Anatomy of a Scattered Spider attack: A growing ransomware threat evolves

Ensuing battle over IT resources: Despite the stealth of the attack, incident responders at the compromised company detected the intrusion and began to fight back, setting up a tug-of-war for control over the organization’s IT resources. In response, Scattered Spider abandoned covert infiltration and began an aggressive attempt to disrupt business operations and hinder response and recovery. For example, the group began deleting Azure Firewall policy rule collection groups. The attack was ultimately thwarted, at least in its main aims: although some sensitive data was extracted, the likely plan to deploy ransomware never came to fruition. The battle over privileged roles escalated until Microsoft had to intervene to restore control over the tenant.

“Scattered Spider’s latest campaign demonstrates its ability to adapt and evolve, blending human-centric exploitation with technical sophistication to compromise identity systems and virtual environments,” ReliaQuest concludes.

Faster, further, stronger: Christiaan Beek, senior director, threat analytics at Rapid7, told CSO that Scattered Spider’s tradecraft has evolved over recent months as the group has developed better knowledge of cloud-based systems and carried out more aggressive, multi-pronged attacks. Beek noted the following additions to Scattered Spider’s arsenal:

Cloud intrusion techniques: “The group has demonstrated a deep understanding of cloud environments using AWS Systems Manager Session Manager, EC2 Serial Console, and IAM [identity and access management] role enumeration to pivot and persist within cloud infrastructure, techniques typically seen in advanced threat actors,” according to Beek.

New persistence methods: “They’ve begun abusing legitimate infrastructure tools like Teleport for long-term access, setting up encrypted outbound connections that evade traditional detection mechanisms, a shift from their earlier reliance on commercial RMM [remote monitoring and management] tools alone,” Beek said.

Faster, multilayered attacks: Scattered Spider’s operations have become more aggressive and compressed. “Within hours of initial compromise, often via social engineering, they escalate privileges, move laterally, establish persistence, and begin reconnaissance across both cloud and on-prem environments,” Beek explained. “This speed and fluidity represent a significant escalation in operational maturity.”

While Scattered Spider has expanded its targets to new industries over recent months, first retail and then technology, finance, and now aviation, its fundamental modus operandi remains similar, ReliaQuest researchers have found. “This shift shows the group is willing to adapt its targets to maximize financial returns,” a ReliaQuest spokesperson told CSO. “That said, its tactics haven’t really changed; Scattered Spider still leans on sophisticated social engineering to target help-desk employees and gain access to high-value accounts.”
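The cloud-side behaviours Beek lists (Session Manager sessions, EC2 Serial Console use, IAM role enumeration) and the Azure Firewall policy rule collection group deletions described in the incident above all leave control-plane audit records, which is where a defender can catch them. The following Python is an added example, not code from the CSO article, ReliaQuest or Rapid7: a small rule-based triage over constructed sample records in simplified AWS CloudTrail and Azure Activity Log shapes. The CloudTrail event names are the ones those services emit; the Azure operation string is assumed from the resource provider's naming and should be confirmed against your own tenant's log. The three-calls-in-five-minutes enumeration threshold, the principal and IP values, and the trimmed record layouts are assumptions for illustration.

```python
"""Rule-based triage of cloud control-plane audit events.

Added example for the behaviours described in the article; not code from
CSO, ReliaQuest or Rapid7. Record layouts are simplified: real AWS CloudTrail
and Azure Activity Log records carry many more fields than the rules read.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    severity: str
    title: str
    principal: str
    source_ip: str
    when: str


# Azure Activity Log: alert on any delete under the Firewall Policy resource
# type, which covers the rule collection group deletions from the incident.
# Azure exports operationName in mixed or upper case, so compare lower-cased.
# Operation string assumed from resource-provider naming; confirm in your logs.
AZURE_FW_POLICY_PREFIX = "microsoft.network/firewallpolicies/"

# AWS CloudTrail (eventSource, eventName) pairs that warrant an alert on their own.
AWS_SINGLE_EVENT_RULES = {
    ("ssm.amazonaws.com", "StartSession"):
        ("medium", "SSM Session Manager session started"),
    ("ec2.amazonaws.com", "EnableSerialConsoleAccess"):
        ("high", "EC2 Serial Console access enabled for the account"),
    ("ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey"):
        ("high", "SSH key pushed to an EC2 Serial Console"),
}

# IAM read calls that look like role enumeration when one principal makes
# several in quick succession. Threshold and window are assumed tuning values.
IAM_ENUM_CALLS = {"ListRoles", "GetRole", "ListRolePolicies", "ListAttachedRolePolicies"}
IAM_ENUM_THRESHOLD = 3
IAM_ENUM_WINDOW = timedelta(minutes=5)


def _parse_time(value: str) -> datetime:
    # Both sources use ISO 8601 with a trailing Z in these samples.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(records: list[dict]) -> list[Alert]:
    """Return one Alert per rule match, in input order."""
    alerts: list[Alert] = []
    iam_calls: dict[str, list[datetime]] = defaultdict(list)  # principal -> recent call times

    for rec in records:
        if "operationName" in rec:  # Azure Activity Log record
            op = rec["operationName"].lower()
            if op.startswith(AZURE_FW_POLICY_PREFIX) and op.endswith("/delete"):
                alerts.append(Alert("high", f"Azure Firewall policy object deleted ({rec['operationName']})",
                                    rec.get("caller", "?"), rec.get("callerIpAddress", "?"), rec.get("time", "?")))
            continue

        # AWS CloudTrail record
        key = (rec.get("eventSource"), rec.get("eventName"))
        principal = rec.get("userIdentity", {}).get("arn", "?")
        ip = rec.get("sourceIPAddress", "?")
        if key in AWS_SINGLE_EVENT_RULES:
            severity, title = AWS_SINGLE_EVENT_RULES[key]
            alerts.append(Alert(severity, title, principal, ip, rec.get("eventTime", "?")))
        elif key[0] == "iam.amazonaws.com" and key[1] in IAM_ENUM_CALLS:
            now = _parse_time(rec["eventTime"])
            recent = [t for t in iam_calls[principal] if now - t <= IAM_ENUM_WINDOW]
            recent.append(now)
            iam_calls[principal] = recent
            if len(recent) == IAM_ENUM_THRESHOLD:  # fire once, when the burst crosses the threshold
                alerts.append(Alert("medium", "IAM role enumeration burst", principal, ip, rec["eventTime"]))
    return alerts


def load_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample records (not real telemetry), one JSON object per line.
_CT = ('{"eventTime":"%s","eventSource":"%s","eventName":"%s","sourceIPAddress":"203.0.113.7",'
       '"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/HelpdeskOps/j.doe"}}')
SAMPLE_LOG = "\n".join([
    _CT % ("2025-06-30T10:00:00Z", "iam.amazonaws.com", "ListRoles"),
    _CT % ("2025-06-30T10:00:12Z", "iam.amazonaws.com", "GetRole"),
    _CT % ("2025-06-30T10:00:20Z", "s3.amazonaws.com", "ListBuckets"),  # benign noise, no rule
    _CT % ("2025-06-30T10:00:31Z", "iam.amazonaws.com", "ListAttachedRolePolicies"),
    _CT % ("2025-06-30T10:03:00Z", "ec2.amazonaws.com", "EnableSerialConsoleAccess"),
    _CT % ("2025-06-30T10:03:30Z", "ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey"),
    _CT % ("2025-06-30T10:05:00Z", "ssm.amazonaws.com", "StartSession"),
    '{"time":"2025-06-30T11:20:00Z","operationName":"MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE",'
    '"caller":"j.doe@contoso.example","callerIpAddress":"203.0.113.7"}',
    '{"time":"2025-06-30T11:21:00Z","operationName":"Microsoft.Compute/virtualMachines/read",'
    '"caller":"j.doe@contoso.example","callerIpAddress":"203.0.113.7"}',  # benign read, no rule
])
SAMPLE_RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(f"[{a.severity:6}] {a.when} {a.principal} from {a.source_ip}: {a.title}")
```

Run as a script it prints five alerts from the sample: the enumeration burst fires on the third IAM read call from the same principal, the two Serial Console events and the Session Manager session each fire on their own, and the upper-case Azure delete matches because the comparison is case-insensitive. In production the records would come from CloudTrail's S3 delivery and an Activity Log export rather than an inline string, and `StartSession` is noisy wherever Session Manager is the sanctioned admin path, so baseline it per principal and source IP rather than alerting on every session.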

Countermeasures: In a blog post last week, security tools vendor Rapid7 detailed Scattered Spider’s latest tactics, techniques, and procedures (TTPs), alongside recommendations for defensive best practices.

“[The] group’s techniques, while sophisticated in execution, often exploit lapses in basic security practices, such as over-reliance on help desk identity proofing, or unmonitored use of admin tools,” Rapid7 researchers wrote. “Strengthening those areas, along with user education and modern authentication controls, provides a strong defence against Scattered Spider’s blend of social engineering and technical prowess.”

“Phishing-resistant MFA is key to block attacks at the outset, whilst vigilant monitoring in the cloud and on endpoints plays a part in catching unusual behavior before it escalates. Beyond technology, it’s crucial to maintain disciplined identity practices,” Rapid7’s Beek told CSO. “This means limiting standing privileges and enforcing approvals for sensitive actions, alongside regularly reviewing access rights.”

Defending effectively against Scattered Spider involves tackling both human and technical vulnerabilities, ReliaQuest researchers noted. “To defend against these attacks, strengthen help-desk verification procedures to prevent unauthorised access, harden virtualised infrastructure to detect suspicious activity, and regularly test and train employees against social engineering tactics,” ReliaQuest advised. “These measures protect identity systems and workflows and disrupt the group’s ability to manipulate trust and evade defences.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4020567/anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves.html
