Scattered Spider, also referred to as UNC3944, Scatter Swine, Muddled Libra, and Roasted Oktapus, is a financially motivated threat actor group that has been active since May 2022. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations. However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations.
Despite this change in targets, Scattered Spider continues to leverage a variety of social engineering tactics, including Telegram and SMS phishing, SIM swapping, MFA fatigue, and other tactics as part of their attacks. This group has often been observed impersonating IT personnel to convince individuals to share their credentials or grant remote access to their computers, has been linked to several past phishing campaigns and deployments malicious kernel drivers – including the use of a signed but malicious version of the Windows Intel Ethernet diagnostics driver.
Tools
Scattered Spider uses POORTRY and STONESTOP to terminate security software and evade detection.
In April 2023, ALPHV (BlackCat) ransomware group usedan updated version of POORTRY to compromise the US payments giant NCR,leading to an outage on its Aloha point of sale platform.
Vulnerability Exploits
Scattered Spider is known to exploit CVE-2015-2291 which is a vulnerability in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys) that allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call. Scattered Spider exploited CVE-2015-2291 to deploy a malicious kernel driver in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).
Additionally, Scattered Spider has exploited CVE-2021-35464 which is a flaw in the ForgeRock AM server. ForgeRock AM server versions before 7.0 have a Java deserialization vulnerability in the jato. page Session parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier. Scattered Spider exploited CVE-2021-35464 to run code and elevate their privileges over the Apache Tomcat user on an AWS instance. This was achieved by requesting and assuming the permissions of an instance role using a compromised AWS token.
Impact
Scattered Spider is known for theft of sensitive data and leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.
Trellix Product Coverage
Trellix Endpoint, Network, and Email Security offers a multi-layered detection strategy for Scattered Spider activities including checks on the IOCs and behavior alanalysis to ensure that any potential threat is discovered and stopped from doing harm to our customers. To stay ahead of new and evolving threats, our products continuously monitor and update their threat intelligence databases. That includes the Trellix Multi-Vector Virtual Execution Engine, a new anti-malware core engine, machine-learning behavior classification and AI correlation engines, real-time threat intelligence from the Trellix Dynamic Threat Intelligence (DTI) Cloud, and defenses across the entire attack lifecycle to keep your organization safer and more resilient.
Trellix Protection
| Product | Signature |
| Endpoint Security (ENS) | LINUX/Agent.bj |
| FireEye Scanner | Trojan.Linux.Generic.289912 |
MITRE ATT&CK Techniques/Sub Techniques
MITRE ATT&CK ENTERPRISE
| INITIAL ACCESS | EXECUTION | PERSISTENSE | PRIVILEGE ESCALATION | DEFENCE EVASION | CREDENTIAL ACCESS | LATERAL MOVEMENT | COLLECTION | EXFILTRATION | IMPACT |
| T1566: Phishing | T1053: Scheduled Task/Job | T1053: Scheduled Task/Job | T1068: Exploitation for Privilege Escalation | T1036: Masquerading | T1056: Input Capture | T1021.001: Remote Services: Remote Desktop Protocol | T1056: Input Capture | T1041: Exfiltration Over C2 Channel | T1496: Resource Hijacking |
| T1133: External Remote Services | T1059: Command and Scripting Interpreter | T1133: External Remote Services | T1134.001: Access Token Manipulation: Token Impersonation/Theft | T1553.002: Subvert Trust Controls: Code Signing | T1210: Exploitation of Remote Services | T1115: Clipboard Data | |||
| T1190: Exploit Public-Facing Application | T1106: Native API | T1176: Browser Extensions | T1053: Scheduled Task/Job | T1134.001: Access Token Manipulation: Token Impersonation/Theft | |||||
| T1195.002: Compromise Software Supply Chain | T1140: Deobfuscate/Decode Files or Information | ||||||||
| T1564: Hide Artifacts |
MITRE ATT&CK MOBILE
| COLLECTION | NETWORK EFFECTS |
| T1616: Call Control | T1451: Sim Card Swap |
Mitigations
1. M1051: Update software
Update software regularly by employing patch management for internal enterprise endpoints and servers to mitigate exploitation risk.
2. M1017: User training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction.
3. M1011: User Guidance
Users should be instructed to use forms of multifactor authentication not subject to being intercepted by a SIM card swap, where possible. More secure methods include application-based one-time passcodes (such as Google Authenticator), hardware tokens, and biometrics. Additionally, users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.
4. M1049: Antivirus/Antimalware
Anti-virus can be used to automatically quarantine suspicious files.
5. M1040: Behavior Prevention on Endpoint
Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).
6. M1045: Code Signing
Require signed binaries and enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
7. M1038: Execution Prevention
Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. Additionally, consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.
8. M1021: Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
9. M1022: Restrict File and Directory Permissions
Use file system access controls to protect folders such as C:\Windows\System32.
10. M1042: Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
11. M1048: Application Isolation and Sandboxing
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualizations and application micro segmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.
12. M1031: Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.
13. M1032: Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator.
14. M1050: Exploit Protection
Security applications that look for behavior used during exploitation can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.
15. M1019: Threat Intelligence Program
Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.
16. M1026: Privileged Account Management
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.
17. M1018: User Account Management
Restrict users and accounts to the least privileges they require. An adversary must already have administrator level access on the local system to make full use of this technique.
18. M1047: Audit
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.
19. M1028: Operating System Configuration
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.
20. M1035: Limit Access to Resource Over Network
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
21. M1030: Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
22. M1033: Limit Software Installation
Block users or groups from installing unapproved software.
23. M1016: Vulnerability Scanning
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
24. M0810: Out-of-Band Communications Channel
Have alternative methods to support communication requirements during communication failures and data integrity attacks.
25. M1057: Data Loss Prevention
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.
Covered By: NCN MAGAZINE / Trellix
If you have an interesting Article / Report/case study to share, please get in touch with us at [email protected] [email protected], 9811346846/9625243429.
The post Scattered Spider: The Modus Operandi appeared first on NCNONLINE.
