mobile Device Management (MDM)

Scattered Spider delivers social engineering attacks through mobiles because they have weaker baseline security controls and because mobiles often operate as an authentication key to the network. For organisations that rely on mobile devices for authentication and critical communications, it is important to monitor and manage the security settings and configurations on mobile devices. A mobile device management (MDM) solution can mitigate against Scattered Spider and similar mobile-based attacks by enforcing strong security policies on mobile devices used for accessing corporate resources.