Cloud Ransomware: Scattered Spider Aims at Insurance and Financial Sectors

EclecticIQ analyzes SCATTERED SPIDER, a ransomware-focused cluster targeting cloud infrastructures in the insurance and financial sectors, using social engineering (phishing, smishing, vishing) to compromise high-privileged accounts and gain persistence. The group leverages leaked cloud tokens, SIM swapping, and legitimate cloud tools to maintain access and deploy ransomware, including against VMware ESXi environments. #ScatteredSpider #BlackCat #ALPHV #VMwareESXi #EntraID #Okta #SIMSwapping #TelecomEnemies

Keypoints

  • SCATTERED SPIDER targets cloud infrastructures, particularly in the insurance and financial sectors.
  • Utilizes social engineering techniques like vishing and smishing to manipulate targets.
  • Employs phishing campaigns to compromise high-privileged user accounts.
  • Leverages leaked cloud authentication tokens for unauthorized access.
  • Uses SIM swapping to bypass multi-factor authentication (MFA).
  • Abuses legitimate cloud tools, including a Developer-as-a-Service group, for malicious activity and persistence.
  • Conducts extensive reconnaissance of cloud environments to identify valuable data and stage it for exfiltration.

MITRE Techniques

  • [T1566] Phishing – Phishing campaigns to compromise high-privileged user accounts. “utilising phishing campaigns to compromise high-privileged user accounts.”
  • [T1003] Credential Dumping – Extracts password hashes and Kerberos keys from domain controllers using GoSecretsDump. “Uses tools like GoSecretsDump to extract password hashes and Kerberos keys from domain controllers.”
  • [T1210] Exploitation of Remote Services – Uses Remote Desktop and Remote Monitoring and Management (RMM) tools for lateral movement and control. “Employs Remote Desktop and Remote Monitoring and Management (RMM) tools for lateral movement and control.”
  • [T1041] Data Exfiltration – Exfiltrates via remote storage and ETL tools. “Utilizes remote storage services and ETL tools to exfiltrate sensitive information.”
  • [T1548] Abuse Elevation Control Mechanism – Modifies federated domain settings for persistent access. “Leverages compromised accounts to modify federated domain settings for persistent access.”

Indicators of Compromise

  • [MD5] context – c7497366fd0d8c9d72f96e7190632a51, b233ff9dcf5520d69f9b75e1424f3271, and 4 more hashes
  • [Malware Family] context – Gosecretsdump, Sliver, BlackCat Ransomware, Phishing HTML Template, and 2 more items
  • [Domain] context – revolut-ticket.com, servicenow-help.com, and 7 more domains

Read more: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries