A financially motivated, very active and fast-evolving cyber-crime group, dubbed 'SCATTERED SPIDER' by CrowdStrike, has been on that security company's radar for some time, and CrowdStrike has now published a detailed report on the group's activity and techniques.
"In this attack campaign, the adversary demonstrates persistence in trying to gain access to victim environments and performs constant, and typically daily, activity within the target environment once access is gained. It is imperative for organizations to swiftly implement containment and mitigation actions if this adversary is in the environment. In multiple investigations, CrowdStrike observed the adversary become even more active, setting up additional persistence mechanisms, i.e. VPN access and/or multiple RMM tools, if mitigation measures are slowly implemented. And in multiple instances, the adversary reverted some of the mitigation measures by re-enabling accounts previously disabled by the victim organization.
Also of note, as CrowdStrike assisted one organization through the investigation and to a successful containment phase, the adversary moved onto other organizations in the same vertical. CrowdStrike was subsequently engaged to support the new victim organizations battling against the same campaign, as evidenced by overlapping indicators of compromise (IOCs) and techniques.
In all observed intrusions, the adversary attempted to leverage access to mobile carrier networks from a Telco or BPO environment, and in two investigations, SIM swapping was performed by the adversary," CrowdStrike said in its blog post.
Activity starts with initial access gained through social engineering: the group uses phone calls, SMS or instant messages to pose as IT staff and push the user either to a credential-harvesting website that the user assumes is the genuine company site, where they enter their login credentials, or to download an RMM tool that gives the threat actor RAT-like connectivity to the machine.
The threat group also exploits CVE-2021-35464 to compromise vulnerable OpenAM application servers.
"CrowdStrike incident responders observed that in many cases, the adversary gained access to the organization’s MFA console to add their own devices (as an additional device per user) as trusted MFA devices. The devices would be assigned to compromised users for whom they had captured credentials. This technique, performed by taking advantage of user self-enrollment policies with the MFA provider, allowed the adversary to maintain a deeper and less obvious level of persistence instead of simply installing a remote access trojan to maintain access," CrowdStrike said in its report.
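The MFA self-enrollment persistence described in that quote leaves a footprint in the MFA provider's audit log that defenders can hunt for. The following Python script is an added example (not code from CrowdStrike or from the report) that runs two checks over a constructed, hypothetical enrollment log: it flags a single device identifier that becomes enrolled for more than one user account, and it flags an additional device added to an account within a short window after that account first signs in from a previously unseen source address. The JSON field names (`event`, `user`, `device_id`, `src_ip`) and the sample events are assumptions for illustration and do not match any particular vendor's export format.

```python
"""
Detection sketch for MFA self-enrollment abuse (added example, not from the
report). Two rules:
  1. shared_device: one device id enrolled for more than one user account.
  2. extra_device_after_new_source: an account gains a second (or later) device
     shortly after its first sign-in from a source IP never seen for that user.

The log lines and their schema are constructed for this example only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2022-11-30T07:50:00Z", "event": "login", "user": "bob", "src_ip": "10.10.4.33"}
{"ts": "2022-11-30T07:52:00Z", "event": "mfa_enroll", "user": "bob", "device_id": "dev-B2", "src_ip": "10.10.4.33"}
{"ts": "2022-12-01T08:02:10Z", "event": "login", "user": "alice", "src_ip": "10.10.4.21"}
{"ts": "2022-12-01T08:05:00Z", "event": "mfa_enroll", "user": "alice", "device_id": "dev-A1", "src_ip": "10.10.4.21"}
{"ts": "2022-12-01T21:40:12Z", "event": "login", "user": "alice", "src_ip": "203.0.113.77"}
{"ts": "2022-12-01T21:41:30Z", "event": "mfa_enroll", "user": "alice", "device_id": "dev-X9", "src_ip": "203.0.113.77"}
{"ts": "2022-12-01T21:55:02Z", "event": "login", "user": "bob", "src_ip": "203.0.113.77"}
{"ts": "2022-12-01T21:56:40Z", "event": "mfa_enroll", "user": "bob", "device_id": "dev-X9", "src_ip": "203.0.113.77"}
{"ts": "2022-12-02T09:00:00Z", "event": "mfa_enroll", "user": "carol", "device_id": "dev-C3", "src_ip": "10.10.4.40"}
"""

# How soon after a sign-in from an unseen source an extra enrollment is suspicious.
ENROLL_AFTER_NEW_SOURCE = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_enrollments(events):
    """Return a list of (rule, user, device_id) alert tuples in event order."""
    alerts = []
    known_ips = defaultdict(set)          # user -> source IPs seen so far (baseline)
    last_new_ip_login = {}                # user -> time of last login from an unseen IP
    devices_per_user = defaultdict(set)   # user -> enrolled device ids
    users_per_device = defaultdict(set)   # device id -> users it is enrolled for

    for e in events:
        user = e["user"]
        if e["event"] == "login":
            if e["src_ip"] not in known_ips[user]:
                last_new_ip_login[user] = e["ts"]
            known_ips[user].add(e["src_ip"])
        elif e["event"] == "mfa_enroll":
            dev = e["device_id"]
            devices_per_user[user].add(dev)
            users_per_device[dev].add(user)
            # Rule 1: the same device is now a trusted factor for several accounts.
            if len(users_per_device[dev]) > 1:
                alerts.append(("shared_device", user, dev))
            # Rule 2: an additional device enrolled right after a sign-in from a new source.
            t = last_new_ip_login.get(user)
            if (len(devices_per_user[user]) > 1 and t is not None
                    and e["ts"] - t <= ENROLL_AFTER_NEW_SOURCE):
                alerts.append(("extra_device_after_new_source", user, dev))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the script flags alice's second device (enrolled a minute after her first sign-in from 203.0.113.77), then bob's enrollment of the same `dev-X9` identifier, which trips both rules; carol's first-ever enrollment from a familiar address produces nothing. In a real deployment the baseline of known source addresses would be built from weeks of history rather than from the same log being scanned, and a hit on either rule is a prompt to verify the enrollment with the user out of band and, if unconfirmed, remove the device and reset the account's factors.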
