By Adam Koblentz
Ransomware targeting endpoints and on-premises IT infrastructure has been a primary battleground for enterprise security teams in recent years. One of the highest-profile threat actor groups in this space is Scattered Spider, which is also referred to by security vendors and researchers as UNC3944, Scatter Swine, Octo Tempest, 0ktapus, and various other names.
But while successful ransomware attacks against organizations like Caesars and MGM Resorts further increased the group’s profile in 2023, it’s important to note that the group’s power does not come from ransomware itself, which is in many ways a commodity. Rather, Scattered Spider’s unique strength is its skill at executing sophisticated account takeover attacks.
While the group has often used account takeover to introduce ransomware payloads to target organizations in recent years, it has a history of using similar tactics to target software-as-a-service (SaaS) applications. Recent intelligence shared by Mandiant suggests that the group is ramping up its efforts in this area once again.
Let’s explore some of the details behind this escalating threat to SaaS applications, what may be driving it, and what you can do to better protect your SaaS footprint from these types of threats.
A Brief History of Scattered Spider
Scattered Spider has been active since at least May 2022 and has origins in SIM swapping and SMS-based phishing attacks. They appear to be financially motivated, often using data breaches and ransomware as a means to extort financial payment from businesses. They are known for using sophisticated social engineering tactics, including impersonation of IT staff, to gain initial access to target organizations. Many of the group members are believed to be in their late teens and early twenties, a theory supported by two arrests of alleged group members in recent months. In January 2024, U.S. authorities arrested a 19-year-old from Florida with alleged ties to the group. And more recently, in June 2024, the group’s alleged leader, a 22-year-old UK resident, was also arrested. Despite these arrests, continuing activity from the group is expected.
Targeting MGM Resorts with sophisticated account takeover tactics
Scattered Spider made headlines in 2023 with successful ransomware attacks against two prominent casino and entertainment companies, Caesars and MGM Resorts. Caesars opted to pay a $15 million ransom to regain access to its data, while MGM Resorts suffered a 10-day disruption of critical computer systems, extensive customer data exfiltration, and an overall estimated financial impact of $100 million. The MGM Resorts breach is illustrative of the techniques the group uses to defeat modern multi-factor authentication (MFA) controls. The group reportedly researched the company’s privileged users using public data sources like social networks and used this information to impersonate them in calls to the IT help desk. Eventually, they were successful in tricking the company into performing a password reset. Once in, they unleashed ALPHV/BlackCat ransomware across the company’s critical systems, wreaking havoc on business operations and customer experience.
A history of targeting SaaS authentication infrastructure
While the account takeover objective in the MGM Resorts example was ransomware delivery, Scattered Spider has a history of using similar techniques to gain access to widely used SaaS applications. They have been particularly successful at choosing high-value targets where a single breach can be a stepping stone to accessing the SaaS tenants of many customers.
For example, in 2022, Scattered Spider used smishing (SMS-based phishing) and vishing (voice-based phishing) techniques to target employees of Twilio, a developer-focused SaaS provider. Targets were directed to fake login screens from widely used identity and access management (IAM) platforms like Okta, Azure, and Duo Security to capture credentials and gain access to the company’s systems.
One of Twilio’s widely used offerings is backend communications infrastructure that many SaaS companies, including IAM providers like Okta, use to support SMS-based MFA processes. This illustrates that even highly sophisticated IAM and MFA platforms remain highly vulnerable to account takeover attacks by skilled and motivated threat actors and should not be trusted implicitly.
A renewed focus on SaaS attacks in 2024
As noted above, Mandiant recently published new threat intelligence that indicates that Scattered Spider is increasing its focus on SaaS applications, noting that:
In addition to traditional on-premises activity, Mandiant observed pivots into client SaaS applications. UNC3944 used stolen credentials to access SaaS applications protected by single sign-on providers. Mandiant observed unauthorized access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.
Of particular note is Scattered Spider’s focus on IAM platforms like Okta and privileged access management (PAM) products like CyberArk. Like the Twilio example above, successfully breaching these types of platforms has a cascading impact on many organizations’ security. It allows Scattered Spider to repeat the same playbook to gain account access, elevate privileges to advance to their objective, and cover their tracks.
Mandiant also shared a specific example of how Scattered Spider turns organizations’ Okta implementations against them once initial access is secured:
UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications. With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.
Mandiant has observed UNC3944 targeting Active Directory Federated Services (ADFS), when in use, specifically to export the ADFS certificates. With these certificates and through the use of a Golden SAML attack, easier and persistent access to cloud-based applications can occur.
The critical importance of post-auth detection of identity-based attacks in SaaS applications
While it’s impossible to know Scattered Spider’s exact motivation for ramping up its focus on SaaS applications, it likely comes down to several critical factors:
- A sustained focus on ransomware prevention and response by enterprises – and law enforcement – is making these attacks less appealing.
- Organizations are increasingly entrusting highly sensitive information to SaaS platforms.
- Most organizations place too much trust in the effectiveness of preventative identity security measures and do not effectively plan for situations where they are defeated.
- SaaS security is a shared responsibility between the customer, the SaaS provider, and potentially secondary SaaS providers like IAM platforms, which creates operational gray areas that can be exploited.
As Mandiant notes in its recommendations, one of the most important steps organizations can take to mitigate their SaaS application risk is implementing effective post-authentication monitoring in and across SaaS applications to detect account compromises:
Multiple detection opportunities exist to assist with a speedier identification of possible compromise. Mandiant recommends heightened monitoring of SaaS applications, to include centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically about both uptime and the creation of new devices.
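One way to operationalize the Okta-specific detection opportunity described above, as an added example that is not from the original post, Mandiant, or Okta: it scans simplified Okta System Log events for an account assigning itself to many applications in a short window (the self-assignment technique quoted earlier) and lists MFA factor (re)activations for cross-checking. The event-type names follow Okta's System Log vocabulary; the flattened record shape, thresholds, and every sample value are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _assign(ts, actor, user, app):
    """Build a trimmed application.user_membership.add event (constructed, not real data)."""
    return {"eventType": "application.user_membership.add", "published": ts,
            "actor": {"id": actor},
            "target": [{"type": "User", "id": user},
                       {"type": "AppInstance", "displayName": app}]}


# Constructed sample log: one user rapidly adds itself to five apps, an admin
# onboards a colleague normally, and the first user re-activates an MFA factor.
SAMPLE_LOG = [
    _assign("2024-06-20T10:00:00Z", "00uA1", "00uA1", "Salesforce"),
    _assign("2024-06-20T10:01:00Z", "00uA1", "00uA1", "AWS"),
    _assign("2024-06-20T10:02:00Z", "00uA1", "00uA1", "CyberArk"),
    _assign("2024-06-20T10:03:00Z", "00uA1", "00uA1", "vCenter"),
    _assign("2024-06-20T10:04:00Z", "00uA1", "00uA1", "CrowdStrike"),
    _assign("2024-06-20T11:30:00Z", "00uADM", "00uB2", "Salesforce"),  # benign admin action
    {"eventType": "user.mfa.factor.activate", "published": "2024-06-20T09:55:00Z",
     "actor": {"id": "00uA1"}, "target": [{"type": "User", "id": "00uA1"}]},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def self_assignment_sprees(events, min_apps=5, window=timedelta(minutes=10)):
    """Return {actor_id: distinct_app_count} for actors who assigned themselves
    to at least min_apps different applications inside any sliding window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventType"] != "application.user_membership.add":
            continue
        targets = {t["type"]: t for t in ev["target"]}
        user, app = targets.get("User"), targets.get("AppInstance")
        if not user or not app or user["id"] != ev["actor"]["id"]:
            continue  # someone else was assigned, or the event is malformed
        by_actor[ev["actor"]["id"]].append((_ts(ev["published"]), app["displayName"]))
    flagged = {}
    for actor, items in by_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            apps = {name for ts, name in items[i:] if ts - start <= window}
            if len(apps) >= min_apps:
                flagged[actor] = max(flagged.get(actor, 0), len(apps))
    return flagged


def mfa_reenrollments(events):
    """User ids whose MFA factor was (re)activated; correlate with sprees above."""
    return sorted({t["id"] for ev in events if ev["eventType"] == "user.mfa.factor.activate"
                   for t in ev["target"] if t["type"] == "User"})
```

A real pipeline would pull events from the Okta System Log API and tune the threshold per tenant; the point is that an actor adding itself to many application tiles shortly after an MFA change is the pattern Mandiant describes.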
This is our singular focus at Reveal Security. We work with our customers to monitor user behavior across SaaS applications and cloud service providers. By quickly and accurately detecting and alerting on suspicious behavior by authenticated identities, our customers bolster their defenses against the techniques that sophisticated threat actors like Scattered Spider use.
Contact us to learn more about Reveal Security’s approach to detection of identity-based attacks in and across SaaS applications and cloud service providers, to enhance your organization’s cyber resilience.