Scattered Spider gang targets telcos and BPO companies

December 9, 2022
Scattered Spider Threat Gang Telecommunication BPO Fraud Prevention Vishing SIM Swapping Social Engineering

The Scattered Spider group’s financially motivated threat campaign heavily targets telecommunication and BPO companies. According to investigations, the group has been elusive in its attacks, making it hard for many researchers to track them.

The attacks began in the first half of 2022, and many analysts stated that the group has been using several initial access vectors.

Based on reports, the primary objective of the malicious actors is to obtain access to mobile carrier networks and execute a SIM-swapping attack. The group’s methods for their SIM swapping campaign include social engineering tactics through SMS and calls to impersonate IT personnel.

The vishing lure redirects victims to a credential-harvesting website or deceives them into installing commercial RMM tools.


The financially motivated attack from the Scattered Spider group has successfully evaded security detections.


Researchers observed the Scattered Spider group’s campaign establishing persistence, reversing defensive mitigations, bypassing security detection, and moving on to other targets as soon as a victim disrupted their activity.

Scattered Spider operators also add their own devices to the list of trusted MFA devices after gaining system access through a compromised user account.

The researchers also noted that the group uses TeamViewer, ScreenConnect, AnyDesk and other RMM tools that are common within a corporate network. This strategy lets the actors blend their malicious activity into normal administration so that it does not raise suspicions or alert security software.

Furthermore, the group utilised various VPN and ISP providers to gain access to Google Workspace environments, AzureAD, and on-premises infrastructure in all their attacks. They have also established persistence in infiltrated networks and become more active in setting up additional evasive capabilities once detected by security solutions.

In some cases, the actors have reversed some defence mitigations by reactivating accounts previously disabled by their targets.

Cybersecurity experts recommend that organisations enforce MFA for privileged account authentication and identify vulnerable or compromised devices and credentials through custom rules and queries. This approach lets defenders raise real-time threat intelligence alerts that identify affected credentials.
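As an added example (not code from the article or from any vendor), the Python below runs three correlation rules over a constructed identity and endpoint audit log to flag the behaviours described above: an MFA device enrolled from a source the user only recently started using, a previously disabled account being re-enabled, and an unapproved commercial RMM tool starting on an endpoint. The event field names, the RMM process names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); the field names are
# assumptions, not any vendor's schema.
EVENTS = [
    {"ts": "2022-11-10T08:00:00", "user": "bob", "action": "login", "ip": "198.51.100.2"},
    {"ts": "2022-11-20T10:00:00", "user": "svc_old", "action": "account_disabled", "ip": "10.0.0.5"},
    {"ts": "2022-12-01T09:00:00", "user": "alice", "action": "login", "ip": "203.0.113.7"},
    {"ts": "2022-12-01T09:04:00", "user": "alice", "action": "mfa_device_added", "ip": "203.0.113.7"},
    {"ts": "2022-12-01T09:10:00", "user": "alice", "action": "process_start", "host": "ws01", "image": "AnyDesk.exe"},
    {"ts": "2022-12-01T11:00:00", "user": "svc_old", "action": "account_enabled", "ip": "203.0.113.7"},
    {"ts": "2022-12-01T12:00:00", "user": "bob", "action": "login", "ip": "198.51.100.2"},
    {"ts": "2022-12-01T12:30:00", "user": "bob", "action": "mfa_device_added", "ip": "198.51.100.2"},
]

# Executables of the RMM tools the article names (process names assumed).
RMM_IMAGES = {"teamviewer.exe", "anydesk.exe", "screenconnect.clientservice.exe"}


def find_suspicious(events, new_source=timedelta(hours=24), approved_rmm=frozenset()):
    """Return (rule, subject) tuples for events that match one of three rules."""
    first_seen = {}   # (user, ip) -> first time this user logged in from ip
    disabled = set()  # accounts currently disabled by the defenders
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        t, u, a = datetime.fromisoformat(e["ts"]), e["user"], e["action"]
        key = (u, e.get("ip"))
        if a == "login":
            first_seen.setdefault(key, t)
        elif a == "mfa_device_added":
            # Rule 1: MFA factor enrolled from a source the user never used,
            # or only started using within the new_source window.
            if t - first_seen.get(key, t) <= new_source:
                hits.append(("mfa_device_added_from_new_source", u))
        elif a == "account_disabled":
            disabled.add(u)
        elif a == "account_enabled":
            # Rule 2: reactivation of an account the defenders had disabled.
            if u in disabled:
                hits.append(("disabled_account_reenabled", u))
                disabled.discard(u)
        elif a == "process_start":
            # Rule 3: a commercial RMM tool outside the approved set.
            image = e["image"].lower()
            if image in RMM_IMAGES and image not in approved_rmm:
                hits.append(("unapproved_rmm_tool", e["host"]))
    return hits


if __name__ == "__main__":
    for rule, subject in find_suspicious(EVENTS):
        print(f"ALERT {rule}: {subject}")
```

Bob's enrolment from an IP he has used since November is deliberately left unflagged, so the rules need a login baseline that predates the intrusion to be meaningful.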
