TLP - The Digital Forensics Podcast
Get involved in the exciting world of Digital Forensics and Incident Response with Traffic Light Protocol: The Digital Forensics Podcast.
In each episode we sit down with seasoned DFIR professionals, the blue teamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they have tackled, how they deal with burnout, and the added pressure of the cat-and-mouse game of keeping up with new attack chains.
Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures
In today's episode of TLP - Traffic Light Protocol, Clint Marsden talks about Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures.
Key Takeaways
Understanding Scattered Spider: Scattered Spider, also tracked as Roasted 0ktapus, Octo Tempest and Storm-0875, repurposes legitimate administration tools for malicious ends.
Common Tools and Techniques: They employ tools for reconnaissance (PingCastle, ADRecon), credential dumping (Mimikatz, LaZagne), remote access (ScreenConnect, TeamViewer), and VPN tunnelling (Tailscale).
Social Engineering Tactics: Their methods include impersonating IT or help desk staff, MFA fatigue (MFA bombing), and SIM swapping to gain access.
Persistence Mechanisms: They maintain access through methods such as automatic account linking at a federated identity provider and registering additional MFA factors, which survive a password reset.
Defense Strategies: Implement strong identity verification at the service desk, monitor for unusual activity such as MFA factor changes, and educate users on social engineering and smishing.
Quotes
"By understanding their tactics, techniques, and procedures, or TTPs, you can better defend your network and improve its security posture."
"There's a lot of push on recognizing phishing emails and hovering over links and verifying the sender, but not enough focus on social engineering training for staff."
Action Points
Review Service Desk Processes: Ensure robust identity verification to prevent social engineering.
Monitor for Unusual Activity: Regularly audit and set up automated alerts for suspicious MFA changes or logins.
Educate Users: Conduct training on recognizing phishing and social engineering techniques.
Test Tools in a Lab: Use the mentioned tools to simulate attacks and improve defensive measures by analyzing security logs and infrastructure.
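The two alerts the action points describe (an MFA factor added or reset from outside the user's pattern of life, and an MFA push burst) can be expressed as a few lines of detection logic. The block below is an added example, not code from the podcast or its show notes. It runs over constructed Okta System Log-style events (flattened to a handful of fields); the event-type strings are an assumption to check against your own tenant's schema (Entra ID records the equivalent as audit-log activities such as "User registered security info"), and the ASNs are from the range reserved for documentation, so they match no real network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types roughly as named in the Okta System Log. Assumption: verify these
# against your tenant; other IdPs use different names for the same actions.
FACTOR_CHANGE_EVENTS = {
    "user.mfa.factor.activate",
    "user.mfa.factor.update",
    "user.mfa.factor.reset_all",
}
LOGIN_SUCCESS_EVENT = "user.session.start"
PUSH_SENT_EVENT = "system.push.send_factor_verify_push"

# ASNs treated as anonymizing infrastructure (constructed: AS64496-AS64511 are
# reserved for documentation and never belong to a real provider).
ANONYMIZER_ASNS = {"64510", "64511"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ev(event_type, user, ts, country, asn):
    """One flattened event record (constructed sample data, not real logs)."""
    return {"eventType": event_type, "user": user, "published": ts,
            "country": country, "asn": asn}


def build_baseline(events, now, days=30):
    """Per user: countries and ASNs seen on successful logins in the last `days`."""
    cutoff = now - timedelta(days=days)
    countries, asns = defaultdict(set), defaultdict(set)
    for e in events:
        if e["eventType"] == LOGIN_SUCCESS_EVENT and parse_ts(e["published"]) >= cutoff:
            countries[e["user"]].add(e["country"])
            asns[e["user"]].add(e["asn"])
    return countries, asns


def flag_factor_changes(events, countries, asns):
    """Alert on factor enrolments/resets outside the user's pattern of life.

    Country alone is not enough: a proxy box inside the victim's country still
    shows up as an unfamiliar ASN, so both are checked.
    """
    alerts = []
    for e in events:
        if e["eventType"] not in FACTOR_CHANGE_EVENTS:
            continue
        reasons = []
        if e["country"] not in countries.get(e["user"], set()):
            reasons.append("country_not_in_baseline")
        if e["asn"] not in asns.get(e["user"], set()):
            reasons.append("asn_not_in_baseline")
        if e["asn"] in ANONYMIZER_ASNS:
            reasons.append("anonymizing_proxy")
        if reasons:
            alerts.append({"user": e["user"], "event": e["eventType"],
                           "when": e["published"], "reasons": reasons})
    return alerts


def detect_push_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Users who received >= threshold push challenges inside any `window` (MFA fatigue)."""
    per_user = defaultdict(list)
    for e in events:
        if e["eventType"] == PUSH_SENT_EVENT:
            per_user[e["user"]].append(parse_ts(e["published"]))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


NOW = datetime(2024, 7, 20, 9, 0, 0)

# Constructed sample events: three weeks of normal logins, one legitimate
# enrolment, two suspicious factor changes and one push-bombing burst.
SAMPLE_EVENTS = [
    *[ev(LOGIN_SUCCESS_EVENT, "alice@example.com", f"2024-07-{d:02d}T08:00:00Z", "AU", "64496") for d in range(1, 20)],
    *[ev(LOGIN_SUCCESS_EVENT, "bob@example.com", f"2024-07-{d:02d}T08:30:00Z", "AU", "64497") for d in range(1, 20)],
    *[ev(LOGIN_SUCCESS_EVENT, "dave@example.com", f"2024-07-{d:02d}T09:00:00Z", "AU", "64498") for d in range(1, 20)],
    ev("user.mfa.factor.activate", "dave@example.com", "2024-07-19T09:05:00Z", "AU", "64498"),   # benign
    ev("user.mfa.factor.activate", "alice@example.com", "2024-07-19T23:40:00Z", "AU", "64510"),  # in-country proxy box
    ev("user.mfa.factor.reset_all", "bob@example.com", "2024-07-19T22:10:00Z", "US", "64499"),   # never seen country
    *[ev(PUSH_SENT_EVENT, "charlie@example.com", f"2024-07-19T21:{i // 15:02d}:{(i * 4) % 60:02d}Z", "AU", "64500") for i in range(74)],
    ev(PUSH_SENT_EVENT, "alice@example.com", "2024-07-18T08:00:00Z", "AU", "64496"),
    ev(PUSH_SENT_EVENT, "alice@example.com", "2024-07-18T12:00:00Z", "AU", "64496"),
]


def run_detections(events, now=NOW):
    countries, asns = build_baseline(events, now)
    return {"factor_alerts": flag_factor_changes(events, countries, asns),
            "push_bursts": detect_push_bursts(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(SAMPLE_EVENTS), indent=2))
```

Run against the constructed data, dave's enrolment from his usual network raises nothing, alice's enrolment is flagged even though it comes from Australia (unfamiliar ASN, and one on the anonymizer list), bob's factor reset is flagged on country, and charlie's 74 pushes inside five minutes come back as a burst. Feed the same functions your IdP's real export and the thresholds and window are the only knobs to tune.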
Mentioned Resources
Remote monitoring and management (RMM) tools:
Fleetdeck.io
Level.io
ngrok (MITRE ATT&CK software reference: S0508)
ScreenConnect
Splashtop
TeamViewer
Pulseway
Tactical RMM
Reconnaissance:
PingCastle - https://www.pingcastle.com/
ADRecon - https://github.com/sense-of-security/ADRecon
Advanced IP Scanner - https://www.advanced-ip-scanner.com/
Govmomi - https://github.com/vmware/govmomi
Credential dumpers:
Mimikatz - https://github.com/ParrotSec/mimikatz
Hekatomb - https://github.com/ProcessusT/HEKATOMB
Lazagne - https://github.com/AlessandroZ/LaZagne
gosecretsdump - https://github.com/C-Sto/gosecretsdump
smbpasswd.py - (as part of Impacket) - https://github.com/fortra/impacket/blob/master/examples/smbpasswd.py
LinPEAS - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
ADFSDump - https://github.com/mandiant/ADFSDump
VPN:
Tailscale - Provides virtual private networks (VPNs) to secure network communications
Welcome to today's episode of TLP, the Digital Forensics Podcast. I'm your host, Clint Marsden. Today, we're going full immersion into the TTPs of the notorious threat group, known by some as Roasted 0ktapus, Octo Tempest, or Storm-0875.
You might also recognize them better as Scattered Spider. In this episode, we'll explore how they gain initial access and set up persistence within your environment. This episode is highly technical, so if you've got the opportunity to follow along, I recommend checking out the show notes for links or just googling the terms as I mention them.
The show notes also include links to the tools and techniques that I discuss, and that allows you to conduct your own tests in a lab and see what log entries that they generate. This collaborative approach of running things in a lab and sharing it with the community is how our Blue Team community grows stronger by sharing and testing our findings. Recently, one of the alleged leaders of Scattered Spider was arrested.
Does this mean that their attacks will stop? We don't really know. However, by understanding their tactics, techniques, and procedures, or TTPs, you can better defend your network and improve its security posture. Let's dive right into this episode.
First, let's discuss the legitimate tools that Scattered Spider has repurposed for their campaigns. These tools fall into several categories. Reconnaissance, Credential Dumping, Remote Access, and VPN.
Remote Monitoring and Management tools. The tools that Scattered Spider use in the RMM tool set include Fleetdeck.io, Level.io, ngrok, ScreenConnect, Splashtop, TeamViewer, Pulseway, and Tactical RMM. Now, all of these tools essentially do the same thing, just in a different way.
They allow the desktop to be viewed, they allow full remote control, they generally have some kind of centralized console where all the machines that they're controlling or have access to are listed, and they can simply click on that host name, and then they can get a preview of the desktop, sometimes upload and download files as well. For reconnaissance tools, they use PingCastle, ADRecon, Advanced IP Scanner, and govmomi. For their credential dumpers, they use Mimikatz, Hekatomb, LaZagne, gosecretsdump, smbpasswd.py, which is part of Impacket, LinPEAS, and ADFSDump.
The VPN tool that they're using is Tailscale. So Scattered Spider has been known to employ various social engineering techniques to gain initial access, and here are some of their common tactics. First up, impersonation.
To do this, they will pose as company IT or help desk staff using phone calls or SMS messages, and they will then use that to obtain credentials from employees. MFA fatigue. Once they've got the password, they'll send repeated MFA notification prompts until the employee accepts.
This is also known as MFA bombing. In the case of Scattered Spider, there was a particular instance where they sent out about 74 authentication requests all at once to employees across the same organization. One of their key tactics has been SIM swapping, and they will convince mobile carriers to transfer control of a target's phone number to a SIM card that they control, which then gives them access to MFA prompts.
They'll frequently do this by pretending that they've lost their phone and need to transfer the number, or use a different set of social engineering techniques. One of the ways that you can get past the attack of SIM swapping is to register your account when you're setting up MFA to bind it to a mobile phone using your one-time password MFA app. Something like Google Authenticator from Google.
You've got other apps like Okta Verify, which is if your company has Okta installed as well, and basically the only time that that's going to be a problem is if the device is lost, stolen, or if it's physically dead. Now the other side of this is that you can get one-time password backup codes, and the idea is that you would use these in an emergency. When those codes are generated there might be 20 or so, and they will be put into a safe, and then if you lose your phone, well, you can still get into your services. If you don't have the option to generate those codes, you'll also have an option to recognize or to implement another factor, which is an email account, and that is the other MFA option that you have.
In the same way, you want to make sure that you've also got MFA enabled on the email account that you've got too, so that if they get your work or your corporate password, and then they go to set up MFA, or they are prompted for MFA, they've also got your email password which was used for MFA. I know this sounds like we're going around in a bit of a circle. If your email account, that's your personal account, is used as your second factor, and you've used the same password for your corporate email as your personal email, you can see where this is going.
This is a big problem. You'll also need to make sure that you have another factor on your personal email, whether that's a YubiKey, whether that's Google Authenticator, whatever it is. Again, if we're talking about this use case of if you've lost your phone or it's destroyed, this is not going to be an option, but you will need a second factor on your personal email as well, if that is your backup factor for your corporate email.
What Scattered Spider do, as many threat actors are known to do, is to set up some form of persistence. To get persistent access once they have already performed this compromise, say that they have obtained your password from a big data breach. If we talk about the scenario, they've gained access to your account, they've obtained your password, and now they are needing to set up MFA to ensure persistence.
They might do something like socially engineer the help desk. They might perform that SIM swapping attack. Now that they're in, they need to set up persistent access.
The way that they're going to do that is leveraging a federated identity provider to activate automatic account linking. Now, if you ask what is automatic account linking, a great example is when you go to sign into a new service or you're going to sign up to a new service, and they say, sign in with Google, sign in with Facebook. This is an example of automatic account linking taking place, so that the next time you go to sign in, you just use that same email address.
In the back end, that account relationship has already been set up, and you're in, and that won't be an issue again. This is a problem because once that automatic account linking is set up, what can happen is that even once the password is reset, access is still maintained. That's that persistence.
So it's not just suitable to reset someone's password after a compromise anymore. We also must log in to that SSO identity provider and make sure that a secondary factor that is automatic account linking has not been set up, and it is probably a good idea to reset the MFA token. There's generally a button that you'll be able to click to end all sessions.
This should be rolled into the whole process. So if we talk about what to do when an account compromise is occurring, we want to make sure that the password is reset, all the sessions are expired, regenerate any backup codes, and make sure that there's no additional factors in that account that are unaccounted for. But dialing back from this, where does it even begin? And you can go to one step further, and we can implement things like using a smart card or a YubiKey.
We can continue to push that agenda of getting users to recognize suspicious emails, phishing sites, and social engineering techniques. There's a lot of push on recognizing phishing emails and hovering over links and verifying the sender. Now that doesn't always work because with some of us, so much of us being on our phones these days, and the way that iOS in particular presents an email, it's not always convenient.
It takes a little extra step to actually see who's sending an email. In the past, there's been a case where I was doing some phishing for work and relied upon that fact that the email address was not necessarily visible on the iPhone and was actually successful in getting the target to click the link and off we go. So with the push for phishing education, what are we doing in social engineering education? Deep fakes are more prevalent than ever before.
There was the case of a multi-million dollar transfer to a threat actor by someone in a finance team overseas just a few months ago, and they were tricked on a Zoom call where they had fake video feeds of other executives in the team, and it all looked legitimate. So as the technology is improving, the deep fakes are getting better, the social engineering techniques are getting better, we need to be educating our staff not just on phishing links but also social engineering tactics. There's also monitoring that we can do in the back end at an identity provider level to start looking for things that are weird, like when a multi-factor authentication token is changed, when additional factors are added, and then doing a bit of correlation and starting to see where is that occurring from.
Is it occurring from overseas? Do we do business in that country? Is the user expected to be traveling to that country? Now I can see that in the next 6 to 12 months this will become a lot more prevalent, and we've already started to hear reports about it where threat actors are using proxy boxes in the country of the victim, essentially. So when the SecOps team are looking at logs, we're going through and we go, oh, login from Australia, yep, okay, and then our biases just go, oh, well, it's a login from Australia so it's fine. We're going to have to start thinking a little bit broader than that and actually looking at, right, does this fall within the, I guess we'll call it the pattern of life? Is the IP address that's being logged in from, is this common? Is it the ISP? So starting to think a little bit outside the box in terms of monitoring, and this is something that's going to need to be set up at an automatic level or as part of regular threat hunts, and depending on how big the team is, you might be lucky, you might not be.
What my point is there, threat hunts are great, but you'd have to be doing a threat hunt at the exact time that the incident is occurring, whereas if we've got an automated alert, then you're going to know straight away when multi-factor credentials are being changed. There's also some belt and braces type things where you can restrict access from people logging in from places like Tor or anonymizing proxies as well. So how does the Scattered Spider intrusion go from end to end? They start with a very broad phishing and smishing campaign, and smishing is SMS-based phishing; it doesn't have all the bells and whistles, obviously, it's very short.
Scattered Spider have been known to register domains with the company's name inside the fake domain, or they've used the MFA provider in the domain name as well, and that adds a little bit more legitimacy to getting that across the line, getting the users to click, because they see that company name, it's familiar, they don't make the association, and then they click on that link. If you do respond to this smish, they then may conduct a SIM swapping attack and then use social engineering to gather some more personal information, and with that information they then target the company's IT help desk to reset the passwords and MFA tokens and then add additional MFA factors in as well. So how can we defend against this type of attack? Well, to defend against these tactics you can consider the following measures.
You can review and tighten your service desk processes for password resets. You can ensure that identity verification processes are robust and resistant to social engineering. You can also regularly audit and monitor for unusual activity or unauthorized MFA registrations like I was talking about before, setting up that automation so that the SecOps team receive an alert when an incident of that type occurs.
When someone is resetting their MFA credentials, is it out of character for them? So to recap today's episode, defending against Scattered Spider and other threat actors does require a layered approach, and it involves good security architecture, MFA, user training, well-practiced procedures for the cyber team and continuous monitoring, and by understanding these tools and techniques of threat actors, you can better prepare for that inevitable breach. Don't forget to check all the show notes for all the links and resources that I've mentioned in today's episode. Testing these tools in a lab environment will give you valuable insights into how they operate and how you can defend against them.
You can do things like running these tools and then examining your security logs and security infrastructure to see how that presents and over time you can build that baseline, build up some cheat sheets, share that with the team and then everyone knows what to expect. You can start to see what is normal, what is not normal, get some particular log entries, some particular event IDs and when an incident does occur, you pull those out and they are the first things that you look for. Look through those logs using the lens of are we being attacked by a threat group that follows these particular TTPs and it is a much quicker way to identify whether you are under a particular attack from a particular threat group.
Well, that's all for today's episode. Thank you for listening. I'm your host Clint Marsden and I'll see you next week.