ReliaQuest analyzed a Scattered Spider intrusion that spanned cloud and on-prem environments, culminating in data exfiltration and encryption. The attackers used social engineering, Okta/Azure AD abuse, Citrix VDI access, and rapid pivoting with persistence tools to achieve their objectives. #ScatteredSpider #Okta
Key points
- ReliaQuest linked the intrusion to Scattered Spider with high confidence after discovering tools and techniques tied to the group.
- Initial access occurred via social engineering that compromised an IT administrator’s Okta account and included MFA fatigue during sign-in.
- The attack moved from the cloud to on-prem environments in less than one hour, leveraging native enterprise apps and admin privileges.
- SharePoint file/directory discovery, Citrix VDI abuse, and AD exploration enabled deeper pivoting and credential access (ADExplorer, secretsdump).
- Okta/Azure AD abuse and cross-tenant impersonation enabled persistence and broader access; external IdP activation and impersonation attempts were detected.
- On-prem tools and persistence mechanisms (RMM, Ngrok, PDQConnectAgent, ScreenConnect, fleet.io, rsocx) facilitated lateral movement and data exfiltration via 144.76.136.153 and transfer.sh, with LastPass vault access attempts observed.
MITRE Techniques
- [T1566] Phishing – social-engineering to elicit credentials. “social-engineering attack, in which the user’s credentials were reset by the attackers.”
- [T1078] Valid Accounts – gained access to an IT administrator’s account, via Okta single sign-on (SSO). “The intrusion began in the customer’s cloud environment, where the group gained access to an IT administrator’s account, via Okta single sign-on (SSO).”
- [T1110] Brute Force – MFA fatigue attack, attempting four MFA challenges within two minutes. “MFA fatigue attack, attempting four MFA challenges within two minutes. The last challenge resulted in successful authentication.”
- [T1021.001] Remote Services – RDP for lateral movement. “Between these events, we observed the use of RDP for lateral movement to additional hosts.”
- [T1087] Account Discovery – Active Directory (AD) discovery via AD Explorer. “AD Explorer from the Sysinternals website and executed it.”
- [T1003] Credential Dumping – Credential access via tools such as gosecretsdump_win_v0.3.1.exe. “gosecretsdump_win_v0.3.1.exe (credential access).”
- [T1567] Exfiltration Over Web Service – Exfiltration observed via the IP 144.76.136.153 and the domain transfer.sh. “Exfiltration was observed via the IP address 144.76.136[.]153… transfer.sh is associated with this IP address.”
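The MFA fatigue pattern above (several push challenges to one account inside two minutes, the last one approved) is the kind of burst a sign-in log detection can catch. The following is an added example, not code from ReliaQuest or the blog post: it runs over constructed sign-in events in a simplified JSON-lines shape whose field and event names are assumptions for this example, not Okta's System Log schema.

```python
"""Flag MFA-fatigue bursts: >= N push challenges to one user inside a window, then an approval."""
import json
from datetime import datetime, timedelta

# Constructed sample events (simplified shape; field/event names are assumptions).
# The it-admin burst mirrors the report: four challenges in two minutes, last approved.
SAMPLE_LOG = """\
{"ts": "2023-06-01T09:00:05Z", "user": "it-admin", "event": "mfa.push.sent", "ip": "99.25.84.9"}
{"ts": "2023-06-01T09:00:10Z", "user": "it-admin", "event": "mfa.push.denied", "ip": "99.25.84.9"}
{"ts": "2023-06-01T09:00:40Z", "user": "it-admin", "event": "mfa.push.sent", "ip": "99.25.84.9"}
{"ts": "2023-06-01T09:01:12Z", "user": "it-admin", "event": "mfa.push.sent", "ip": "99.25.84.9"}
{"ts": "2023-06-01T09:01:50Z", "user": "it-admin", "event": "mfa.push.sent", "ip": "99.25.84.9"}
{"ts": "2023-06-01T09:01:58Z", "user": "it-admin", "event": "mfa.push.approved", "ip": "99.25.84.9"}
{"ts": "2023-06-01T09:30:00Z", "user": "alice", "event": "mfa.push.sent", "ip": "10.0.0.5"}
{"ts": "2023-06-01T09:30:04Z", "user": "alice", "event": "mfa.push.approved", "ip": "10.0.0.5"}
"""

def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect_mfa_fatigue(log_text, min_pushes=4, window=timedelta(minutes=2)):
    """Return one alert per user who received >= min_pushes challenges within a
    sliding `window` and whose final challenge in that burst was approved."""
    by_user = {}
    for e in parse_events(log_text):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["event"] == "mfa.push.sent"]
        for start in pushes:
            burst = [p for p in pushes if start["ts"] <= p["ts"] <= start["ts"] + window]
            if len(burst) < min_pushes:
                continue
            last = burst[-1]["ts"]
            # Only a burst that ends in an approval is a successful fatigue attack.
            approved = [e for e in evs if e["event"] == "mfa.push.approved"
                        and last <= e["ts"] <= last + window]
            if approved:
                alerts.append({"user": user, "pushes": len(burst), "ip": approved[0]["ip"],
                               "span_seconds": int((last - start["ts"]).total_seconds())})
                break  # one alert per user is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Tune `min_pushes` and `window` to the tenant's baseline; pairing the alert with a new-device or unusual-IP signal, as seen with 99.25.84.9 in this intrusion, cuts false positives from legitimate retries.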
Indicators of Compromise
- [IP] 99.25.84.9 – new device sign-in observed during MFA fatigue attack
- [IP] 144.76.136.153 – exfiltration IP tied to transfer.sh
- [Domain] transfer.sh – exfiltration domain associated with the IP
- [Domain] lastpass.com – attempted access after LastPass page redirects
- [URL] customer.s3.us-east-1.amazonaws.com/lastpass_export%20cleaned.xlsx?X-Amz-Security-Token=[REDACTED] – file downloaded from AWS S3 bucket on VDI
- [Domain] customer.kerberos.okta.com – Okta delegated authentication attempts
- [Domain] customer-admin.okta.com – Okta admin settings access attempts
- [Domain] oinmanager.okta.com – IdP management activity
- [Domain] GenericCitrixAPPServer.customer.com – Citrix VDI server involved in activity
- [File] ADExplorer.exe – downloaded and used for AD discovery
- [File] MobaXterm_Portable_v23.2.zip – used for lateral movement
- [File] WindowsDefenderATPOffboardingPackage_valid_until_2023-XX-XX.zip – defense evasion
- [File] sysadminanywhere.exe – credential/tool access
- [File] gosecretsdump_win_v0.3.1.exe – credential access
- [File] Forensia.exe – defense evasion
- [File] BleachBit.exe – defense evasion
- [Tool] Ngrok – Ngrok tokens or keys observed (token hosted on paste.ee)
- [Domain] paste.ee – hosting location for Ngrok tokens
- [Tool] PDQConnectAgent; ScreenConnect; fleet.io; rsocx – persistence/remote access tools
Read more: https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/