Scattered Spider Escalates Attacks on Financial Services Cloud Environments

ExtraHop

October 2, 2024

A new report from Eclectic IQ has shed light on malicious cloud-conscious activities believed to be linked to the notorious Scattered Spider cybercrime gang, with a focus on attacks targeting the insurance and financial services sectors.

The report titled “Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries” covers suspected Scattered Spider cyberattacks against cloud environments, which Eclectic IQ analysts observed between 2023 and Q2 of 2024. Based on Eclectic IQ’s analysis, the “infrastructure and methodologies observed” during the research period—“particularly the automated generation of phishing pages—strongly align with the SCATTERED SPIDER activity cluster.”

Scattered Spider is a loosely knit threat actor collective that shot to notoriety with high-ticket ransomware attacks in August 2023. The group is differentiated by the relative youth of its members, with most being in their late teens to early 20s, and their prodigiously deviant intrusion capabilities.

CrowdStrike coined the Scattered Spider moniker, the most commonly used name for the group. Other security vendors have dubbed the threat group UNC3944 (Mandiant), Octo Tempest (Microsoft), 0ktapus (Group-IB), Muddled Libra (PAN Unit 42), and Scatter Swine (Okta). CrowdStrike has also classified Scattered Spider as an eCrime adversary, meaning the gang is primarily motivated by financial gain.

Scattered Spider is particularly inventive and adept when it comes to social engineering and navigating cloud environments. A November 2023 joint cybersecurity advisory (CSA) issued by the Federal Bureau of Investigation and the Cybersecurity Infrastructure Agency said these “threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).”

This collective emerged from the toxic “Com” cybercrime ecosystem and cut their teeth conducting multi-million-dollar SIM swap attacks targeting wealthy cryptocurrency investors. The Com itself stems from the Minecraft gamer community, specifically the hardcore factions (HCF) mode of the game. This community of cybercrime-curious gamers began to form sometime around 2016 or 2017.

Many Scattered Spider members are also involved with Com-nexus cybercrime, violence as a service (VaaS), sextortion, and accelerationist syndicates like Lapsus$, 764, and Order of Nine Angels (O9A). In the screenshot from a Com/Scattered Spider-nexus Telegram channel below, threat actor ‘scarlet the meow cat,’ a high-reputation Scattered Spider associate, alleges links between the anti-social arachnids, Lapsus$, and 764. These links have been reported in greater detail by KrebsOnSecurity.

Scarlet the meow cat makes allegations about the leadership of Scattered Spider

Source: Telegram

Scarlet the meow cat discusses the origins of the Com

Source: Telegram

Notably, ‘scarlet the meow cat’ is just one of many aliases used by ‘Judische,’ the infamous cybercriminal that hacked the Snowflake cloud data warehousing service earlier this year. This supply-chain attack led to secondary breaches of at least 165 organizations that used Snowflake for their storage needs. The Snowflake attack further illustrates the vulnerability of cloud environments to Scattered Spider-nexus threat actors.

In fact, CrowdStrike’s “2024 Threat Hunting Report” said that Scattered Spider “remains the most prominent adversary in cloud-based intrusions, conducting 29% of all associated activity observed in 2023.”

According to Bloomberg, research conducted by Austin Larsen, a senior threat analyst at Google, indicates that Judische/scarlet is likely a male in his 20s based in Canada who openly displays Nazi sympathies.

The link between the Snowflake hacker and the Scattered Spider threat actor collective is significant and may indicate that scarlet/Judische commands “shotcaller” style respect from other affiliates of the group. An X (Twitter) alias used by Judische/scarlet, @0psecgod, further insinuates the threat actor’s involvement with the Scattered Spider collective.

0psecgod (AKA Judische/scarlet) boasts about Scattered Spider’s untouchability

Source: X

Scattered Spider threat actors rapidly evolved from SIM swapping frauds to partnering with elite ransomware as a service (RaaS) operators like the now-defunct ALPHV. According to cybersecurity reporter Brian Krebs, this RaaS affiliate partnership was “the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia.”

In the wake of ALPHV’s dissolution earlier this year, a July report from Microsoft claimed that Scattered Spider members are increasingly partnering with RansomHub and Qilin RaaS operators. Scarlet the meow cat, who claims to have previously used the RansomHub locker in their attack campaigns, has said in closed Com Telegram channel chats that this ransomware brand has actually morphed into a partnership between ex-ALPHV members and LockBit.

Scarlet the meow cat alleges a merger between ALPHV and LockBit

Source: Telegram

Over the past year, at least three alleged members of Scattered Spider have been arrested in the U.S., Spain, and the UK, including one suspected ringleader of the gang, 22-year-old Scotsman Tyler “tylerb” Buchanan. In September, a 17-year-old was arrested in the UK on suspicion of hacking Transport for London (TfL), the city’s public transportation agency. The age of the suspect led some prominent cyber-threat intelligence analysts to speculate that the arrest was related to Scattered Spider as well.

10 Scattered Spider TTPs

Eclectic IQ analysts tracked and analyzed cyberattacks targeting identity administrators in cloud environments during the last 18 months, according to the report. The report “findings indicate that SCATTERED SPIDER frequently compromises corporate networks through social engineering tactics against cloud user accounts.”

Eclectic IQ cites 10 primary tactics, techniques and procedures (TTPs) employed by the gang to gain illicit access to cloud infrastructure, including:

  • Accidental cloud authentication token leakage

  • Phishing and smishing campaigns targeting cloud services and high-privileged accounts

  • Credential stealers and initial access brokers

  • SIM swapping attacks to bypass MFA and access SaaS applications

  • Leveraging open-source tools for cloud reconnaissance

  • Abusing cross-tenant synchronization in Microsoft Entra ID

  • Leveraging federated identity providers for persistent access

  • Leveraging remote monitoring and management and protocol tunneling tools

  • Impairing security tools and defense evasion

  • Exploiting Active Directory and cloud identity systems

In the following sections, ExtraHop will elaborate on the three most salient TTPs that emerge from Scattered Spider’s sprawling web.

Accidental Cloud Authentication Token Leakage

Eclectic IQ notes that “accidental credential leakage remains a prevalent method” for gaining unauthorized access to cloud environments. Scattered Spider weaponizes “leaked cloud authentication tokens from publicly exposed code repositories like GitHub due to hardcoded credentials in application code,” according to the report.

Specifically, threat actors run open-source code repositories through automated tools designed to detect sensitive Git “secrets” like API keys, passwords, tokens, and other access credentials.

Fortunately, organizations can mitigate the risk of these types of attacks by leveraging GitHub security tools like “secret scanning.” This tooling helps developers proactively identify exposed secrets.

In the XSS article below, threat actor ‘Bratva,’ a prominent forum administrator, details some of the general methods cloud-conscious adversaries can use to locate and abuse leaked AWS credentials and other secrets in public clouds. Threat intelligence research from RedSense has also previously alleged that Bratva was “one of the main LockBit affiliate promoters” in 2023.

XSS forum administrator Bratva teaches black hats how to find useful things in public clouds

Source: XSS

Notably, Bratva’s XSS article advises forum members to use the GrayHat Warfare cloud search engine to identify open Amazon S3 buckets and comb through their contents. Amazon S3 is one of the most widely used cloud-based services on the market.

Phishing and Smishing Campaigns Target Cloud Services and High-Privileged Accounts

Eclectic IQ’s high-confidence attribution of the observed financial services attack campaigns to Scattered Spider is primarily centered on the automated generation of phishing pages. Specifically, suspected Scattered Spider members operationalized “phishing campaigns to compromise high-privileged user accounts, such as those of IT service desk administrators and cybersecurity teams,” according to Eclectic IQ.

These attacks focused on “cloud-based services like Microsoft Entra ID and AWS EC2,” reported Eclectic IQ. Furthermore, Eclectic IQ said that these threat actors target “Software as a Service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE by deploying phishing pages that closely mimic single sign-on (SSO) portals.”

Dovetailing with these methods, Eclectic IQ analysts noted that these threat actors have been “using SMS phishing (smishing) techniques through text messages.” According to the report, smishing has become a favored tactic for cybercriminals “due to its ability to bypass traditional email filters and directly target users on their mobile devices.” Eclectic IQ observed the use of smishing tactics in campaigns that targeted the insurance and financial services sectors.

The report further elaborated on how these smishing attacks were staged: “Smishing attacks target identity administrators in cloud infrastructures by prompting them to enter credentials for VMware Workspace ONE, a platform critical for application management and identity access policies.”

Additionally, Eclectic IQ noted that these “campaigns typically target victims through SMS messages, tricking them into clicking links that lead to phishing websites aimed at stealing login credentials and intercepting one-time passwords (OTPs).” This method allows attackers to gain unauthorized access to accounts protected by MFA.

According to the report, Scattered Spider’s phishing domains “predominantly use the .com and .net top-level domains (TLDs), often typosquatting legitimate” organizations’ domain names. These domains typically include strings such as “ServiceNow”, “hr”, “corp”, “dev”, “okta”, “sso” and “workspace,” according to the report.
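The naming pattern described above can be turned into a triage rule for newly observed domains. The following is an added example, not code from the Eclectic IQ report or from ExtraHop; the brand name `examplebank`, the sample domains, and the scoring weights are assumptions made for illustration.

```python
import difflib
import re

# Strings and TLDs the report associates with the phishing domains.
REPORT_KEYWORDS = {"servicenow", "hr", "corp", "dev", "okta", "sso", "workspace"}
REPORT_TLDS = {"com", "net"}
FLAG_THRESHOLD = 4  # illustrative weighting, tune against your own data


def score_domain(domain, brand, own_domains):
    """Score one newly observed domain; returns (score, reasons)."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in own_domains):
        return 0, ["own domain"]
    *name_labels, tld = domain.split(".")
    # Split on dots and hyphens so "hr" matches "bank-hr" but not "chrome".
    tokens = [t for t in re.split(r"[.-]", ".".join(name_labels)) if t]
    score, reasons = 0, []
    for tok in tokens:
        if brand in tok:
            score += 2
            reasons.append(f"brand string in '{tok}'")
            break
        if difflib.SequenceMatcher(None, tok, brand).ratio() >= 0.8:
            score += 3
            reasons.append(f"lookalike of brand: '{tok}'")
            break
    hits = sorted(REPORT_KEYWORDS.intersection(tokens))
    if hits:
        score += 2
        reasons.append("keywords: " + ", ".join(hits))
    if tld in REPORT_TLDS:
        score += 1
        reasons.append(f".{tld} TLD")
    return score, reasons


def triage(domains, brand, own_domains):
    """Return flagged (score, domain, reasons) tuples, highest score first."""
    scored = [(score_domain(d, brand, own_domains), d) for d in domains]
    flagged = [(s, d, r) for (s, r), d in scored if s >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda item: -item[0])


# Constructed sample: brand, own domain and observed domains are made up.
SAMPLE = [
    "examplebank-sso.com", "okta-examp1ebank.net", "hr.examplebank.com",
    "chrome-updates.com", "examplebank-workspace.org", "dev-tools.net",
]

if __name__ == "__main__":
    for score, domain, reasons in triage(SAMPLE, "examplebank", {"examplebank.com"}):
        print(score, domain, "; ".join(reasons))
```

The TLD contributes only one point, so a brand-plus-keyword domain on another TLD is still flagged while a keyword on its own is not.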

Credential Stealers and Initial Access Brokers

Not surprisingly, Eclectic IQ uncovered a strong nexus between credential stealers (infostealers) and the suspected Scattered Spider attack campaigns covered in their report. Infostealers were the primary intrusion vector for 61% of all data breaches in 2023, according to recent research published by SpyCloud. The SpyCloud report claimed that 343 million user credentials were compromised by infostealers last year.

Infostealers are relatively primitive malware binaries programmed to swipe credentials and other digital fingerprints from victims. People typically get compromised by infostealers via the downloading of pirated software or streaming media, clicking on malicious phishing links, or interacting with tripwired digital ads. Additionally, platforms like GitHub are increasingly being weaponized by Scattered Spider-linked attackers to spread infostealer infections via malicious code repositories.

According to the Eclectic IQ report, “analysts observed the sale of authentication tokens and user credentials for cloud platforms like AWS, Azure, and GCP on Russian and English-speaking underground forums” like RussianMarket and XSS.

The report said that Scattered Spider operations rely on the following stealer families: Stealc, Raccoon, Vidar, and RedLine. Cloud tokens harvested by these stealers “provide attackers seamless access to cloud resources, bypassing traditional authentication,” according to the report.

In the XSS forum post below, threat actor ‘Sultan,’ the developer of Vidar Stealer, responds to a question related to Scattered Spider from a February 2024 interview with community member ‘defaultuser0’. Sultan uses the alias ‘loadbacks’ on XSS.

XSS interview with Vidar Stealer developer Sultan, also known as ‘loadbacks’

Source: XSS

The interviewer tells Sultan that “U.S. authorities are clearly interested in you,” and shares a screenshot of the 2023 joint FBI-CISA advisory documenting Scattered Spider’s TTPs and the gang’s use of Vidar Stealer.

Pivoting back to Eclectic IQ’s research, their report spotlights the StealC infostealer and how this malware explicitly searches for data related to “.aws and .azure directories in Windows endpoints, which typically contain configuration files and credentials for accessing these cloud services.”

Eclectic IQ also said that “Stealc scans for the %LOCALAPPDATA%\.IdentityService\msal.cache file, where Azure Active Directory tokens are cached.” Armed with these tokens, threat actors can “access cloud resources without going through the usual authentication processes,” said the report.
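The file locations named above give defenders something concrete to watch on endpoints. The following is an added example, not code from the report or from ExtraHop: it flags processes outside an allowlist that read the `.aws`, `.azure` or `msal.cache` locations, and raises severity when one process touches several of them in quick succession. The event tuples, the allowlisted image path and the 60-second window are assumptions.

```python
import re
from collections import defaultdict

# Locations the report says Stealc looks for on Windows endpoints.
WATCHED = {
    "aws": re.compile(r"\\\.aws\\", re.I),
    "azure": re.compile(r"\\\.azure\\", re.I),
    "msal_cache": re.compile(r"\\\.IdentityService\\msal\.cache$", re.I),
}
# Assumption: full image paths expected to read these stores in this estate.
ALLOWED_IMAGES = {r"c:\program files\amazon\awscliv2\aws.exe"}

# Constructed events (ts, host, image, path); not a real product schema.
SAMPLE_EVENTS = [
    (100, "ws-17", r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     r"C:\Users\dana\.aws\credentials"),
    (205, "ws-22", r"C:\Users\lee\AppData\Local\Temp\setup_x64.exe",
     r"C:\Users\lee\.aws\credentials"),
    (207, "ws-22", r"C:\Users\lee\AppData\Local\Temp\setup_x64.exe",
     r"C:\Users\lee\AppData\Local\.IdentityService\msal.cache"),
    (300, "ws-31", r"C:\Users\kim\Downloads\aws.exe",
     r"C:\Users\kim\.aws\config"),
    (310, "ws-31", r"C:\Windows\explorer.exe",
     r"C:\Users\kim\Documents\aws-notes.txt"),
]


def classify(path):
    """Return the name of the watched store a path falls under, or None."""
    for store, pattern in WATCHED.items():
        if pattern.search(path):
            return store
    return None


def detect(events, window=60):
    """Group reads by (host, image); several stores inside window is high."""
    seen = defaultdict(list)
    for ts, host, image, path in events:
        store = classify(path)
        if store and image.lower() not in ALLOWED_IMAGES:
            seen[(host, image)].append((ts, store))
    alerts = []
    for (host, image), hits in sorted(seen.items()):
        stores = sorted({s for _, s in hits})
        span = max(t for t, _ in hits) - min(t for t, _ in hits)
        sweep = len(stores) >= 2 and span <= window
        alerts.append({"host": host, "image": image, "stores": stores,
                       "severity": "high" if sweep else "medium"})
    return alerts


if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The allowlist compares full image paths, so the `aws.exe` running from a Downloads folder is still reported even though its file name matches a legitimate tool.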

Enhancing Cloud Resilience With Modern NDR

Other noteworthy attack signatures linked to these suspected Scattered Spider campaigns include SIM swapping to bypass MFA and access SaaS applications, leveraging RMM and protocol tunneling tools, impairing security tools and defense evasion, and exploiting Active Directory and cloud identity systems.

“To maintain control over compromised environments,” Eclectic IQ notes that Scattered Spider employs a range of RMM tools, as well as “protocol tunneling and proxy tools.” RMM toolsets used by the threat group include AnyDesk, TeamViewer, RustDesk, and MeshCentral.

On the protocol tunneling and proxy side, the group abuses MobaXterm, Ngrok, and Proxifier to “establish SSH connections and create reverse proxies.” This method enables threat actors to bypass network defenses and “maintain a presence within the victim's environment, often using these tunnels to communicate with compromised systems securely,” according to the report.

When it comes to exploiting Active Directory and cloud identity systems, Scattered Spider uses “scripts to enumerate and remove” MFA methods from compromised accounts in Microsoft Entra ID, according to the report. These threat actors also force credential dumping in compromised systems by “creating snapshots of victim servers in Azure or VMware environments” and then using tools like “GoSecretsDumps to extract password hashes and Kerberos keys from domain controllers,” said the report.

Regarding Scattered Spider’s recent suspected targeting of financial services and insurance firms, the International Monetary Fund noted in a report published earlier this year that the “financial sector is uniquely exposed to cyber risk.” The organization clarified, “Given the large amounts of sensitive data and transactions they handle,” financial firms are “often targeted by criminals seeking to steal money or disrupt economic activity.”

IMF research also found that financial firms account for nearly one-fifth of all cyberattacks, “of which banks are the most exposed,” according to the report. Further highlighting the vulnerability of the cloud, the IMF report noted that financial firms are increasingly relying on “third-party IT service providers, and may do so even more with the emerging role of artificial intelligence.”

These external providers, many of which service their customers via API-based SaaS integrations in the cloud, also “expose the financial industry to systemwide shocks,” according to the IMF. Consider, for example, the 2023 ransomware attack on a cloud IT provider that caused concurrent outages at 60 U.S. credit unions.

Given the sophisticated methods operationalized by Scattered Spider actors to compromise sensitive cloud environments, organizations can no longer rely on endpoint detection and response (EDR) and security information and event management (SIEM) tools alone.

A modern network detection and response (NDR) platform like RevealX from ExtraHop provides organizations with expanded visibility and capabilities to evolve their cloud security postures and disentangle themselves from Scattered Spider’s deepening web. RevealX combines full-spectrum packet capture (PCAP), industry-leading protocol decryption capabilities, and cloud-scale machine learning to apply more than one million predictive models when analyzing traffic in real-time.

Additionally, the tool performs behavioral anomaly modeling based on 5,000-plus unique attributes, which are guided by threat intelligence sourced from petabytes of real-world data. RevealX merges these powerful features to secure cloud workloads, detecting all lateral movement in East-West corridors.

Specifically, RevealX can seamlessly detect malicious cloud-conscious activity like server-side request forgery (SSRF) and cross-site request forgery (CSRF) payload attacks, credential enumeration, and data staging and exfiltration. As Scattered Spider deepens its synergies with high-threat RaaS gangs and escalates its big game hunting (BGH) attacks on financial services cloud environments, RevealX has become essential to illuminate EDR’s and SIEM’s blind spots and secure hybrid organizations.

