Ransomware in the Cloud: Scattered Spider Targets Financial and Insurance Sectors
Introduction
On September 10, 2024, EclecticIQ released a detailed report analyzing ransomware operations affecting cloud infrastructures within the financial and insurance sectors. The report identifies SCATTERED SPIDER, a cybercriminal group known for using voice and SMS phishing to infiltrate cloud-based environments, as a significant threat actor. Their attacks exploit cloud-native tools and vulnerabilities, making detection and mitigation challenging.
Report Overview
SCATTERED SPIDER is a cybercrime group that employs advanced social engineering tactics, such as voice phishing (vishing) and SMS phishing (smishing), to gain unauthorized access to corporate cloud environments. The group typically impersonates employees and IT personnel to manipulate multi-factor authentication (MFA) settings, tricking victims into handing over login credentials. Its primary targets are cloud services and high-privileged user accounts within organizations, especially those belonging to IT service desks and cybersecurity teams.
SCATTERED SPIDER's attacks begin by acquiring stolen credentials, often through phishing campaigns or publicly exposed code repositories like GitHub, where hardcoded credentials are accidentally leaked. They use tools to scan for cloud authentication tokens, allowing access to cloud resources such as Microsoft Entra ID, AWS EC2, and VMware Workspace ONE.
Once access is gained, the group maintains persistence by utilizing legitimate cloud features, such as creating unauthorized virtual machines or manipulating MFA configurations. SCATTERED SPIDER also leverages SIM swapping to intercept MFA codes sent via SMS, bypassing security measures on sensitive accounts. Their operations are aided by a deep understanding of Western business practices and partnerships with groups like BlackCat/ALPHV, enhancing their effectiveness in targeting organizations.
The financial and insurance sectors are particularly vulnerable to SCATTERED SPIDER's attacks. The consequences include:
- Data breaches.
- Unauthorized access to critical cloud systems.
- Ransomware deployments that can severely disrupt business operations.
The group's cloud-native tools enable them to evade traditional detection methods, prolonging their access to compromised environments. Organizations using cloud-based services like Okta, AWS, and Microsoft Azure are at heightened risk, as these platforms are frequent targets.
Insights and Analysis
EclecticIQ analysts confidently assess that SCATTERED SPIDER's methods are becoming more sophisticated. Using smishing and vishing, combined with cloud-native tools, presents significant challenges for cybersecurity teams. The group's ability to manipulate MFA settings and deploy ransomware in cloud environments underlines the need for enhanced monitoring and security protocols.
To mitigate the risks posed by SCATTERED SPIDER, organizations should:
- Implement phishing-resistant MFA methods, such as app-based authentication instead of SMS.
- Regularly audit cloud access and usage to detect unauthorized virtual machine creation.
- Use conditional access policies to limit administrative privileges based on device compliance and geolocation.
- Monitor cloud environments for abnormal activities, such as excessive egress traffic or the creation of new VMs.
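As an added illustration of the auditing and monitoring items above (example code written for this summary, not from the EclecticIQ report), the following Python detector runs over constructed, provider-neutral audit events and flags the three behaviours the report attributes to SCATTERED SPIDER: an MFA factor swap on a user account, VM creation by an identity outside an approved allowlist, and unusually large egress. The event field names, allowlist entries and thresholds are assumptions, not any cloud provider's real schema.

```python
"""Detections for the cloud behaviours described above.

Added example: events, field names and allowlists are constructed
assumptions, not telemetry from the report or a real provider schema.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (UTC timestamps, ISO 8601).
EVENTS = [
    {"ts": "2024-09-01T10:00:00", "actor": "helpdesk.bob", "action": "MfaMethodRemoved",
     "target": "cfo.alice", "ip": "203.0.113.7"},
    {"ts": "2024-09-01T10:02:00", "actor": "helpdesk.bob", "action": "MfaMethodAdded",
     "target": "cfo.alice", "ip": "203.0.113.7", "method": "sms"},
    {"ts": "2024-09-01T10:30:00", "actor": "cfo.alice", "action": "CreateVirtualMachine",
     "target": "vm-unmanaged-01", "ip": "203.0.113.7"},
    {"ts": "2024-09-01T11:00:00", "actor": "ci-deployer", "action": "CreateVirtualMachine",
     "target": "web-42", "ip": "198.51.100.5"},
    {"ts": "2024-09-01T12:00:00", "actor": "cfo.alice", "action": "StorageEgress",
     "target": "finance-bucket", "ip": "203.0.113.7", "bytes": 40_000_000_000},
]

# Assumed defender-maintained allowlist and thresholds (constructed values).
VM_CREATORS = {"ci-deployer", "platform-admin"}
EGRESS_THRESHOLD = 10 * 1024**3           # 10 GiB moved in a single event
MFA_SWAP_WINDOW = timedelta(minutes=15)   # remove-then-add inside this window

def detect(events, vm_creators=VM_CREATORS):
    """Return (rule, actor, target) alerts in chronological order."""
    alerts = []
    removed = {}  # target account -> time of its last MfaMethodRemoved
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        action = e["action"]
        if action == "MfaMethodRemoved":
            removed[e["target"]] = t
        elif action == "MfaMethodAdded":
            # A factor removed and re-added shortly afterwards looks like a
            # swap; flag SMS separately because of the SIM-swap exposure.
            prev = removed.get(e["target"])
            if prev is not None and t - prev <= MFA_SWAP_WINDOW:
                rule = "mfa_swap_sms" if e.get("method") == "sms" else "mfa_swap"
                alerts.append((rule, e["actor"], e["target"]))
        elif action == "CreateVirtualMachine" and e["actor"] not in vm_creators:
            # VM creation by anything but the approved automation/admin identities.
            alerts.append(("vm_create_unexpected", e["actor"], e["target"]))
        elif action == "StorageEgress" and e.get("bytes", 0) >= EGRESS_THRESHOLD:
            alerts.append(("egress_excessive", e["actor"], e["target"]))
    return alerts
```

In a real deployment the allowlist and thresholds would come from the organization's change records, and the events from the provider's audit log rather than the inline list.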
In summary, SCATTERED SPIDER's evolving tactics emphasize the importance of robust cloud security practices, especially for high-value industries like finance and insurance. As these threats grow more sophisticated, proactive defences and awareness are crucial to maintaining the security of cloud infrastructures.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| c7497366fd0d8c9d72f96e7190632a51 | MD5 | Gosecretsdump used for credential extraction |
| b233ff9dcf5520d69f9b75e1424f3271 | MD5 | Sliver C2 framework observed in SCATTERED SPIDER |
| cc230dcea35be180e3487b53e4b2cfba | MD5 | BlackCat Ransomware binary |
| 8445274c237eb83d56070e499f43641f | MD5 | Phishing HTML template used in attacks |
| 1d05a83a639031913574c0bbb06026a4 | MD5 | Another phishing HTML template |
| revolut-ticket[.]com | Domain | Typosquatted domain registered via registrar.eu |
| servicenow-help[.]com | Domain | Typosquatted domain registered via registrar.eu |
| ibexglobai[.]com | Domain | Typosquatted domain registered via registrar.eu |
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing | T1566 | SCATTERED SPIDER used phishing and smishing to gain initial access to accounts. |
| Credential Access | Credential Dumping | T1003 | Use of Gosecretsdump for extracting credentials. |
| Persistence | Create or Modify System Process | T1543 | SCATTERED SPIDER creates unauthorized virtual machines to maintain persistence. |
| Defense Evasion | Disable or Modify Tools | T1562 | Threat actors disable MFA or cloud security tools to evade detection. |
| Impact | Data Encrypted for Impact | T1486 | Deployment of ransomware targeting cloud infrastructure. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Use of tools to manipulate MFA settings and escalate privileges. |