Scattered Spider: A sophisticated threat actor that can reverse defense mitigation

Scattered Spider, a financially motivated threat actor, is known for gaining initial access through social engineering: phoning employees while impersonating IT staff, sending Telegram and SMS messages that redirect to credential-phishing sites, and bombarding users with MFA push prompts (MFA fatigue). The actor will also engage victims directly to obtain their one-time passwords (OTPs). Once inside, the group avoids custom malware and instead relies on a range of legitimate remote management tools to maintain persistent access.

Over time, Scattered Spider has shown persistence in maintaining access, reversing mitigations, evading detection, and pivoting to other valid targets when thwarted. In December 2022, the group was linked to a campaign against telecommunications providers and business process outsourcing (BPO) firms. In one intrusion the actors exploited CVE-2021-35464, a pre-authentication remote code execution flaw in the ForgeRock Access Management (AM) server, to run code as the Apache Tomcat user on an AWS instance. They then elevated their privileges beyond that user by requesting the credentials of the IAM role attached to the instance and using that token to act with the role's permissions.
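The instance-role abuse described above leaves a recognisable trace: the role's temporary credentials are issued to a session named after the instance ID, so any API call made with them from an address that is not the instance's own is a strong signal of credential theft. The following detection is an added example, not code from the original write-up or from any vendor report. The CloudTrail records, the instance inventory, the role name, account ID, instance ID and IP addresses are all constructed for illustration; only the field names follow the real CloudTrail record format.

```python
"""Detect EC2 instance-role credentials being used from outside the instance.

Added example, not code from the original write-up or from any vendor report.
The CloudTrail records and the instance inventory below are constructed; the
role name, account ID, instance ID and IP addresses are invented. Field names
follow the CloudTrail record format."""
import json

# Constructed inventory (assumption): instance ID -> IPs that instance uses.
INSTANCE_IPS = {
    "i-0abc123def456": {"10.0.1.25", "203.0.113.10"},
}

# Constructed CloudTrail records, one JSON object per line. The first is the
# instance itself calling AWS; the next two reuse the same role session from an
# unrelated address, which is what a stolen instance-role token looks like.
SAMPLE_EVENTS = """
{"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456"}}
{"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456"}}
{"eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc123def456"}}
{"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.5", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
"""


def instance_session(event):
    """Return (role_name, instance_id) when the caller is an EC2 instance-role
    session, else None. EC2 names the role session after the instance ID, so
    the session ARN ends in assumed-role/<Role>/i-<id>."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = ident.get("arn", "").rsplit("/", 2)
    if len(parts) != 3 or not parts[0].endswith(":assumed-role"):
        return None
    role, session = parts[1], parts[2]
    if not session.startswith("i-"):
        return None
    return role, session


def find_exfiltrated_sessions(log_text, instance_ips=INSTANCE_IPS):
    """Return one finding per call made with instance-role credentials from an
    IP that is not known to belong to that instance."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        session = instance_session(event)
        if session is None:
            continue
        role, instance_id = session
        source = event.get("sourceIPAddress", "")
        # An instance with no inventory entry flags every call: better a noisy
        # alert than a silent miss while the inventory is incomplete.
        if source not in instance_ips.get(instance_id, set()):
            findings.append({
                "instance": instance_id,
                "role": role,
                "source_ip": source,
                "event": event.get("eventName"),
            })
    return findings


if __name__ == "__main__":
    for f in find_exfiltrated_sessions(SAMPLE_EVENTS):
        print(f"{f['instance']} role {f['role']} used from {f['source_ip']}: {f['event']}")
```

Before running this against real trails, extend the inventory with the NAT gateway or egress addresses the instance actually uses, and allow-list calls whose sourceIPAddress is an AWS service name (an AWS service acting on the instance's behalf), otherwise both produce false positives. The same condition is what GuardDuty raises as an InstanceCredentialExfiltration finding; the script is useful when that service is not enabled or when hunting through archived logs.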

In January 2023, Scattered Spider was also observed attempting a Bring Your Own Vulnerable Driver (BYOVD) attack that exploited CVE-2015-2291, a high-severity vulnerability in the Intel Ethernet diagnostics driver. Because the vulnerable driver carries a valid signature, the operating system loads it without complaint; the actors then used it to obtain kernel-level access and disable endpoint detection and response (EDR) products, which reduced defenders' visibility and prevention capabilities and set the targeted networks up for further attacks. The security software's drivers were patched in memory so that they appeared to be running normally while no longer protecting the host.
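Since the driver is legitimately signed, a "signed: true" field in a driver-load event clears nothing; the useful checks are the driver's name and hash against a vulnerable-driver list and the path it was loaded from. The detection below is an added example, not code from the original write-up or from any vendor report. The log lines are constructed in a Sysmon Event ID 6 (driver loaded) style; iqvw64.sys is the Intel Ethernet diagnostics driver affected by CVE-2015-2291, but the SHA256 values are placeholders, and a real deployment should populate the block list from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
"""Flag driver-load events that match a known-vulnerable driver or that load
a signed driver from a user-writable path (typical BYOVD staging).

Added example, not from the original write-up. The events are constructed in
a Sysmon Event ID 6 style. iqvw64.sys is the driver affected by CVE-2015-2291;
the SHA256 values below are placeholders, not real hashes."""
import re

# Assumption: block list keyed by lowercase filename, values are SHA256 hashes
# of known-vulnerable builds. Placeholder hash; populate from a real blocklist.
VULNERABLE_DRIVERS = {
    "iqvw64.sys": {"0" * 64},
}

# Directories a kernel driver should never be loaded from (lowercase, as
# substrings of the lowercased path).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")

# Constructed events: a normal Microsoft driver, the vulnerable Intel driver
# dropped into Temp, and an unknown signed driver loaded from a user directory.
SAMPLE_EVENTS = (
    "EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys"
    " | Hashes: SHA256=" + "1" * 64 + " | Signed: true | Signature: Microsoft Windows\n"
    "EventID: 6 | ImageLoaded: C:\\Windows\\Temp\\iqvw64.sys"
    " | Hashes: SHA256=" + "0" * 64 + " | Signed: true | Signature: Intel(R) Corporation\n"
    "EventID: 6 | ImageLoaded: C:\\Users\\Public\\helper.sys"
    " | Hashes: SHA256=" + "2" * 64 + " | Signed: true | Signature: Some Vendor\n"
    "EventID: 7 | ImageLoaded: C:\\Windows\\System32\\kernel32.dll"
    " | Hashes: SHA256=" + "3" * 64 + " | Signed: true | Signature: Microsoft Windows\n"
)


def parse_event(line):
    """Split 'Key: value | Key: value' into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(fields):
    """Pull the SHA256 digest out of the Hashes field, lowercased, or None."""
    match = re.search(r"SHA256=([0-9A-Fa-f]{64})", fields.get("Hashes", ""))
    return match.group(1).lower() if match else None


def classify_driver_load(fields):
    """Return the list of reasons a driver load is suspicious (empty = clean).
    Signature status is deliberately ignored: BYOVD drivers are validly signed."""
    reasons = []
    path = fields.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVERS:
        reasons.append("known-vulnerable driver name")
        if sha256_of(fields) in VULNERABLE_DRIVERS[name]:
            reasons.append("hash matches vulnerable build")
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    return reasons


def find_byovd_loads(log_text):
    """Return (path, reasons) for every Event ID 6 record that is suspicious."""
    findings = []
    for line in log_text.strip().splitlines():
        fields = parse_event(line)
        if fields.get("EventID") != "6":
            continue
        reasons = classify_driver_load(fields)
        if reasons:
            findings.append((fields["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_byovd_loads(SAMPLE_EVENTS):
        print(f"{path}: {', '.join(reasons)}")
```

A name match without a hash match (a renamed or newer build) still deserves a look, which is why the two checks are reported separately. Pair this with an alert on the EDR sensor going silent: the point of the attack is that the agent keeps reporting as healthy, so the driver-load event is often the last honest signal the host emits.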

Scattered Spider's activity has increased since June 2022. The group has targeted telecom and BPO companies in the United States, the United Kingdom, Germany, France, Italy, Canada, Australia, and Japan, among other countries.
