It’s Scattered Spider Season
- CyberSpeak Labs

- Jun 22, 2025
- 5 min read
Aflac, a Fortune 500 insurance company, recently contained an intrusion whose tactics resemble those of Scattered Spider before any ransomware could be deployed. CyberSpeak Labs has put together a high-level overview of the incident and of Scattered Spider itself: how to educate your business, which IOCs to recognize, and how to track this threat actor group.
Aflac Cyber Breach
On June 20th, Aflac publicly announced that it had experienced a breach which it believes involved behaviors and tactics similar to those used by the threat actor group Scattered Spider. In its press release, Aflac stated that it is not yet known how much data was accessed or potentially stolen, but that it can confidently say ransomware was not deployed in its environment.
Aflac's breach closely resembles the initial stages of the incidents at MGM Resorts and Caesars Entertainment. The threat actor likely employed social engineering tactics such as:
Posing as an employee and calling the company's IT support.
Posing as the company's IT department and asking an employee to reset their password.
Posing as the company's MFA provider and requesting an MFA reset.
The attack becomes harder to spot when a third-party service, such as outsourced IT support or an outsourced security provider, has itself been compromised by Scattered Spider. The compromised provider then acts as a hub: the actor can use the provider's internal customer information and trusted access to target many client companies at once.
In Aflac's case, the company detected unusual network activity and contained the breach within hours. Its cyber and IT teams are still assessing the scope of the impact, but Aflac is offering affected customers two years of free credit monitoring and identity theft insurance. It is fair to say that Aflac escaped the spider's trap.
About Scattered Spider
Scattered Spider is believed to have first become active in May 2022, with members likely residing in the United Kingdom and the United States. Different vendors and researchers track the group under a number of other names, and it has operated as an affiliate of, or within, several wider criminal communities:
UNC3944
Star Fraud
Octo Tempest
Scatter Swine
Muddled Libra
ALPHV (affiliate)
The Community (affiliate)
The Com (affiliate)
Like many experienced threat actors, Scattered Spider has a recognizable signature that makes its attacks easy to attribute. The group is known for data extortion, ecommerce attacks, and above all its social engineering tradecraft. The well-publicized breaches attributed to the group show social engineering techniques far more advanced than the scenarios covered in typical cyber awareness training.
The group researches the target company and its people through social media pages, company newsletters, and other media outlets. It then poses as an employee or as IT support to obtain credentials or the one-time passcodes needed to satisfy MFA.
The group adds a further level of sophistication by blending in with normal administration: execution and persistence rely on living-off-the-land binaries (LOLBins) and legitimate applications rather than custom malware. Examples include, but are not limited to:
cmd.exe
PowerShell.exe
Rundll32
Because these are signed Windows components that administrators run every day, their execution alone rarely triggers alerts from standard security tools. Once inside the network, the group collects information stored locally or in browsers. It has also been seen deploying or reusing IT support and management tools such as AnyDesk, TeamViewer, and Fleetdeck for persistence and data exfiltration. If this stage succeeds, the group moves to its final phase: data extortion and, in some cases, ransomware.
Known Successful Breaches
Snowflake customer accounts (2024)
MGM Resorts (2023)
Caesars Entertainment (2023)
IOCs, Tools, and Tactics
Tools:
Legitimate remote desktop and management tools. The agent makes an outbound connection to the vendor's relay, which then gives the operator inbound control of the host, so inbound firewall rules do not stop it. This is highly effective unless egress to these services is blocked by internal network or host-based firewalls, or the binaries are blocked by application control. Scattered Spider has commonly been seen to use:
Fleetdeck
Level
AnyDesk
Pulseway
TeamViewer
Splashtop
ScreenConnect
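Since every tool in this list is legitimate software, the practical detection is policy-based: which remote-management products does IT actually sanction, and did the binary arrive through IT's deployment path or get dropped into a user's Temp or Downloads folder? The following Python hunt, added here as an example and not code from CyberSpeak Labs, runs that triage over process-creation telemetry. The event records are constructed to resemble Sysmon Event ID 1 / EDR data; the field names, the executable-name fragments, and the "ScreenConnect is approved" policy are assumptions to adapt to your environment.

```python
"""
Hunt for remote-management tools in process-creation telemetry and flag
those that are unapproved or launched from user-writable paths.

Added example, not code from CyberSpeak Labs. The records below are
constructed to resemble Sysmon Event ID 1 / EDR process-creation data;
the field names, the signature fragments and the approved-tool policy
are assumptions to adapt to your environment.
"""
import re

# Lower-case fragments of the executable names for the tools listed above.
# Installers usually drop helper binaries too; extend from your own telemetry.
RMM_SIGNATURES = {
    "fleetdeck":     ["fleetdeck"],
    "level":         ["level.exe"],          # assumed agent name
    "anydesk":       ["anydesk"],
    "pulseway":      ["pulseway"],
    "teamviewer":    ["teamviewer"],
    "splashtop":     ["splashtop"],
    "screenconnect": ["screenconnect", "connectwisecontrol"],
}

# Paths a standard user can write to: an RMM agent started from here was
# not pushed by IT's software deployment.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\|\\programdata\\",
    re.IGNORECASE,
)

# Constructed sample events: a dropped AnyDesk, a sanctioned ScreenConnect
# service, an unrelated process, and a FleetDeck agent started from cmd.exe.
EVENTS = [
    {"host": "WS-0412", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-0412", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "SRV-FS01", "user": r"CORP\svc_backup",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-0777", "user": r"CORP\asmith",
     "image": r"C:\Users\asmith\Downloads\fleetdeck_agent.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]


def identify_rmm(image_path):
    """Return the RMM product a binary path belongs to, or None."""
    name = image_path.lower()
    for product, fragments in RMM_SIGNATURES.items():
        if any(f in name for f in fragments):
            return product
    return None


def triage(events, approved):
    """Return RMM launches that violate policy, each with its reasons."""
    findings = []
    for ev in events:
        product = identify_rmm(ev["image"])
        if product is None:
            continue
        reasons = []
        if product not in approved:
            reasons.append("unapproved tool")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("launched from user-writable path")
        if reasons:
            findings.append({**ev, "product": product, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assume ScreenConnect is the help desk's sanctioned tool.
    for f in triage(EVENTS, approved={"screenconnect"}):
        print(f"{f['host']} {f['user']} {f['product']}: {', '.join(f['reasons'])}")
```

Note that the sanctioned tool is still flagged when it starts from a user-writable path: Scattered Spider is known to deploy the same products IT uses, so the install location and parent process matter more than the product name. Pair this with an egress block on the relay domains of every product not in the approved set.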
Associated Malware:
IOCs:
Note: these indicators change often and are frequently hidden behind legitimate applications and services. Use caution when blocking or hunting on them, and validate before acting.
Phishing domain patterns (VICTIMCOMPANY stands in for the target's name):
VICTIMCOMPANY-sso[.]com
VICTIMCOMPANY-servicedesk[.]com
VICTIMCOMPANY-okta[.]com
VICTIMCOMPANY-idp[.]com
VICTIMCOMPANY-office[.]com
VICTIMCOMPANY-duo[.]com
VICTIMCOMPANY-microsoft[.]com
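Because the concrete domains change per victim, the durable indicator is the pattern: the target's name joined to an identity or help-desk keyword in a registrable domain the company does not own. The Python below, added here as an example and not code from CyberSpeak Labs, turns that pattern into a check you can run over DNS or proxy logs (or a certificate-transparency feed). It generalises the page's list to either ordering (company-keyword or keyword-company), optional separators, and any TLD, and extends the keyword set with a few more identity terms; the company name "acmecorp", its legitimate domains, and the log lines are constructed assumptions.

```python
"""
Flag lookalike domains in the pattern listed above: the target's name joined
to an identity or help-desk keyword, e.g. victimcompany-sso[.]com.

Added example, not code from CyberSpeak Labs. It generalises the page's
pattern to either ordering, optional separators and any TLD, and extends
the keyword list. The company "acmecorp", its legitimate domains and the
DNS log lines are constructed assumptions.
"""
import re

KEYWORDS = ["sso", "servicedesk", "okta", "idp", "office", "duo", "microsoft",
            "helpdesk", "vpn", "mfa", "login"]   # last four are additions

COMPANY = "acmecorp"
# Registrable domains the company or its IdP legitimately use: never flagged.
LEGIT_DOMAINS = {"acmecorp.com", "okta.com", "microsoftonline.com"}

# Constructed DNS query log: two legitimate lookups, three lookalikes, one
# legitimate Microsoft login domain that must not trip on the "microsoft" keyword.
DNS_LOG = """\
2025-06-20T14:02:11Z client=10.4.8.22 query=acmecorp.okta.com type=A
2025-06-20T14:02:19Z client=10.4.8.22 query=acmecorp-sso.com type=A
2025-06-20T14:03:40Z client=10.4.9.101 query=mail.acmecorp.com type=MX
2025-06-20T14:05:02Z client=10.4.8.57 query=acmecorp-servicedesk.net type=A
2025-06-20T14:05:09Z client=10.4.8.57 query=login.microsoftonline.com type=A
2025-06-20T14:07:31Z client=10.4.7.3 query=ssoacmecorp.co type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.net/.co; use a
    public-suffix list for ccTLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_pattern(company):
    kw = "|".join(map(re.escape, KEYWORDS))
    c = re.escape(company.lower())
    # <company>[sep]<keyword>... or <keyword>[sep]<company>..., sep in {-, _, none}
    return re.compile(rf"^(?:{c}[-_]?(?:{kw})|(?:{kw})[-_]?{c})")


def is_lookalike(host, company=COMPANY, legit_domains=LEGIT_DOMAINS):
    """True if the registrable part of host imitates company + keyword."""
    reg = registrable_domain(host)
    if reg in legit_domains:          # our own domains and our IdP's
        return False
    second_level = reg.split(".")[0]
    return build_pattern(company).match(second_level) is not None


def scan_dns_log(text, company=COMPANY, legit_domains=LEGIT_DOMAINS):
    """Return (client, domain) pairs for queries to lookalike domains."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and is_lookalike(m["query"], company, legit_domains):
            hits.append((m["client"], m["query"].lower()))
    return hits


if __name__ == "__main__":
    for client, domain in scan_dns_log(DNS_LOG):
        print(f"{client} resolved suspected lookalike {domain}")
```

The allowlist of legitimate registrable domains is what keeps the check quiet: the company's real Okta tenant lives under okta.com and is excluded before the pattern is ever applied. A practical follow-up is to run the same `is_lookalike` test against newly registered domains or certificate-transparency entries so the phishing site is spotted before the first employee is called.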
Attack Kill Chain
Reconnaissance | T1589, T1596
Information about the company is collected from websites, social media, and news sources. The next step is to locate login portals that accept the company's email addresses; these, and the company's address format, can often be found on its own website (e.g., support@companydomain[.]com). This information lets the threat actor craft convincing phishing and vishing campaigns.
Initial Access | T1566, T1585, T1646
The threat actor sends the targeted user an email prompting an MFA reset, or places a phone call posing as an employee who needs IT support (or as IT support calling the employee). Some reports also describe the group carrying out SIM swapping to intercept SMS-based codes.
Credential Access | T1110, T1555, T1003
The threat actor spams the user with MFA push requests until the user taps "approve" (MFA fatigue). The resulting authenticated session gives the actor the user's access, for example to SSO or VPN, from which they reach the victim's machine and harvest credentials saved in browsers or elsewhere on the host.
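MFA fatigue leaves a distinctive trace in the identity provider's push logs: a burst of challenges to one user in a few minutes, mostly denied or timed out, and then an approval. The Python below, added here as an example and not code from CyberSpeak Labs, clusters push events per user and scores each burst, treating a burst that ends in an approval as a probable account takeover. The log format, the 10-minute window, the 4-push threshold, and the events themselves are constructed assumptions; map the fields to your IdP's push events.

```python
"""
Detect MFA fatigue ("push bombing"): a burst of push challenges to one
user inside a short window, worst when the burst ends in an approval.

Added example, not code from CyberSpeak Labs. The log format, the
10-minute window, the 4-push threshold and the events are constructed
assumptions; map the fields to your identity provider's push events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push log: jdoe is bombed at 03:10 and gives in on the fifth
# push; asmith has three ordinary, widely spaced prompts during the day.
PUSH_LOG = """\
2025-06-20T03:10:02Z user=jdoe result=denied ip=203.0.113.40
2025-06-20T03:10:41Z user=jdoe result=timeout ip=203.0.113.40
2025-06-20T03:11:15Z user=jdoe result=denied ip=203.0.113.40
2025-06-20T03:11:58Z user=jdoe result=timeout ip=203.0.113.40
2025-06-20T03:12:30Z user=jdoe result=approved ip=203.0.113.40
2025-06-20T09:00:05Z user=asmith result=approved ip=10.4.8.57
2025-06-20T09:30:12Z user=asmith result=denied ip=10.4.8.57
2025-06-20T09:45:00Z user=asmith result=approved ip=10.4.8.57
"""

WINDOW = timedelta(minutes=10)
MIN_PUSHES = 4   # challenges within one window before it counts as a burst


def parse_push_log(text):
    """Parse 'ts key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_push_bursts(events, window=WINDOW, min_pushes=MIN_PUSHES):
    """Group each user's pushes into clusters that fall within `window` of
    the cluster's first push; report clusters with at least min_pushes."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs + [None]:            # None flushes the final cluster
            if e is not None and (not cluster or e["ts"] - cluster[0]["ts"] <= window):
                cluster.append(e)
                continue
            if len(cluster) >= min_pushes:
                results = [c["result"] for c in cluster]
                approved = "approved" in results
                alerts.append({
                    "user": user,
                    "start": cluster[0]["ts"].isoformat(),
                    "pushes": len(cluster),
                    # pushes the user rejected or ignored before giving in
                    "rejected_before_approval": results.index("approved") if approved else len(results),
                    "approved": approved,
                    "ips": sorted({c["ip"] for c in cluster}),
                    # a burst that ends in approval is a likely account takeover
                    "severity": "high" if approved else "medium",
                })
            cluster = [] if e is None else [e]
    return alerts


if __name__ == "__main__":
    for a in find_push_bursts(parse_push_log(PUSH_LOG)):
        print(f"[{a['severity']}] {a['user']}: {a['pushes']} pushes from {a['start']}, "
              f"{a['rejected_before_approval']} rejected before approved={a['approved']}")
```

The "rejected before approval" count is the high-fidelity signal: a legitimate user rarely denies four prompts and then accepts the fifth. A medium-severity burst with no approval is still worth a call to the user, since it means someone holds their password. The structural fix is to remove the push-approve step altogether with number matching or phishing-resistant FIDO2 authenticators.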
Persistence | T1136, T1546, T1053
The threat actor uses LOLBins and creates local administrator accounts. Some breaches involved abuse of cloud platforms such as Azure to set up sign-in paths that bypass the normal ones. The chain also uses legitimate tools such as AnyDesk to establish an outbound connection through a known application. Mimikatz has been reported in use as well, for dumping credentials rather than as a beacon; it is the remote access tool that keeps the channel back to the actor open.
Discovery | T1087, T1018, T1086
The threat actor uses native tools such as cmd.exe and PowerShell.exe to enumerate accounts, hosts, and exposed servers and network protocols, scoping how to scale the attack and where to move laterally. The group has also been seen taking over the company's social media accounts.
Exfiltration | T1048, T1560
Because social engineering has already given the actor an interactive foothold, they either use a remote access tool that is already present (e.g., AnyDesk) or deploy one through their own means. These tools carry data out of the compromised network and bring additional tooling in.
Impact | T1486, T1567
Scattered Spider uses legitimate cloud storage platforms to exfiltrate volumes of data that would be impractical over a remote desktop tool; OneDrive, Google Drive, and Mega are among those observed. In recent breaches the group has also encrypted data and demanded a ransom. These extortions have cost companies millions of dollars to resolve, before counting the cost of repairing brand and customer trust.
Educating Your Business
Train employees never to share passwords or MFA codes, and never to click a reset link unless they initiated the reset.
Reinforce the rule: "IT will never ask you for your password or MFA code."
Show examples of voice phishing (vishing) during security awareness month, or build them into regular cyber training.
Teach staff that if they receive a call from "IT" that does not come from an internal number, they should hang up and call back through the real help desk number.
Educate staff about remote access applications. Example: "If you see a remote-control app open and you didn't start it, report it!" Any such application not managed or deployed by IT should be reported.