New Developer-as-a-Service on Hacking Forums Fuels Phishing and Cyberattacks

SCATTERED SPIDER, a financially motivated threat group that deploys ransomware, is abusing cloud infrastructure to target the insurance and financial sectors. It relies on social engineering such as vishing (voice phishing) and smishing (SMS phishing) to deceive employees and gain access to their systems.

The group uses stolen credentials, SIM swaps, and cloud-native tools to maintain persistence. Its deep familiarity with Western business practices has also made it an effective partner of the BlackCat (ALPHV) ransomware operation, strengthening its ability to target Western organizations.

An analysis by EclecticIQ has identified the techniques SCATTERED SPIDER uses to infiltrate cloud environments, persist in them, and deploy ransomware, highlighting the risk that weakly protected cloud identities pose to the rest of the infrastructure.

Ransomware deployment life cycle in cloud environments

The group compromises cloud infrastructure by exploiting leaked authentication tokens and by running phishing and smishing campaigns against high-privileged accounts, particularly those of identity administrators, using social engineering and typosquatted domains.

Its phishing pages mimic the login pages of legitimate cloud platforms, and its SMS messages lure victims into entering their credentials on them. The captured credentials give the attackers unauthorized access to cloud systems from which further attacks can be launched.

Example of AWS token leak in GitHub 
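Leaked tokens in public repositories are the first access path the article names. The scanner below, added here as an illustration and not code from the article or the EclecticIQ report, shows the check a practitioner runs over a commit or diff to find AWS access key pairs and decide what to do with them. The sample diff is constructed; the AKIAIOSFODNN7EXAMPLE pair is the placeholder AWS publishes in its documentation, and the second key ID is made up.

```python
"""Scan a git diff or any text for leaked AWS access key pairs.

Added example, not code from the article or the EclecticIQ report. The sample
diff below is constructed; AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY is the
placeholder pair published in AWS documentation, the second key ID is made up.
"""
import re

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 characters from the base64 alphabet; the
# look-arounds stop the pattern from matching a slice of a longer token.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# Placeholder IDs that AWS itself publishes; report them, but do not page anyone.
DOCUMENTED_EXAMPLE_IDS = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}

# Constructed sample input: two hunks of a commit, one with a full key pair,
# one with only the key ID exported in a shell script.
SAMPLE_COMMIT = """\
diff --git a/deploy/config.py b/deploy/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+REGION = "us-east-1"
diff --git a/scripts/backup.sh b/scripts/backup.sh
+export AWS_ACCESS_KEY_ID=AKIAQ3ZX7T2PLM9VWN4B
+# secret is in the vault, not here
+aws s3 sync /data s3://example-bucket
"""


def scan_for_leaked_aws_keys(text, window=3):
    """Return one finding per access key ID, with the nearest secret candidate.

    The secret is looked for on the key's own line and the `window` lines
    after it, which is where config files and shell exports usually put it.
    """
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for key_id in ACCESS_KEY_RE.findall(line):
            secret = None
            for nearby in lines[idx: idx + window + 1]:
                candidates = SECRET_KEY_RE.findall(nearby)
                if candidates:
                    secret = candidates[0]
                    break
            findings.append({
                "line": idx + 1,
                "access_key_id": key_id,
                "secret_candidate": secret,
                "is_documented_example": key_id in DOCUMENTED_EXAMPLE_IDS,
            })
    return findings


def triage(findings):
    """Map each finding to the action a responder should take."""
    actions = []
    for finding in findings:
        if finding["is_documented_example"]:
            actions.append("ignore: AWS documentation placeholder")
        elif finding["secret_candidate"]:
            actions.append("rotate immediately: full key pair exposed")
        else:
            actions.append("rotate and review CloudTrail: key ID exposed")
    return actions


if __name__ == "__main__":
    results = scan_for_leaked_aws_keys(SAMPLE_COMMIT)
    for finding, action in zip(results, triage(results)):
        print(finding["line"], finding["access_key_id"], action)
```

Run it as a pre-commit hook or over `git log -p` output. A key ID alone is worth rotating, because once an attacker has the ID it takes only a stealer log or a second leak to complete the pair, and CloudTrail should be checked for any use of it in the meantime.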

The group also harvests cloud service authentication tokens with credential stealers such as Stealc, whose logs are traded on underground forums, and bypasses MFA through SIM swapping, which lets it intercept SMS-based one-time codes. Together these grant access to cloud resources and SaaS applications without the victim ever seeing a phishing page.

The group abuses legitimate cloud tooling to create unauthorized virtual machines, steal data, and move laterally without detection. EclecticIQ analysts identified Telecom Enemies, a developer-as-a-service (DaaS) group, as a supplier of tools and services used by SCATTERED SPIDER, including phishing kits and malware.

Admin panel of the All-in-One Phishing Kit.

SCATTERED SPIDER uses open-source tooling such as AzureAD, ADExplorer, ADRecon, and PingCastle to enumerate corporate Active Directory, and searches M365 for password management tools, network architecture documents, VDI/VPN configurations, PAM solutions, and personnel information.

It also looks for third-party data and any information that can be used for extortion. By abusing Cross-Tenant Synchronization (CTS) in Microsoft Entra ID, the group establishes persistent, hard-to-detect access within compromised cloud environments.

Cross-Tenant Synchronization attack in Azure.

Attackers can abuse cross-tenant access settings and federated identity providers to gain persistent access to cloud environments. After compromising a privileged account, they configure synchronization between the victim tenant and an attacker-controlled tenant and provision malicious accounts through it, which lets them move laterally across multiple tenants and carry out further malicious activity.

Federated identity providers are equally open to abuse: an attacker can add a malicious federated domain, forge authentication tokens for it, and retain access even after the originally compromised accounts are disabled.

The group maintains control over compromised environments with remote monitoring and management (RMM) tools and protocol tunneling, routes its traffic through residential proxies, and disables security tools to evade detection.

Linux version of the BlackCat Ransomware downloading itself from BlackBaze.

By abusing the victim's own security tools and creating virtual machines, the group establishes a persistent foothold from which it runs its operations; it also manipulates mail transport rules and reboots systems into safe mode to further hinder security controls.
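Every persistence step described above (adding a cross-tenant partner, enabling identity sync, changing a domain's federation settings, creating mail transport rules) leaves an audit event, so detection comes down to watching for those operations and noticing when one account performs several of them in quick succession. The detector below is an added example, not code from the article or from EclecticIQ. The operation names are the Entra ID audit `activityDisplayName` and unified-audit-log `Operation` values I expect for these actions and should be confirmed against your own tenant's logs; the events, tenant IDs, and accounts are constructed.

```python
"""Flag Entra ID / M365 audit events matching the cloud-identity persistence
techniques discussed above: cross-tenant sync, federated domains, mail rules.

Added example, not from the article or EclecticIQ. Operation names are the
values I expect in Entra ID audit logs (activityDisplayName) and the unified
audit log (Operation); verify against your tenant. All sample data below is
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# operation -> (severity, reason)
PERSISTENCE_OPS = {
    "Add a partner to cross-tenant access setting": ("high", "new cross-tenant access partner"),
    "Update a partner cross-tenant access setting": ("high", "cross-tenant access partner modified"),
    "Add a partner cross-tenant identity sync setting": ("high", "inbound identity sync enabled for partner"),
    "Set federation settings on domain": ("critical", "federation settings changed; forged tokens possible"),
    "Set domain authentication": ("critical", "domain authentication type changed"),
    "New-TransportRule": ("medium", "new mail transport rule"),
    "Set-TransportRule": ("medium", "mail transport rule modified"),
}
# Cross-tenant operations whose target is a partner tenant ID.
CTS_OPS = {op for op in PERSISTENCE_OPS if "partner" in op}

# Partner tenants the organisation deliberately collaborates with (constructed).
KNOWN_PARTNER_TENANTS = {"3c6a9b1e-2d4f-4a8b-9e7c-1f2a3b4c5d6e"}

# Constructed audit events: an attacker-controlled tenant is added and synced,
# the domain is federated, a mail rule appears, plus routine noise and an
# approved partner being added later.
SAMPLE_EVENTS = [
    {"time": "2024-05-14T02:11:05Z", "source": "EntraAudit", "actor": "it-admin@victim.example",
     "operation": "Add a partner to cross-tenant access setting", "target": "0f8d7c31-4f7a-4b2e-9c1e-7d4a2b6e9f10"},
    {"time": "2024-05-14T02:14:40Z", "source": "EntraAudit", "actor": "it-admin@victim.example",
     "operation": "Add a partner cross-tenant identity sync setting", "target": "0f8d7c31-4f7a-4b2e-9c1e-7d4a2b6e9f10"},
    {"time": "2024-05-14T02:40:12Z", "source": "EntraAudit", "actor": "it-admin@victim.example",
     "operation": "Set federation settings on domain", "target": "victim.example"},
    {"time": "2024-05-14T09:05:33Z", "source": "ExchangeAudit", "actor": "helpdesk@victim.example",
     "operation": "New-TransportRule", "target": "Quarantine security notifications"},
    {"time": "2024-05-14T09:30:00Z", "source": "EntraAudit", "actor": "hr@victim.example",
     "operation": "Update user", "target": "new.hire@victim.example"},
    {"time": "2024-05-14T11:00:00Z", "source": "EntraAudit", "actor": "it-admin@victim.example",
     "operation": "Add a partner to cross-tenant access setting", "target": "3c6a9b1e-2d4f-4a8b-9e7c-1f2a3b4c5d6e"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, known_partners=frozenset()):
    """One alert per event whose operation is in PERSISTENCE_OPS, skipping
    cross-tenant changes that point at an approved partner tenant."""
    alerts = []
    for ev in events:
        rule = PERSISTENCE_OPS.get(ev["operation"])
        if rule is None:
            continue
        if ev["operation"] in CTS_OPS and ev["target"] in known_partners:
            continue
        severity, reason = rule
        alerts.append({"time": parse_time(ev["time"]), "source": ev["source"], "actor": ev["actor"],
                       "operation": ev["operation"], "target": ev["target"],
                       "severity": severity, "reason": reason})
    return alerts


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts by actor: two or more persistence changes by one account
    inside `window` is the attack pattern, not routine administration."""
    by_actor = defaultdict(list)
    for alert in alerts:
        by_actor[alert["actor"]].append(alert)
    clusters = []
    for actor, items in by_actor.items():
        items.sort(key=lambda a: a["time"])
        group = [items[0]]
        for alert in items[1:]:
            if alert["time"] - group[0]["time"] <= window:
                group.append(alert)
            else:
                if len(group) >= 2:
                    clusters.append({"actor": actor, "alerts": group})
                group = [alert]
        if len(group) >= 2:
            clusters.append({"actor": actor, "alerts": group})
    return clusters


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, known_partners=KNOWN_PARTNER_TENANTS)
    for cluster in correlate(found):
        ops = [a["operation"] for a in cluster["alerts"]]
        print(cluster["actor"], "->", ops)
```

The allowlist matters: adding a partner tenant is a legitimate operation, so alerting on the bare event buries the analyst. What should never be routine is an unknown tenant ID, or one account adding a partner, turning on inbound sync, and changing federation within the same hour, which is exactly the sequence the clustering step surfaces.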

To gain unauthorized access to Active Directory and cloud identity systems, SCATTERED SPIDER extracts credentials with tools such as GoSecretsDump, abuses weak MFA methods, and steals session cookies so it can keep access without re-authenticating.

To defend against these attacks, organizations should require phishing-resistant MFA for privileged and identity-administrator accounts, rotate any cloud tokens found in public repositories, monitor Entra ID and M365 audit logs for changes to cross-tenant access settings, federated domains, and mail transport rules, and alert on newly installed RMM tools, unexpected virtual machines, and disabled security agents.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and reporter with Cyber Press, covering cyber security incidents across cyberspace.
