
How does Scattered Spider carry out cloud-based attacks on financial and insurance companies? An overview of cyber threats and ways to protect against ransomware.
EclecticIQ analysts investigated ransomware attacks targeting cloud infrastructures in the financial and insurance sectors. They found that methods such as automated creation of phishing pages were consistent with SCATTERED SPIDER activity.
The SCATTERED SPIDER group uses telephone social engineering, including phishing and smishing, to gain access to IT services and administrators. Attackers often impersonate employees to bypass security systems, manipulate MFA, and direct victims to fake login pages.
This group also buys stolen data and uses SIM swaps and cloud-based tools to maintain access. Their attacks are difficult to detect because they abuse legitimate features of cloud platforms. With a deep understanding of Western business practices and English-speaking members, SCATTERED SPIDER works with BlackCat, increasing the effectiveness of their attacks on Western companies.
EclecticIQ developed an attack cycle for defenders to explain the processes involved in infiltrating and launching ransomware in the cloud, which is an increasingly attractive target for cybercriminals.
From 2023 to Q2 2024, EclecticIQ analysts tracked attacks against identity administrators in cloud environments. They discovered that SCATTERED SPIDER actively uses social engineering to compromise user accounts in cloud systems. The following are the various tactics and tools used in these attacks.
Credential leaks are a common route to unauthorized access to cloud infrastructures. SCATTERED SPIDER takes advantage of accidental leaks of authentication tokens in public repositories such as GitHub, where credentials are often hard-coded. This allows attackers to scan for exposed secrets automatically and use them to gain access to cloud systems.
SCATTERED SPIDER has been found to use phishing to compromise high-privilege accounts such as IT service administrators and cybersecurity professionals. These attacks target cloud platforms, including Microsoft Entra ID and AWS EC2, as well as SaaS platforms such as Okta and VMware Workspace ONE, using phishing pages that mimic SSO portals.
The group also actively uses smishing, sending malicious links via SMS to bypass traditional email filters and attack users on mobile devices. The main targets are financial and insurance companies.
Smishing attacks target identity administrators by tricking them into entering credentials for VMware Workspace ONE, a mission-critical access management platform. Victims receive SMS messages with fake links that lead to phishing sites designed to steal login credentials and intercept one-time passwords (OTPs). This allows attackers to bypass multi-factor authentication (MFA) and gain unauthorized access.
Phishing pages have also been observed prompting for details such as an employee ID number and the manager’s name, which strengthen the social engineering used in the follow-up phishing call.
SCATTERED SPIDER uses .com and .net top-level domains that mimic the legitimate domains of target organizations. Strings like “ServiceNow,” “hr,” “corp,” “dev,” “okta,” “sso,” and “workspace” are common. According to analysts, SCATTERED SPIDER changed its tactics by switching to registrar[.]eu to avoid detection, instead of using the usual ASNs like Porkbun and NAMECHEAP.
Authentication tokens and credentials for cloud platforms (AWS, Azure, GCP) are also sold on underground forums aimed at Russian- and English-speaking audiences.
SCATTERED SPIDER operations use credential stealers such as Stealc, Raccoon Stealer, Vidar Stealer, and RedLine Stealer. These malware variants collect authentication tokens for cloud services, which are then sold on underground forums, including but not limited to RussianMarket and XSS. The purchased tokens give attackers persistent access to cloud resources, bypassing traditional authentication.
The Stealc infostealer targets AWS and Azure configuration files and credentials on Windows systems to gain access to cloud resources. It also looks for cached Azure Active Directory tokens in the %LOCALAPPDATA%\.IdentityService\msal.cache file, allowing attackers to bypass authentication processes.
SIM swapping allows cybercriminals to intercept SMS with MFA codes, gaining access to SaaS platforms such as Okta and ServiceNow. After compromising accounts, SCATTERED SPIDER targets cloud infrastructures such as Microsoft Azure or AWS, creating virtual machines that remain undetected due to lack of monitoring and EDR. This allows attackers to freely navigate networks and steal data.
SCATTERED SPIDER uses cloud-based tools such as the Azure Administration Console and Data Factory to remotely manage and maintain access to systems while avoiding detection.
Analysts have discovered an underground market on Telegram, a channel called HSBC Network, where young UK-based hackers offer SIM-swapping services that enable attacks on high-privilege accounts.
Some members of the HSBC network are believed to be associated with SCATTERED SPIDER, based on the identification of individuals previously associated with the group in SIM-swapping communities on Telegram. Cybercriminals actively use Telegram and Discord chats to share tools and techniques, which improves their skills and capabilities.
EclecticIQ also discovered a Developer-as-a-Service (DaaS) group called Telecom Enemies that SCATTERED SPIDER allegedly used to create tools such as the Gorilla Call Bot used for phishing campaigns via Google Voice.
Telecom Enemies sell a phishing kit service called AIO (All In One) Suite. Analysts identified the tool’s admin panel URL forward-icloud[.]com/admin/dashboard/login, which is used as a shared platform by threat actors who have purchased their services. It is designed to deliver phishing templates for various services such as Coinbase, Gemini, Kraken, Binance, Robinhood, OKX, Trezor, Ledger, Exodus, MetaMask, Trust Wallet, Bitwarden, LastPass, Yahoo!, AOL, Microsoft/MSN, Gmail, and iCloud. Attackers use the AIO Suite dashboard to manage these phishing campaigns and collect 2FA tokens.
The tools and services offered by Telecom Enemies have been widely advertised on Telegram channels, including HSBC Network and Star Chat. These channels are heavily used by members of SCATTERED SPIDER, further expanding the reach and availability of Telecom Enemies’ offerings in the underground community.
The group is well integrated into underground forums, offering collaboration and development services for hire. Escrow and intermediary services are accepted to facilitate secure transactions for threat actors.
@tempt. Aliases: “tempt,” “t0,” “bAS1C.” Specializations: web application and API exploitation, reverse engineering, and network penetration. Particularly active against carriers and mobile applications, including AT&T, T-Mobile and Verizon.
@swordartonline. Alias: “Knowledge.” Specializations: web application and API exploitation, web crawling, and IoT penetration testing.
@someonesomewheresomething. Aliases: “PIN,” “u0.” Specializations: UEFI/software programming, Linux/NT driver development, and malware development.
@byte_array. Alias: “sp0m.” Specializations: penetration testing, web application and API exploitation.
Once SCATTERED SPIDER gains access to a victim’s cloud infrastructure via SSO-enabled dashboards or Microsoft 365 (M365), they perform reconnaissance to uncover valuable data and resources.
SCATTERED SPIDER looks into the applications integrated into the cloud environment, focusing on customer relationship management (CRM) systems, document management platforms, password storage solutions, project management tools and code repositories. The goal is to identify information that can help them compromise additional accounts, elevate privileges, or move laterally across the network, thus increasing their control over the victim’s systems.
SCATTERED SPIDER actively uses open source tools such as AzureAD, ADExplorer, ADRecon, and PingCastle to gather information from enterprise Active Directory (AD). These tools help attackers create snapshots of AD databases that are then exfiltrated for offline analysis. This yields important data about the corporate infrastructure and facilitates further attacks. Information of particular interest includes:
Password management tools: These tools can provide access to stored credentials, enabling further compromise of systems and accounts.
Network architecture information: Understanding the network layout and virtual infrastructure helps attackers target critical systems and potentially avoid detection.
Virtual Desktop Infrastructure (VDI) and VPN configurations: Gaining access to these configurations allows attackers to establish remote access and maintain network persistence.
Privileged Access Management (PAM) solutions: Access to these tools is critical for attackers to elevate their privileges within an organization, allowing them to gain higher-level access to sensitive systems.
Personnel Information: Identifying key internal contacts can be useful for social engineering attacks or for gathering additional information that supports further compromise.
In addition, SCATTERED SPIDER looks for information that can be used for extortion or to target third-party organizations associated with the victim. This includes:
Third-Party Data: Access to data related to third-party customers or services allows attackers to extend their influence beyond the initial victim, potentially compromising additional organizations.
Proof of Extortion Data: Information such as cybersecurity insurance policies, personally identifiable information (PII), and financial records are valuable for identifying ransom demands or financially motivated attacks.
Through this comprehensive intelligence process, SCATTERED SPIDER positions itself to maximize the impact of its attacks both within the victim organization and within any connected third-party organizations.
As of early 2024, SCATTERED SPIDER was discovered to be abusing the Cross-Tenant Synchronization (CTS) feature in Microsoft Entra ID (formerly Azure AD). This feature, which synchronizes users and groups for convenient multi-tenant management, is abused to maintain access to cloud systems.
CTS abuse typically follows a systematic approach that allows attackers to maintain persistent access to the victim’s environment. The process usually includes:
Privileged account compromise: Attackers first gain access to an account in the victim tenant with sufficient privileges to change cross-tenant settings. This is often a Global Administrator or Security Administrator role.
Setting up inbound sync: The compromised account configures the victim tenant to allow inbound synchronization from a tenant controlled by the attacker. This effectively opens the way for user accounts to be pushed from the attacker’s tenant into the victim’s tenant.
Provisioning malicious accounts: With synchronization in place, the attacker can provision new malicious accounts in the victim tenant as needed. This ensures continued access even if the original accounts are discovered and disabled.
Lateral movement between tenants: If the victim tenant has CTS configured with other tenants, the attacker can use those existing relationships to move laterally, potentially compromising additional environments.
Abusing CTS allows attackers to blend malicious activity with legitimate operations, reducing the likelihood of detection. Synchronized accounts can be used to perform a number of malicious activities, including data theft and privilege escalation.
Federated identity providers in Microsoft Entra ID and Okta tenants allow organizations to delegate authentication to external identity providers (IdPs), simplifying access management. However, SCATTERED SPIDER abuses this feature to maintain persistence and escalate privileges in compromised environments.
Attack methodology:
Misuse of federated identity providers typically involves the following actions:
Elevated account breach: An attacker gains access to an account with authority to modify federated domain settings, such as a global administrator or security administrator.
Creation of a malicious federated domain: A compromised account is used to either create a new federated domain or modify an existing one by configuring it to authenticate through a malicious IdP controlled by the attacker.
Generating forged authentication tokens: The attacker generates forged Security Assertion Markup Language (SAML) tokens, a tactic known as “Golden SAML,” which allows them to impersonate any user within the tenant, including users protected by multi-factor authentication (MFA).
Persistence: An attacker manipulates the settings of a federated domain to ensure persistent access. Even if the original compromised account is disabled, the federated domain acts as a backdoor, enabling re-login.
Facilitate Lateral Movement: Using trust relationships and federation settings, attackers can move laterally between connected tenants, extending their reach within the cloud infrastructure, gaining access to sensitive data, or further escalating privileges.
To maintain control over a compromised environment, SCATTERED SPIDER uses a variety of Remote Desktop and Remote Monitoring and Management (RMM) tools, as well as protocol tunneling and proxy tools. This allows them to interact with hosts on the victim’s network and hide their activities.
Remote Desktop and RMM Tools: SCATTERED SPIDER deploys a number of RMM tools, including AnyDesk, TeamViewer, RustDesk, and MeshCentral. These tools allow an attacker to establish remote connections to victim hosts, facilitating lateral movement and continuous monitoring.
Protocol and Proxy Tunneling Tools: MobaXterm, Ngrok and Proxifier are used by SCATTERED SPIDER to establish SSH connections and create reverse proxies. These tools allow an attacker to bypass network defenses and maintain a presence in the victim’s environment, often using these tunnels to securely communicate with compromised systems.
SCATTERED SPIDER uses techniques to avoid detection and disable security measures in targeted environments. These techniques bypass enterprise defenses, allowing an attacker to maintain persistence and perform malicious activities with minimal interference.
Local proxies: SCATTERED SPIDER uses residential proxy services like NSOCKS and Faceless to hide its real IP address. This tactic makes it appear as if they are logging into victim accounts from the same geographic region as the legitimate account owner, helping them evade detection mechanisms such as “impossible travel” alerts.
Exploitation of victim protection tools: By compromising accounts with SSO access to Endpoint Detection and Response (EDR) tools, SCATTERED SPIDER gains the ability to disable detection on compromised hosts. The attacker also uses the remote shell features of these tools to perform network reconnaissance and deploy remote management tools.
Disabling security tools: SCATTERED SPIDER often uses public scripts, such as privacy-script.bat, to disable Microsoft Defender features and change Windows Firewall settings. This is usually done right before the ransomware is deployed to minimize the risk of detection.
Virtual machine creation: To avoid detection and maintain persistence, SCATTERED SPIDER creates custom virtual machines (VMs) in cloud environments such as AWS, Azure, and VMware. These VMs serve as unmanaged hosts on the network, allowing the attacker to stage tools and remotely access other network hosts.
Malicious mail transport rules: SCATTERED SPIDER configures mail transport rules in victim Microsoft 365 (M365) tenants to redirect security-related emails to attacker-controlled addresses. This prevents the victim organization from receiving suspicious activity notifications or security alerts.
Safe Mode Reboot: An attacker reboots systems into Safe Mode using the bcdedit command to disable or remove protected services, including security products. This mode gives them more flexibility to operate in the victim’s environment without interference.
SCATTERED SPIDER uses various tools and techniques to gain unauthorized access to credentials in traditional Active Directory (AD) environments and cloud-based identity systems such as Microsoft Entra ID (Azure AD). This access allows an attacker to elevate privileges and maintain persistence in the victim’s infrastructure.
Cloud Identity Exploitation: SCATTERED SPIDER uses scripts to enumerate and remove multi-factor authentication (MFA) methods from compromised accounts in Microsoft Entra ID. By resetting MFA, an attacker reduces the likelihood of their activity being blocked by additional authentication measures.
Credential dump: An attacker often uses tools such as GoSecretsDump [13] to obtain password hashes and Kerberos keys from domain controllers. This is usually done after creating snapshots of victim servers in Azure or VMware environments, which are then connected to computers controlled by the attackers.
Access to cookies: To maintain access to cloud services, SCATTERED SPIDER uses browser extensions such as Cookie Quick Manager and EditThisCookie to steal session cookies, allowing them to authenticate to services such as Microsoft 365 (M365) without having to re-enter credentials.
SCATTERED SPIDER uses various data exfiltration techniques to collect sensitive information from victim environments, such as AWS S3 bucket and M365 SharePoint data. Attackers often use remote storage services and Extract, Transform, Load (ETL) tools to facilitate this process.
Remote Storage Services: SCATTERED SPIDER frequently downloads and uploads data to remote storage services such as S3 buckets, BackBlaze, and other cloud storage solutions. An attacker uses tools like S3 Browser to manage these operations, ensuring that large amounts of data can be stolen with minimal detection.
ETL Tools: SCATTERED SPIDER uses ETL tools like AirByte, S3 Browser, and Stitch to synchronize and extract data from the victim’s environment. These tools are often configured using compromised email addresses to create accounts that facilitate the transfer of data from internal systems such as ZenDesk Support and Salesforce to attacker-controlled servers.
Additional methods: SCATTERED SPIDER has also been found to use compromised email addresses to send data directly to attacker-controlled accounts, upload victim data to GitHub repositories, and use file sharing services such as filedropper[.]com and file[.]io to exfiltrate confidential information.
SCATTERED SPIDER focused on deploying ransomware in cloud environments, primarily targeting VMware vSphere ESXi Infrastructure as a Service (IaaS). Their deployment tactics are often automated using customized scripts to effectively execute ransomware.
Targeting VMware ESXi: SCATTERED SPIDER deploys AlphV ransomware binaries on ESXi hosts. Ransomware execution is automated by passing certain arguments and targeting IP addresses defined in the ransomware configuration.
Automated deployment via Azure: In late 2023, SCATTERED SPIDER was observed using the Azure Run Command feature to execute shell scripts that deploy ransomware in an Azure tenant. These scripts were designed to stop security services, download the ransomware executable from cloud storage, and execute it, encrypting the victim’s data with minimal manual intervention.
Persistence and control: To maintain control and ensure successful ransomware deployment, SCATTERED SPIDER frequently changes administrator passwords on VMware ESXi hypervisors and may disable security tools before launching the ransomware. This makes recovery difficult for the victim.
SIM-swap-resistant MFA: Enforce Microsoft Authenticator with number matching and remove SMS as an MFA verification option to prevent SIM-swapping attacks and increase resilience against the common TTPs used by attackers.
Apply conditional access policies: Apply conditional access policies to restrict access to critical systems. For example, require MFA for all users, and especially for administrators, and prefer phishing-resistant MFA types such as Windows Hello for Business.
Multi-factor for sensitive operations: Require two authentication methods for sensitive operations, such as password reset or MFA change, and require video verification to verify the user’s identity during such processes.
Restrict account permissions: Ensure that low-privilege user accounts are not allowed to modify the account or security policies, and use separate administrator accounts to prevent privilege escalation.
Suspicious behavior detection: Watch for unusual patterns, such as high-risk logins or changing password reset requests, especially during non-business hours. Implement alerts for key actions such as Windows login password changes or unauthorized MFA device enrollment.
Cloud activity monitoring: Track and analyze changes to the cloud environment, such as firewall modifications, high outbound traffic, or unusual API call volumes that may indicate reconnaissance or service enumeration.
Secure communication channels: In suspected compromise scenarios, use out-of-band communication channels for critical exchanges. Make video calls with identity verification a standard for help desk operations, including password reset or MFA requests.
Restrict access: Disable SSH access to VMware ESXi hosts, enable lockdown mode, and segment ESXi management interfaces to minimize the risks of unauthorized access. Limit cloud administrative roles with conditional access policies that ensure secure login methods and device compliance.
Audit and control: Regularly audit domain and local accounts with a focus on identifying and limiting privileged account credentials that can be exploited by attackers.
Monitor changes in the cloud: Constantly monitor new virtual machine creations, firewall rule changes, and large volumes of outbound traffic. Set alerts for anomalies that may signal a breach or attack in progress, such as enumeration of administrative accounts.
Backup protection: Track any snapshot deletions and set up alerts to identify and respond to attempts to delete backups, a step ransomware operators take to maximize damage.
Restrict network access: Restrict broad inbound/outbound Internet access to hypervisors, domain controllers, and other mission-critical systems. Use conditional access policies to limit administrative access based on trusted network locations and device compliance.
Secure remote services: Disable unnecessary remote services and provide centralized access through secure proxies, gateways, or managed remote access systems such as VPNs.
Enable and monitor logging: Make sure logging is enabled for mission-critical data warehouse solutions and monitor for high outbound traffic that may indicate attackers are trying to steal data.
Adversary eviction: In cases of suspected compromise, follow a structured recovery process, including restoring the Active Directory forest, mass password resets, and scrutinizing access control lists (ACLs) to eliminate adversary footholds.
Regularly check for look-alike domains that imitate your organization’s legitimate domains, especially those targeting your cloud environment. Act on these domains early to prevent phishing attacks and social engineering tactics.
Force process approval: Require multiple users to approve sensitive roles such as global administrator. Continuously monitor the creation of new privileged users or changes in authentication factors to prevent unauthorized privilege escalation.
Cross-tenant access settings auditing: Track unauthorized or suspicious changes to cross-tenant access settings in Azure AD by recording the operation, the initiating user, and the tenants involved.
Detect abuse of managed identity federated credentials: Use AzureActivity or similar logs to detect when federated credentials are added to a managed identity. Look for transactions that indicate the creation of these credentials and potentially correlate these events with known trusted sources or entities.
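The two audit recommendations above (cross-tenant access setting changes, and federated credentials added to a managed identity) as Microsoft Sentinel KQL queries. These are added examples, not queries from the EclecticIQ report; the table names and columns are the standard Sentinel ones, while the operation-name matches, the 30-day window and the allow-list of automation principals are assumptions to verify in your own workspace.

```kql
// (1) Cross-tenant access setting changes in Entra ID (AuditLogs table).
// Records the operation, the initiating user/IP and the partner tenant,
// as the audit recommendation asks. Category value and operation-name
// wording are assumptions; confirm against your own audit log entries.
AuditLogs
| where TimeGenerated > ago(30d)
| where Category == "CrossTenantAccessSettings"
    or OperationName has "cross-tenant access setting"
| extend Actor       = tostring(InitiatedBy.user.userPrincipalName),
         ActorIp     = tostring(InitiatedBy.user.ipAddress),
         // For partner-specific settings the target id is the partner tenant (assumed)
         PartnerTenant = tostring(TargetResources[0].id),
         Modified    = TargetResources[0].modifiedProperties
| project TimeGenerated, OperationName, Result, Actor, ActorIp, PartnerTenant, Modified
| sort by TimeGenerated desc

// (2) Federated credential added to a user-assigned managed identity (AzureActivity table).
// Operation name is the ARM write operation for federatedIdentityCredentials.
// Callers on the allow-list are automation principals expected to do this (constructed placeholders).
let knownAutomation = dynamic(["iac-deployer@corp.example", "00000000-0000-0000-0000-000000000000"]);
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue =~ "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write"
| where ActivityStatusValue =~ "Success"   // "Success" in the current AzureActivity schema (assumed)
| where Caller !in~ (knownAutomation)
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup,
          ManagedIdentity = _ResourceId, OperationNameValue
| sort by TimeGenerated desc
```

Run the two queries separately; a hit on the second that is not correlated with a known deployment pipeline deserves the same triage as a new federated domain in the tenant.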
RMM Software Discovery Query: Use the DeviceProcessEvents logs to discover processes related to Remote Monitoring and Management (RMM) software. This query filters events within a specified time period, focusing on processes from known RMM software vendors. It excludes device activity from a predefined exclusion list and then sorts the results by timestamp, allowing you to quickly identify and investigate potentially unauthorized use of the RMM software.
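The RMM discovery query described above, written out in KQL for Microsoft Defender for Endpoint / Sentinel. This is an added example, not the report's own query; the process and signer names cover the tools named earlier on this page, and the lookback window and device exclusion list are constructed placeholders to tune for your environment.

```kql
// Hunt for Remote Monitoring and Management (RMM) and tunnelling tool processes.
let lookback = 7d;                                   // time window (assumed)
// Executable names for the tools named in the report (AnyDesk, TeamViewer,
// RustDesk, MeshCentral, MobaXterm, Ngrok, Proxifier). Names are assumptions.
let rmmProcesses = dynamic([
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe", "rustdesk.exe",
    "meshagent.exe", "mobaxterm.exe", "ngrok.exe", "proxifier.exe"
]);
// Vendor names as reported in the binary's version info (assumed values),
// so that a renamed executable is still caught.
let rmmVendors = dynamic(["AnyDesk Software GmbH", "TeamViewer Germany GmbH", "RustDesk"]);
// Devices where RMM use is sanctioned, e.g. the help desk (constructed placeholders).
let excludedDevices = dynamic(["helpdesk-ws01.corp.example", "it-jump01.corp.example"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (rmmProcesses)
    or ProcessVersionInfoCompanyName in~ (rmmVendors)
| where DeviceName !in~ (excludedDevices)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, ProcessVersionInfoCompanyName,
          InitiatingProcessFileName, InitiatingProcessAccountName
| sort by Timestamp desc
```

Pay particular attention to hits where the initiating process is a browser or an EDR remote shell, which matches the delivery paths described in this report.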