New report sheds light on “Scattered Spider”’s ability to take over identity providers
The group "register their own MFA tokens [and] add a federated identity provider to the victim’s SSO tenant and activate automatic account linking..."
CISA and the FBI have shed more light on the tactics of a prolific cybercrime threat group known as “Scattered Spider” that includes native English speaking actors skilled at social engineering attacks.
The loosely knit group, known as Octo Tempest by Microsoft, has been connected to the hacks of the MGM Grand, Riot Games, and MailChimp among others and utilises a wide range of hands-on techniques.
Unusually, it appears to have started working with Eastern European cybercriminal groups as an affiliate, deploying ransomware, data exfiltration and double-extortion-type attacks, increasingly, Microsoft earlier reported, even including physical threats of violence.
(404 Media has a colourful write-up on the rise of young western cybercrime groups here. Sickeningly, it notes that some corners of this rising subculture have, as the FBI warned, extended extortion from the financial to the personal with young women often targets and “extortion and abuse as a… core feature of their membership. The end goal for some members is “forcing the minors they extort into committing suicide on live-stream for their own entertainment or their own sense of fame.”)
As CISA’s report this week emphasises however, whilst Scattered Spiders’ TTPs vary, social engineering attacks to gain control over phones handling MFA or pretending to be IT help desk remain central to its approach.
(This also includes SIM swapping: Gathering personal data about a target, then contacting their telecom provider and pretending to have lost their phone and needing to transfer a number to a new one; too often telcos will port the SIM to a new device. CISA has urged greater controls here.)
Powerfully, CISA said this week, after compromising a user’s account to establish persistence, Scattered Spider threat actors then “register their own MFA tokens [and] add a federated identity provider to the victim’s SSO tenant and activate automatic account linking” – letting them “sign into any account by using a matching SSO account attribute.
“At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute. As a result, this activity allows the threat actors to perform privileged escalation and continue logging in even when passwords are changed” CISA warned. “Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools’ remote-shell capabilities and executing of commands which elevates their access” the agency added.
Mitigations broadly include implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA that is resistant to phishing and not susceptible to push bombing or SIM swap attacks – as widely as possible across the organisation, but particularly for webmail, VPNs, and accounts that access critical systems. Deeper TTPs and further mitigations are here.