Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and, more recently, deployed ransomware for financial gain.[3][4][1][2][5]
| ID | Name | First Seen | Last Seen | References | Techniques |
|---|---|---|---|---|---|
| C0027 | C0027 | June 2022 [5] | December 2022 [5] | [5] | Windows Management Instrumentation, Data from Cloud Storage, Data from Information Repositories: Sharepoint, Proxy, Impersonation, Phishing for Information: Spearphishing Voice, Phishing for Information: Spearphishing Service, Modify Cloud Compute Infrastructure: Create Cloud Instance, Exploit Public-Facing Application, Protocol Tunneling, External Remote Services, Multi-Factor Authentication Request Generation, OS Credential Dumping: DCSync, Gather Victim Identity Information: Credentials, Valid Accounts: Cloud Accounts, Permission Groups Discovery: Cloud Groups, Web Service, Network Service Discovery, Obtain Capabilities: Tool, Account Discovery: Cloud Account, Account Discovery: Email Account, Account Manipulation: Additional Cloud Roles, Account Manipulation: Device Registration, Account Manipulation: Additional Cloud Credentials, Ingress Tool Transfer, Remote Services: Cloud Services, Remote Access Software, Phishing: Spearphishing Voice |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[5] |
| Enterprise | T1580 | Cloud Infrastructure Discovery | Scattered Spider enumerates cloud environments to identify server and backup management infrastructure, resource access, databases and storage containers.[2] |
| Enterprise | T1538 | Cloud Service Dashboard | Scattered Spider abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement.[3] |
| Enterprise | T1530 | Data from Cloud Storage | Scattered Spider enumerates data stored in cloud resources for collection and exfiltration purposes.[3] During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5] |
| Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[5] |
| Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories.[3][2] |
| Enterprise | T1213.005 | Data from Information Repositories: Messaging Applications | Scattered Spider threat actors search the victim's Slack and Microsoft Teams for conversations about the intrusion and incident response.[3] |
| Enterprise | T1090 | Proxy | During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[5] |
| Enterprise | T1656 | Impersonation | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.[5] Scattered Spider has also used social engineering to compel IT help desk personnel to reset passwords and MFA tokens.[3][2] |
| Enterprise | T1598 | Phishing for Information | Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.[4] |
| Enterprise | T1598.001 | Phishing for Information: Spearphishing Service | During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[5] |
| Enterprise | T1598.004 | Phishing for Information: Spearphishing Voice | During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[5] Scattered Spider has also called employees at target organizations and compelled them to navigate to fake login portals built with adversary-in-the-middle toolkits.[2] |
| Enterprise | T1578.002 | Modify Cloud Compute Infrastructure: Create Cloud Instance | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[5] Scattered Spider has also created Amazon EC2 instances within the victim's environment.[3] |
| Enterprise | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | After compromising user accounts, Scattered Spider registers their own MFA tokens.[3] |
| Enterprise | T1556.009 | Modify Authentication Process: Conditional Access Policies | Scattered Spider has added additional trusted locations to Azure AD conditional access policies.[2] |
| Enterprise | T1136 | Create Account | Scattered Spider creates new user identities within the compromised organization.[3] |
| Enterprise | T1190 | Exploit Public-Facing Application | During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[5] |
| Enterprise | T1572 | Protocol Tunneling | During C0027, Scattered Spider used SSH tunneling in targeted environments.[5] |
| Enterprise | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | Scattered Spider adds a federated identity provider to the victim's SSO tenant and activates automatic account linking.[3] |
| Enterprise | T1133 | External Remote Services | Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[4] During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[5] |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | Scattered Spider has used multi-factor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[4] During C0027, Scattered Spider attempted to gain access by continuously sending MFA push requests to the victim until they accepted the MFA push challenge.[5] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | Scattered Spider has extracted the |
| Enterprise | T1003.006 | OS Credential Dumping: DCSync | During C0027, Scattered Spider performed domain replication.[5] |
| Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[5] |
| Enterprise | T1074 | Data Staged | Scattered Spider stages data in a centralized database prior to exfiltration.[3] |
| Enterprise | T1486 | Data Encrypted for Impact | Scattered Spider has used BlackCat ransomware to encrypt files on VMware ESXi servers.[3][2] |
| Enterprise | T1083 | File and Directory Discovery | Scattered Spider enumerates a target organization for files and directories of interest, including source code.[3][2] |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[5] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Scattered Spider searches for credential storage documentation on a compromised host.[3] |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host.[3] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[4] |
| Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[5] |
| Enterprise | T1217 | Browser Information Discovery | Scattered Spider retrieves browser histories via infostealer malware such as Raccoon Stealer.[3] |
| Enterprise | T1204 | User Execution | Scattered Spider has impersonated organization IT and help desk staff to instruct victims to execute commercial remote access tools to gain initial access.[3] |
| Enterprise | T1114 | Email Collection | Scattered Spider threat actors search the victim's Microsoft Exchange for emails about the intrusion and incident response.[3] |
| Enterprise | T1006 | Direct Volume Access | Scattered Spider has created volume shadow copies of virtual domain controller disks to extract the |
| Enterprise | T1539 | Steal Web Session Cookie | Scattered Spider retrieves browser cookies via Raccoon Stealer.[3] |
| Enterprise | T1102 | Web Service | During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[5] |
| Enterprise | T1046 | Network Service Discovery | During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[5] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During C0027, Scattered Spider obtained and used multiple tools including the LinPEAS privilege escalation utility, aws_consoler, the rsocx reverse proxy, the Level RMM tool, and the RustScan port scanner.[5] |
| Enterprise | T1657 | Financial Theft | Scattered Spider has deployed ransomware on compromised hosts for financial gain.[3][7] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Scattered Spider leverages legitimate domain accounts to gain access to the target environment.[3][2] |
| Enterprise | T1087.003 | Account Discovery: Email Account | During C0027, Scattered Spider accessed Azure AD to identify email addresses.[5] |
| Enterprise | T1087.004 | Account Discovery: Cloud Account | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with their email addresses and AD attributes.[5] |
| Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential was compromised and to enable pivoting from the AWS CLI to console sessions without MFA.[5] |
| Enterprise | T1098.003 | Account Manipulation: Additional Cloud Roles | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[5] Scattered Spider has also assigned user access administrator roles in order to gain Tenant Root Group management permissions in Azure.[2] |
| Enterprise | T1098.005 | Account Manipulation: Device Registration | During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[5] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0027, Scattered Spider downloaded tools using victim organization systems.[5] |
| Enterprise | T1021.007 | Remote Services: Cloud Services | During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[5] Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.[3] |
| Enterprise | T1018 | Remote System Discovery | Scattered Spider can enumerate remote systems, such as VMware vCenter infrastructure.[3] |
| Enterprise | T1219 | Remote Access Software | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[5] In addition to directing victims to run remote software, Scattered Spider members themselves also deploy RMM software including AnyDesk, LogMeIn, and ConnectWise Control to establish persistence on the compromised network.[3][7] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Scattered Spider has exfiltrated victim data to the MEGA file sharing site.[3][2] |
| Enterprise | T1566.004 | Phishing: Spearphishing Voice | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[5] |
| Enterprise | T1564.008 | Hide Artifacts: Email Hiding Rules | Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.[2] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[4] |
| Mobile | T1660 | Phishing | Scattered Spider has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.[2] |
| Mobile | T1451 | SIM Card Swap | Scattered Spider has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.[8] |
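The T1621 row above describes MFA push bombing: the operator keeps generating push challenges until the target approves one. The script below is an added detection example written for this page, not tooling from the ATT&CK page or any of its cited reports. It runs a sliding window over sign-in records and raises one finding when a user accumulates a burst of unapproved pushes and a second, more serious finding when an approval follows such a burst. The record layout (`user`, `time`, `outcome`, `ip`) and the outcome values `MFA_DENIED`, `MFA_TIMEOUT` and `MFA_APPROVED` are assumptions for the example, not any vendor's schema, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Outcomes that mean a push challenge was issued but not approved by the user.
# These values, like the record field names, are assumptions for this example.
PUSH_FAILURES = {"MFA_DENIED", "MFA_TIMEOUT"}

# Constructed sample sign-in records (not real telemetry): jdoe is bombarded and
# finally approves; asmith and bliu show ordinary activity.
SAMPLE_SIGNINS = [
    {"user": "jdoe", "time": "2022-11-01T02:14:05", "outcome": "MFA_DENIED", "ip": "203.0.113.7"},
    {"user": "jdoe", "time": "2022-11-01T02:15:10", "outcome": "MFA_TIMEOUT", "ip": "203.0.113.7"},
    {"user": "jdoe", "time": "2022-11-01T02:16:02", "outcome": "MFA_DENIED", "ip": "203.0.113.7"},
    {"user": "jdoe", "time": "2022-11-01T02:17:33", "outcome": "MFA_TIMEOUT", "ip": "203.0.113.7"},
    {"user": "jdoe", "time": "2022-11-01T02:18:20", "outcome": "MFA_DENIED", "ip": "203.0.113.7"},
    {"user": "jdoe", "time": "2022-11-01T02:19:47", "outcome": "MFA_TIMEOUT", "ip": "203.0.113.7"},
    {"user": "jdoe", "time": "2022-11-01T02:20:41", "outcome": "MFA_APPROVED", "ip": "203.0.113.7"},
    {"user": "asmith", "time": "2022-11-01T08:01:12", "outcome": "MFA_APPROVED", "ip": "198.51.100.4"},
    {"user": "asmith", "time": "2022-11-01T13:44:09", "outcome": "MFA_DENIED", "ip": "198.51.100.4"},
    {"user": "bliu", "time": "2022-11-01T09:30:00", "outcome": "MFA_TIMEOUT", "ip": "192.0.2.33"},
    {"user": "bliu", "time": "2022-11-01T09:31:00", "outcome": "MFA_TIMEOUT", "ip": "192.0.2.33"},
    {"user": "bliu", "time": "2022-11-01T09:35:00", "outcome": "MFA_APPROVED", "ip": "192.0.2.33"},
]


def find_mfa_fatigue(events, threshold=5, window=timedelta(minutes=15)):
    """Flag users with >= threshold unapproved pushes inside `window`
    ("fatigue_in_progress") and any approval that follows such a burst
    ("approved_after_fatigue"). Returns a list of finding dicts."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        recent = deque()             # timestamps of unapproved pushes still inside the window
        in_progress_alerted = False  # emit at most one "in progress" finding per burst
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            while recent and t - recent[0] > window:
                recent.popleft()     # drop pushes that have aged out of the window
            if e["outcome"] in PUSH_FAILURES:
                recent.append(t)
                if len(recent) >= threshold and not in_progress_alerted:
                    findings.append({"user": user, "kind": "fatigue_in_progress",
                                     "pushes": len(recent), "ip": e["ip"], "at": e["time"]})
                    in_progress_alerted = True
            elif e["outcome"] == "MFA_APPROVED":
                if len(recent) >= threshold:
                    # The case that matters: the target gave in after a burst of pushes.
                    findings.append({"user": user, "kind": "approved_after_fatigue",
                                     "pushes": len(recent), "ip": e["ip"], "at": e["time"]})
                recent.clear()       # an approval ends the burst either way
                in_progress_alerted = False
    return findings


if __name__ == "__main__":
    for finding in find_mfa_fatigue(SAMPLE_SIGNINS):
        print(finding)
```

The threshold and window are the knobs to tune against your own baseline of accidental denies and timeouts; the "approved_after_fatigue" finding is the one worth paging on, since it means the attacker now holds a session and the response should start with revoking it, not just resetting the password.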
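The T1098.001 row above notes that aws_consoler was used to mint federated credentials so the operator could move from the AWS CLI into console sessions without MFA. That pivot leaves a recognisable pair of CloudTrail events: an IAM user calling `sts:GetFederationToken`, then a `ConsoleLogin` whose `userIdentity.type` is `FederatedUser` carrying the federated-user ARN that the first call returned. The correlation below is an added example for this page, not code from the ATT&CK page or from aws_consoler. The record shapes follow the CloudTrail record format only as far as the example needs them; the account ID, user names, IPs and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real logs). Only the fields the
# correlation reads are populated; the account ID 123456789012, the user names
# and the IP addresses are made up for this example.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2022-11-02T03:12:44Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.7.0",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "requestParameters": {"name": "jsmith-console", "durationSeconds": 43200},
     "responseElements": {"federatedUser": {
         "arn": "arn:aws:sts::123456789012:federated-user/jsmith-console"}}},
    {"eventTime": "2022-11-02T03:13:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/jsmith-console",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "ci-deployer"}}},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2022-11-02T09:00:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2022-11-02T10:20:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "192.0.2.10",
     "userAgent": "aws-sdk-java/1.12.0",
     "userIdentity": {"type": "IAMUser", "userName": "identity-broker"},
     "requestParameters": {"name": "portal-session-8812"},
     "responseElements": {"federatedUser": {
         "arn": "arn:aws:sts::123456789012:federated-user/portal-session-8812"}}},
]


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_console_pivots(records, window=timedelta(hours=1)):
    """Pair each GetFederationToken call with a later FederatedUser ConsoleLogin
    for the same federated-user ARN. Returns {"pivots": [...], "unmatched_tokens": [...]}."""
    pending = {}   # federated-user ARN -> GetFederationToken record awaiting a console login
    pivots = []
    for rec in sorted(records, key=_when):
        if rec["eventName"] == "GetFederationToken":
            arn = rec.get("responseElements", {}).get("federatedUser", {}).get("arn")
            if arn:
                pending[arn] = rec
        elif rec["eventName"] == "ConsoleLogin" and rec["userIdentity"].get("type") == "FederatedUser":
            arn = rec["userIdentity"].get("arn")
            token = pending.get(arn)
            if token and _when(rec) - _when(token) <= window:
                del pending[arn]
                pivots.append({
                    "caller": token["userIdentity"].get("userName"),
                    "federated_user": token.get("requestParameters", {}).get("name"),
                    "token_time": token["eventTime"],
                    "login_time": rec["eventTime"],
                    "token_ip": token["sourceIPAddress"],
                    "login_ip": rec["sourceIPAddress"],
                    "user_agent": token.get("userAgent"),
                    # Federation sign-ins are exactly the MFA bypass the row describes.
                    "mfa_used": rec.get("additionalEventData", {}).get("MFAUsed"),
                })
    # Tokens minted but never used for a console login are still worth a look:
    # they show which IAM users are allowed to call GetFederationToken at all.
    unmatched = [{"caller": t["userIdentity"].get("userName"),
                  "federated_user": t.get("requestParameters", {}).get("name"),
                  "token_time": t["eventTime"]} for t in pending.values()]
    return {"pivots": pivots, "unmatched_tokens": unmatched}


if __name__ == "__main__":
    print(find_console_pivots(SAMPLE_CLOUDTRAIL))
```

In most estates only a dedicated identity-broker principal should ever call `GetFederationToken`; an `aws-cli` user agent on that call from a deployment or personal IAM user, followed by a console login with `MFAUsed: No`, is the pattern to alert on, and an IAM policy that denies `sts:GetFederationToken` to every other principal removes the technique outright.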
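The T1564.008 row above describes inbox rules created on security staff's mailboxes to silently delete vendor alert mail. Exchange Online records rule creation in the unified audit log as `New-InboxRule` and `Set-InboxRule` operations whose `Parameters` array mirrors the cmdlet parameters (`DeleteMessage`, `MarkAsRead`, `MoveToFolder`, `FromAddressContainsWords`, `SubjectContainsWords`, and so on). The function below is an added example for this page, not code from the ATT&CK page or its sources: it flags a rule only when it both hides mail (deletes it, marks it read, or files it into a low-visibility folder) and either keys on security-related words or carries a throwaway name. The audit records are constructed, and the folder names and keyword list are assumptions to be tuned for your tenant.

```python
# Parameters that make a rule hide mail, and folders where filed mail is unlikely
# to be noticed. Both lists are assumptions for this example.
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead")
LOW_VISIBILITY_FOLDERS = ("rss", "conversation history", "junk", "deleted", "archive")

# Rule conditions that select which mail is affected, and words that suggest the
# rule targets security tooling or incident traffic (assumed list, tune per tenant).
CONDITION_PARAMS = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                    "SubjectOrBodyContainsWords", "BodyContainsWords")
SENSITIVE_TERMS = ("alert", "security", "incident", "compromise", "malware",
                   "phish", "detect", "siem", "edr", "soc")

# Constructed unified-audit-log style records (not real data).
SAMPLE_AUDIT = [
    {"CreationTime": "2023-01-10T14:02:11", "Operation": "New-InboxRule",
     "UserId": "ir-lead@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords",
                     "Value": "alerts@edr-vendor.example;noreply@siem-vendor.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2023-01-10T14:05:40", "Operation": "Set-InboxRule",
     "UserId": "soc-analyst@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Weekly digest"},
                    {"Name": "SubjectContainsWords", "Value": "incident;security alert"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"CreationTime": "2023-01-11T09:12:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2023-01-11T09:15:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.4", "Parameters": []},
]


def _params(record):
    """Flatten the audit record's Parameters array into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def find_email_hiding_rules(records):
    """Return findings for inbox rules that hide mail AND target security traffic
    or use a throwaway name. Each finding lists the reasons it fired."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(rec)

        actions = [f"action:{a}" for a in HIDING_ACTIONS if p.get(a, "").lower() == "true"]
        folder = p.get("MoveToFolder", "")
        if any(tag in folder.lower() for tag in LOW_VISIBILITY_FOLDERS):
            actions.append(f"action:MoveToFolder={folder}")
        if not actions:
            continue  # the rule does not hide anything; ordinary mail filing

        triggers = [f"condition:{c}" for c in CONDITION_PARAMS
                    if any(term in p.get(c, "").lower() for term in SENSITIVE_TERMS)]
        name = p.get("Name", "")
        if name and (len(name) <= 2 or not any(ch.isalnum() for ch in name)):
            triggers.append(f"name:{name!r}")  # "." or ".." style names are a common tell
        if triggers:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "client_ip": rec.get("ClientIP"), "operation": rec["Operation"],
                             "reasons": actions + triggers})
    return findings


if __name__ == "__main__":
    for finding in find_email_hiding_rules(SAMPLE_AUDIT):
        print(finding)
```

Because the group specifically targets responders' mailboxes, a practical refinement is to weight any hit on a member of the security or IT groups higher and to review the rule's `ClientIP` against the IPs seen in the MFA and console findings from the same window.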