Scattered Spider hackers switch focus to cloud apps for data theft

June 14, 2024 at 11:06AM

The Scattered Spider gang, also known as Octo Tempest, uses social engineering attacks to steal data from SaaS apps. They use SMS phishing and SIM swapping for on-premises access. Their tactics have expanded to cloud infrastructure, where they steal data without deploying ransomware. They create new virtual machines, disable security protections, and exfiltrate data to cloud storage services like GCP and AWS. Mandiant recommends better monitoring of SaaS apps to detect potential compromises.

The key takeaways are:

1. The Scattered Spider gang, also tracked as Octo Tempest, 0ktapus, Scatter Swine, and UNC3944, engages in social engineering attacks targeting SaaS applications, using techniques such as SMS phishing, SIM swapping, and account hijacking for on-premises access.

2. The gang is a loosely knit collective of English-speaking individuals collaborating to carry out breaches, steal data, and extort targets. They frequently switch between members with skills suited for specific tasks.

3. Mandiant’s report notes that Scattered Spider’s tactics have expanded to cloud infrastructure and SaaS applications for data theft extortion without encrypting systems, as evidenced by an expansion in targeted industries and organizations.

4. Scattered Spider relies on social engineering techniques to gain initial access to privileged accounts and uses Okta permissions to reach the victim company’s cloud and SaaS applications. They create new virtual machines for persistence on vSphere and Azure and disable security protections to deploy tools for lateral movement.

5. The threat actor uses legitimate cloud syncing tools to move victim data to cloud storage on reputable services like Google Cloud Platform (GCP) and Amazon Web Services (AWS).

6. Scattered Spider pivots to various client SaaS applications for reconnaissance and data mining, including Microsoft Office Delve for Microsoft Office 365 and endpoint detection and response (EDR) solutions to test their access to the environment.

7. Mandiant recommends implementing multiple detection points to identify potential compromises in cloud-based apps, and improving monitoring of SaaS applications, covering centralized logs, MFA re-registrations, and virtual machine infrastructure. Other recommended actions include using host-based certificates with multi-factor authentication for VPN access and creating stringent access policies to control visibility inside a cloud tenant.
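One way to combine the detection points in item 7 once logs are centralized: flag any account whose MFA re-registration is followed shortly by VM creation or by security protections being disabled. This is an added example, not code from Mandiant or the original article; the normalized event schema, field names, action labels and sample records are constructed assumptions, not a real vendor log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (ts, source, actor, action, target), as a central log pipeline might emit.
SAMPLE_EVENTS = [
    {"ts": "2024-06-10T09:02:00", "source": "idp", "actor": "j.doe",
     "action": "mfa_reregistered", "target": "j.doe"},
    {"ts": "2024-06-10T09:40:00", "source": "vsphere", "actor": "j.doe",
     "action": "vm_created", "target": "vm-tmp-01"},
    {"ts": "2024-06-10T09:55:00", "source": "edr", "actor": "j.doe",
     "action": "protection_disabled", "target": "vm-tmp-01"},
    {"ts": "2024-06-11T14:00:00", "source": "azure", "actor": "ops-svc",
     "action": "vm_created", "target": "build-agent-7"},
    {"ts": "2024-06-12T08:00:00", "source": "idp", "actor": "a.lee",
     "action": "mfa_reregistered", "target": "a.lee"},
]

# Actions worth correlating with a recent MFA change (assumed labels).
FOLLOW_UP = {"vm_created", "protection_disabled"}


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per MFA re-registration that is followed, within
    `window`, by a FOLLOW_UP action from the same account."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    last_rereg = {}  # account -> time of its most recent MFA re-registration
    alerts = {}      # (account, re-registration time) -> alert record
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "mfa_reregistered":
            # Key on the account whose factor changed (target), since the
            # reset may have been performed by a different identity.
            last_rereg[e["target"]] = ts
        elif e["action"] in FOLLOW_UP:
            start = last_rereg.get(e["actor"])
            if start is not None and ts - start <= window:
                alert = alerts.setdefault((e["actor"], start), {
                    "actor": e["actor"],
                    "mfa_reregistered_at": start.isoformat(),
                    "follow_up": [],
                })
                alert["follow_up"].append((e["source"], e["action"], e["target"]))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The routine VM creation by `ops-svc` and the isolated re-registration by `a.lee` produce no alert on their own; only the sequence on a single account does.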
