C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
| ID | Name | Description |
|---|---|---|
| G1015 | Scattered Spider | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[1] |
| Enterprise | T1530 | Data from Cloud Storage | During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[1] |
| Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[1] |
| Enterprise | T1090 | Proxy | During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[1] |
| Enterprise | T1656 | Impersonation | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.[1] |
| Enterprise | T1598.001 | Phishing for Information: Spearphishing Service | During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[1] |
| Enterprise | T1598.004 | Phishing for Information: Spearphishing Voice | During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[1] |
| Enterprise | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[1] |
| Enterprise | T1572 | Protocol Tunneling | During C0027, Scattered Spider used SSH tunneling in targeted environments.[1] |
| Enterprise | T1133 | External Remote Services | During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[1] |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge.[1] |
| Enterprise | T1003.006 | OS Credential Dumping: DCSync | During C0027, Scattered Spider performed domain replication.[1] |
| Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[1] |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[1] |
| Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[1] |
| Enterprise | T1102 | Web Service | During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[1] |
| Enterprise | T1046 | Network Service Discovery | During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During C0027, Scattered Spider obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.[1] |
| Enterprise | T1087.003 | Account Discovery: Email Account | During C0027, Scattered Spider accessed Azure AD to identify email addresses.[1] |
| Enterprise | T1087.004 | Account Discovery: Cloud Account | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with their email addresses and AD attributes.[1] |
| Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and to enable pivoting from the AWS CLI to console sessions without MFA.[1] |
| Enterprise | T1098.003 | Account Manipulation: Additional Cloud Roles | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[1] |
| Enterprise | T1098.005 | Account Manipulation: Device Registration | During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0027, Scattered Spider downloaded tools using victim organization systems.[1] |
| Enterprise | T1021.007 | Remote Services: Cloud Services | During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[1] |
| Enterprise | T1219 | Remote Access Software | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[1] |
| Enterprise | T1566.004 | Phishing: Spearphishing Voice | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[1] |
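The T1621 row above describes MFA push fatigue: the adversary already holds a valid password and keeps triggering push challenges until the user approves one. The detection that catches this is not a single failed login but a burst of denied or timed-out pushes for one account immediately followed by an approval. The following detector is an added example written for this page, not code from the cited report or from any vendor; the log format (`timestamp user result`), the field values and the sample lines are constructed here for illustration, and the 10-minute window and threshold of three unapproved pushes are assumptions to tune against a real identity provider's sign-in logs.

```python
"""Detect MFA push-fatigue patterns (ATT&CK T1621) in sign-in logs.

Added example for this page. Log format and sample lines are constructed;
real IdP logs (Okta, Entra ID, Duo) carry the same three facts under
different field names: when, which user, and whether the push was approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account hammered with pushes and finally approved
# (alice), one normal approval (bob), one isolated denial (carol).
SAMPLE_LOG = """\
2022-09-14T02:11:03Z alice@corp.example push_denied
2022-09-14T02:11:41Z alice@corp.example push_denied
2022-09-14T02:12:20Z alice@corp.example push_timeout
2022-09-14T02:13:02Z alice@corp.example push_denied
2022-09-14T02:13:55Z alice@corp.example push_denied
2022-09-14T02:14:30Z alice@corp.example push_approved
2022-09-14T09:05:10Z bob@corp.example push_approved
2022-09-14T09:40:00Z carol@corp.example push_denied
2022-09-14T10:15:00Z carol@corp.example push_approved
"""

UNAPPROVED = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split 'timestamp user result' into (datetime, user, result)."""
    ts_s, user, result = line.split()
    return datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), user, result


def find_push_fatigue(log_text, window=timedelta(minutes=10), min_unapproved=3):
    """Return one alert per approval that was preceded, since the user's
    previous approval, by at least `min_unapproved` denied/timed-out pushes
    inside `window`. Each alert is (user, unapproved_count, approval_time).
    """
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            per_user[user].append((ts, result))

    alerts = []
    for user, events in per_user.items():
        events.sort()
        pending = []  # unapproved pushes since the last approval
        for ts, result in events:
            if result in UNAPPROVED:
                pending.append(ts)
                continue
            if result == "push_approved":
                recent = [t for t in pending if ts - t <= window]
                if len(recent) >= min_unapproved:
                    alerts.append((user, len(recent), ts))
                pending = []  # an approval closes the sequence
    return alerts


if __name__ == "__main__":
    for user, count, when in find_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: {count} unapproved pushes before approval at {when:%H:%M:%S}")
```

Resetting `pending` on each approval keeps a week of scattered denials from accumulating into a false positive; the window bounds the burst in time so that a user who declined a prompt at lunch and approved one hours later is not flagged. The approval that follows a burst is the event worth paging on, since that is the moment the adversary obtained a session.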
| ID | Name | Description |
|---|---|---|
| S0357 | Impacket | During C0027, Scattered Spider used Impacket for lateral movement.[1] |
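The T1003.006 row in the techniques table above records only that Scattered Spider "performed domain replication". On the defender's side a DCSync shows up as Windows Security event 4662 on the domain controller, where a non-DC principal requests the directory-replication control-access rights on the domain object; DS-Replication-Get-Changes-All is the right that allows secret attributes such as password hashes to be replicated, so it is the one that should never appear for an ordinary user. The detector below is an added example for this page, not the cited report's or any product's code; the event records are constructed to resemble 4662 fields (`SubjectUserName`, `ObjectServer`, `Properties`) rather than copied from a real log, and the domain-controller allowlist is an assumption that a real deployment would populate from its own DC and directory-sync service accounts.

```python
"""Flag DCSync-style replication requests (ATT&CK T1003.006) in constructed
Windows Security event 4662 records.

Added example for this page. Field names follow event 4662; the sample
records below are constructed, not taken from the C0027 investigation.
"""
import re

# Control-access rights a replication client requests. Get-Changes-All is the
# one needed to pull secret attributes (password hashes) from the directory.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)

# Constructed sample: one DC replicating from a peer (expected), one user
# account requesting replication rights (DCSync), one unrelated 4662, one 4624.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2022-10-03T04:12:09Z", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2022-10-03T04:13:41Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ObjectServer": "DS", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2022-10-03T04:15:00Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ObjectServer": "DS", "AccessMask": "0x20",
     "Properties": "Write Property {bf9679c0-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2022-10-03T04:15:30Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP"},
]


def replication_rights_in(properties):
    """Return the names of replication rights listed in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties or "")
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, allowed_accounts):
    """Return alerts for 4662 directory-service events where a principal
    outside `allowed_accounts` (DC computer accounts, directory-sync service
    accounts) requested replication control-access rights.
    """
    allowed = {a.upper() for a in allowed_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("ObjectServer") != "DS":
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue
        rights = replication_rights_in(ev.get("Properties"))
        if rights:
            alerts.append({"time": ev["TimeCreated"],
                           "user": f"{ev.get('SubjectDomainName', '')}\\{subject}",
                           "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"ALERT {a['time']} {a['user']} requested {', '.join(a['rights'])}")
```

Auditing for 4662 must be enabled (Directory Service Access auditing with a SACL on the domain object) or the event is never written; that is the first thing to verify before trusting this rule. The allowlist is the main source of tuning: domain controllers and any identity-sync account that legitimately replicates secrets belong on it, and a DCSync performed from a compromised DC computer account is a gap this rule does not cover.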