By Trellix · August 17, 2023
This story was also written by Phelix Oluoch
Executive Summary
Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations. However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations.
Despite this change in targets, Scattered Spider continues to leverage a variety of social engineering tactics, including Telegram and SMS phishing, SIM swapping, MFA fatigue, and other tactics as part of their attacks. This group has often been observed impersonating IT personnel to convince individuals to share their credentials or grant remote access to their computers, has been linked to several past phishing campaigns and deployments of malicious kernel drivers – including the use of a signed but malicious version of the Windows Intel Ethernet diagnostics driver.
This blog takes a deep dive into the modus operandi of Scattered Spider; the recent events and tools leveraged by the threat actor, vulnerabilities exploited, and their impact. Additionally, the MITRE ATT&CK Techniques/Sub-Techniques and their mitigations. Finally, the known associated indicators of compromise that can be used to implement detection, prevention, and response strategies.
Recent Events
Scattered Spider typically exploits vulnerabilities such as CVE-2015-2291 and utilize tools like STONESTOP and POORTRY to terminate security software and evade detection.1 The group demonstrates a deep understanding of the Azure environment and leverages built-in tools for their attacks.2 Once initial access has been gained, Scattered Spider has been observed conducting reconnaissance of various environments, including Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS, as well as conducting lateral movement and downloading additional tools to exfiltrate VPN and MFA enrollment data in select cases. The group has also been known to establish persistence through legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control.3
By January 2023, Scattered Spider was involved in more than half a dozen incidents from mid-2022 where large outsourcing firms serving high-value cryptocurrency institutions and individuals were targeted.4
In December 2022, Scattered Spider conducted campaigns targeting telecom and BPO organizations.5 The objective of the campaign appeared to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity. Initial access was varied: Social engineering using phone calls and text messages to impersonate IT personnel, and either directing victims to a credential harvesting site or directing victims to run commercial Remote Monitoring and Management (RMM) tools. The campaigns were extremely persistent and brazen. Once the adversary was contained or operations are disrupted, they immediately moved to target other organizations within the telecom and BPO sectors.6
In the same month, their use of attestation signing to sign malware was discovered.7 Microsoft disclosed the steps they took to implement blocking protections and suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program. The problem was initiated after Microsoft was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware.8
In August 2022, Twilio identified unauthorized access to information related to 163 Twilio customers, including Okta. Mobile phone numbers and associated SMS messages containing one-time passwords were accessible to Scattered Spider via the Twilio console. The phishing kit used by the threat actor was designed to capture usernames, passwords, and OTP factors and targeted technology companies, telecommunications providers and organizations and individuals linked to cryptocurrency.9
Tools
Scattered Spider uses POORTRY and STONESTOP to terminate security software and evade detection.10
- POORTRY is a malicious driver used to terminate selected processes on Windows systems, e.g., Endpoint Detection and Response (EDR) agent on an endpoint.11 To evade detection, attackers have signed POORTRY driver with a Microsoft Windows Hardware Compatibility Authenticode signature.12
- STONESTOP is a Windows userland utility that attempts to terminate processes by creating and loading a malicious driver.13 It functions as both a loader/installer for POORTRY, as well as an orchestrator to instruct the driver with what actions to perform.14
In April 2023, ALPHV (BlackCat) ransomware group used an updated version of POORTRY to compromise the US payments giant NCR, leading to an outage on its Aloha point of sale platform.15, 16
Vulnerability Exploits
Scattered Spider is known to exploit CVE-2015-2291 which is a vulnerability in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys) that allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.17 Scattered Spider exploited CVE-2015-2291 to deploy a malicious kernel driver in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).18
Additionally, Scattered Spider has exploited CVE-2021-35464 which is a flaw in the ForgeRock AM server. ForgeRock AM server versions before 7.0 have a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.19 Scattered Spider exploited CVE-2021-35464 to run code and elevate their privileges over the Apache Tomcat user on an AWS instance. This was achieved by requesting and assuming the permissions of an instance role using a compromised AWS token.20
Impact
Scattered Spider is known for theft of sensitive data and leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.21
Trellix Product Coverage
Trellix Endpoint, Network, and Email Security offers a multi-layered detection strategy for Scattered Spider activities including checks on the IOCs and behavioral analysis to ensure that any potential threat is discovered and stopped from doing harm to our customers. To stay ahead of new and evolving threats, our products continuously monitor and update their threat intelligence databases. That includes the Trellix Multi-Vector Virtual Execution Engine, a new anti-malware core engine, machine-learning behavior classification and AI correlation engines, real-time threat intelligence from the Trellix Global Threat Intelligence (GTI) and Dynamic Threat Intelligence (DTI) Cloud, and defenses across the entire attack lifecycle to keep your organization safer and more resilient.
Trellix Protection
Product
Signature
Endpoint Security (ENS)
LINUX/Agent.bj
FireEye Scanner
Trojan.Linux.Generic.289912
MITRE ATT&CK Techniques/Sub Techniques
MITRE ATT&CK ENTERPRISE
INITIAL ACCESS |
EXECUTION |
PERSISTENSE |
PRIVILEGE ESCALATION |
DEFENCE EVASION |
CREDENTIAL ACCESS |
LATERAL MOVEMENT |
COLLECTION |
EXFILTRATION |
IMPACT |
T1566: Phishing |
T1053: Scheduled Task/Job |
T1053: Scheduled Task/Job |
T1068: Exploitation for Privilege Escalation |
T1036: Masquerading |
T1056: Input Capture |
T1021.001: Remote Services: Remote Desktop Protocol |
T1056: Input Capture |
T1041: Exfiltration Over C2 Channel |
T1496: Resource Hijacking |
T1133: External Remote Services |
T1059: Command and Scripting Interpreter |
T1133: External Remote Services |
T1134.001: Access Token Manipulation: Token Impersonation/Theft |
T1553.002: Subvert Trust Controls: Code Signing |
T1210: Exploitation of Remote Services |
T1115: Clipboard Data |
|||
T1190: Exploit Public-Facing Application |
T1106: Native API |
T1176: Browser Extensions |
T1053: Scheduled Task/Job |
T1134.001: Access Token Manipulation: Token Impersonation/Theft |
|||||
T1195.002: Compromise Software Supply Chain |
T1140: Deobfuscate/Decode Files or Information |
||||||||
T1564: Hide Artifacts |
MITRE ATT&CK MOBILE
COLLECTION
NETWORK EFFECTS
T1616: Call Control
T1451: Sim Card Swap
Mitigations
- M1051: Update software:
Update software regularly by employing patch management for internal enterprise endpoints and servers to mitigate exploitation risk.22 - M1017: User training.
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction.23 - M1011: User Guidance:
Users should be instructed to use forms of multifactor authentication not subject to being intercepted by a SIM card swap, where possible. More secure methods include application-based one-time passcodes (such as Google Authenticator), hardware tokens, and biometrics. Additionally, users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.25 - M1049: Antivirus/Antimalware
Anti-virus can be used to automatically quarantine suspicious files.26 - M1040: Behavior Prevention on Endpoint
Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).27 - M1045: Code Signing
Require signed binaries28 and enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.29 - M1038: Execution Prevention
- Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.30 Additionally, consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.31
- M1021: Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.32 - M1022: Restrict File and Directory Permissions
Use file system access controls to protect folders such as C:WindowsSystem32.33 - M1042: Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.34 - M1048: Application Isolation and Sandboxing
- Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualizations and application micro segmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.35
- M1031: Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.36 - M1032: Multi-factor Authentication
Security applications that look for behavior used during exploitation can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.37 - M1050: Exploit Protection
Use intrusion detection signatures to block traffic at network boundaries.38 - M1019: Threat Intelligence Program
Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.39 - M1026: Privileged Account Management
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.40 Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.41 - M1018: User Account Management
Restrict users and accounts to the least privileges they require. An adversary must already have administrator level access on the local system to make full use of this technique.42 - 18. M1047: Audit
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 43 - M1028: Operating System Configuration
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM . The associated Registry key is located at HKLMSYSTEMCurrentControlSetControlLsaSubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled.44 - M1035: Limit Access to Resource Over Network
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.45 - M1030: Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.46 - M1033: Limit Software Installation
Block users or groups from installing unapproved software.47 - M1016: Vulnerability Scanning
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.48 - M0810: Out-of-Band Communications Channel
Have alternative methods to support communication requirements during communication failures and data integrity attacks.49 - M1057: Data Loss Prevention
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.50
IOCs
IPV4
IPV4
Description
100.35.70.106
Adversary remote access
104.247.82.11
Adversary remote access
105.101.56.49
Adversary remote access
105.158.12.236
Adversary remote access
119.93.5.239
Adversary remote access
134.209.48.68
Adversary remote access
136.144.19.51
Adversary MFA registration
136.144.43.81
Adversary remote access
137.220.61.53
Adversary remote access
138.68.27.0
Adversary remote access
141.94.177.172
Adversary remote access
142.93.229.86
Adversary remote access
143.244.214.243
Adversary remote access
144.76.136.153
IP associated with transfer.sh used for data exfil
146.190.44.66
Adversary remote access
146.70.103.228
Adversary MFA registration
146.70.107.71
Adversary remote access
146.70.112.126
Adversary remote access
146.70.127.42
Adversary MFA registration
146.70.45.166
Adversary remote access
146.70.45.182
Adversary remote access
149.28.125.96
Adversary remote access
152.89.196.111
Adversary remote access
157.245.4.113
Adversary remote access
159.223.208.47
Adversary remote access
159.223.213.174
Adversary remote access
159.223.238.0
Adversary remote access
162.118.200.173
Adversary remote access
162.19.135.215
Adversary remote access
164.92.234.104
Adversary remote access
165.22.201.77
Adversary remote access
165.22.201.77
Adversary remote access
165.22.201.77
Adversary remote access
167.99.221.10
Adversary remote access
169.150.203.51
Adversary remote access
172.96.11.245
Adversary remote access
172.98.33.195
Adversary remote access
173.239.204.129
Adversary MFA registration
173.239.204.130
Adversary remote access
173.239.204.131
Adversary MFA registration
173.239.204.132
Adversary remote access
173.239.204.133
Adversary remote access
173.239.204.134
Adversary remote access
180.190.113.87
Failed adversary login
185.120.144.101
Adversary remote access
185.123.143.197
Adversary remote access
185.123.143.201
Adversary remote access
185.123.143.205
Adversary remote access
185.123.143.217
Adversary remote access
185.156.46.141
Adversary remote access
185.181.102.18
Adversary remote access
185.195.19.206
Adversary remote access
185.195.19.207
Adversary remote access
185.202.220.239
Adversary remote access
185.202.220.65
Adversary remote access
185.240.244.3
Registered authenticator app and adversary VPN logins
185.243.218.41
Adversary remote access
185.247.70.229
Adversary remote access
185.45.15.217
Adversary remote access
185.56.80.28
Adversary remote access
185.56.80.28
Adversary remote access
188.166.101.65
Reverse SSH tunnel
188.166.117.31
Adversary remote access
188.166.92.55
Adversary remote access
188.214.129.7
Adversary remote access
192.166.244.248
Adversary remote access
193.149.129.177
Adversary remote access
193.27.13.184
Adversary remote access
193.37.255.114
Adversary remote access
194.37.96.188
Adversary remote access
195.206.105.118
Adversary remote access
195.206.107.147
Adversary remote access
198.44.136.180
Azure MFA registration
198.54.133.45
Adversary remote access
198.54.133.52
Adversary remote access
207.148.0.54
Adversary remote access
213.226.123.104
Adversary remote access
217.138.198.196
Adversary remote access
217.138.222.94
Adversary remote access
23.106.248.251
Adversary remote access
31.222.238.70
Adversary remote access
35.175.153.217
Adversary remote access
35.175.153.217
Adversary remote access
37.19.200.142
Adversary remote access
37.19.200.151
Adversary remote access
37.19.200.155
Adversary remote access
45.132.227.211
Adversary remote access
45.132.227.213
Adversary remote access
45.134.140.171
Adversary IP used to download documents from victim SharePoint
45.134.140.177
Adversary remote access
45.156.85.140
Adversary remote access
45.156.85.140
Adversary remote access
45.32.221.250
Adversary remote access
45.86.200.81
Adversary remote access
45.91.21.61
Adversary remote access
5.182.37.59
Adversary remote access
51.210.161.12
Adversary remote access
51.89.138.221
Adversary MFA registration
62.182.98.170
Adversary remote access
64.190.113.28
Adversary remote access
64.227.30.114
Adversary remote access
67.43.235.122
Adversary remote access
68.235.43.20
Adversary remote access
68.235.43.21
Adversary remote access
68.235.43.38
Failed adversary login activity
79.137.196.160
Adversary remote access
82.180.146.31
Failed adversary login activity
83.97.20.88
Adversary remote access
89.46.114.164
Failed adversary login activity
89.46.114.66
Adversary remote access
91.242.237.100
Adversary remote access
92.99.114.231
Adversary remote access
93.115.7.238
Adversary remote access
98.100.141.70
Adversary remote access
IPV6
IPV6
Description
2a01:4f8:200:1097::2
IPv6 associated with transfer.sh used for data exfiltration
CIDR
CIDR
Description
2a01:4f8:200:1097::2
IPv6 associated with transfer.sh used for data exfiltration
SHA256
SHA256
File Name
Description
N/A
change.m31!!!
Password used by adversary extensively
3ea2d190879c8933363b222c686009b81ba8af9eb6ae3696d2f420e187467f08
<redacted>.exe
Packed Fleet Deck binary
cce5e2ccb9836e780c6aa075ef8c0aeb8fec61f21bbef9e01bdee025d2892005
IIatZ
Backconnect TCP malware used to read and execute shellcode from C2, executed via OpenAM exploit
acadf15ec363fe3cc373091cbe879e64f935139363a8e8df18fd9e59317cc918
insomnia.exe
API debugging utility
N/A
linpeas.log
LINPeas Local Privilege Escalation Enumeration tool output log
N/A
linpeas.sh
LINPeas Local Privilege Escalation Enumeration tool
982dda5eec52dd54ff6b0b04fd9ba8f4c566534b78f6a46dada624af0316044e
lockhuntersetup_3-4-3.exe
File unlocking tool (for deletion of locked files)
443dc750c35afc136bfea6db9b5ccbdb6adb63d3585533c0cf55271eddf29f58
mpbec
“Midgetpack” packed binary used to establish connections to 67.43.235.122 on ports 4444 and 8888
References
1https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-drivers-used-in-blackcat-ransomware-attacks/
2https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-console-for-stealthy-access-to-vms/
3https://occamsec.com/scattered-spider-iocs/
4https://unit42.paloaltonetworks.com/muddled-libra/
5https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
5https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
7https://thehackernews.com/2022/12/ransomware-attackers-use-microsoft.html
8https://msrc.microsoft.com/update-guide/vulnerability/ADV220005
9https://sec.okta.com/scatterswine
https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-drivers-used-in-blackcat-ransomware-attacks/
10https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
11https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/
12https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
13https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/
14https://securityaffairs.com/146536/malware/blackcat-ransomware-uses-kernel-driver.html
15https://status.aloha.ncr.com/incidents/cnl38krr6n6b
16https://nvd.nist.gov/vuln/detail/CVE-2015-2291
17https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
18https://nvd.nist.gov/vuln/detail/CVE-2021-35464
19https://www.sisainfosec.com/threat-a-licious/scattered-spider-a-sophisticated-threat-actor-that-can-reverse-defense-mitigation/#:~:text=Scattered%20Spider%2C%20a%20financially%20motivated,sites%2C%20and%20employing%20MFA%20fatigue.
20https://unit42.paloaltonetworks.com/muddled-libra/
21https://attack.mitre.org/mitigations/M1051/
22https://attack.mitre.org/mitigations/M1017/
23https://cyber-kill-chain.ch/mitigations/M1011/
24https://attack.mitre.org/mitigations/M1011/
25https://attack.mitre.org/mitigations/M1049/
26https://attack.mitre.org/mitigations/M1040/
27https://attack.mitre.org/mitigations/M1045/
28https://attack.mitre.org/mitigations/M0945/
29https://attack.mitre.org/mitigations/M1038/
31https://attack.mitre.org/mitigations/M1038/
32https://attack.mitre.org/mitigations/M1021/
33https://attack.mitre.org/mitigations/M1022/
34https://attack.mitre.org/mitigations/M1042/
35https://attack.mitre.org/mitigations/M1048/
36https://attack.mitre.org/mitigations/M1031/
37https://attack.mitre.org/mitigations/M1032/
38https://attack.mitre.org/mitigations/M1050/
39https://attack.mitre.org/mitigations/M1019/
40https://attack.mitre.org/techniques/T1134/
41https://attack.mitre.org/mitigations/M1026/
42https://attack.mitre.org/mitigations/M1018/
43https://attack.mitre.org/mitigations/M1047/
44https://attack.mitre.org/mitigations/M1028/
45https://attack.mitre.org/mitigations/M1035/
46https://attack.mitre.org/mitigations/M1030/
47https://attack.mitre.org/mitigations/M1033/
48https://attack.mitre.org/mitigations/M1016/
49https://attack.mitre.org/mitigations/M0810/
50https://attack.mitre.org/mitigations/M1057/