In September, I highlighted SMS phishing (smishing) attacks which appear to have used telco data as a key element in attacking further systems. At the beginning of December, CrowdStrike published a review of a different, persistent intrusion campaign called ‘Scattered Spider’ that targets telecommunications and business process outsourcing (BPO) companies.
CrowdStrike noted increased targeting of the telco and BPO industries by Scattered Spider since June 2022. Its investigations describe a financially motivated campaign to gain and maintain access while evading detection and response. In particular, the attackers are extremely persistent in trying to get into victim environments, and once in, they typically engage with the victim’s systems every day. CrowdStrike says victims must respond swiftly; otherwise the attackers set up additional persistence mechanisms and/or re-enable accounts the victim has already disabled. In all observed intrusions, the attackers attempted to reach mobile carrier networks from the telco or BPO environment, and in two investigations they utilised SIM swapping.
In most of CrowdStrike’s investigations, initial access was via social engineering: phone calls, SMS and/or Telegram messages in which the attackers impersonated IT staff. The attackers used two methods:
- directing victim users to a fake company website that captures their credentials, or
- instructing them to download a remote monitoring and management (RMM) tool that gives the attacker remote control of their system.
If multi-factor authentication (MFA) was enabled, the attacker would try to persuade the victim user to share their one-time password. If that didn’t work, they tried to induce MFA ‘push-notification fatigue’ by sending MFA prompts continuously until the victim user accepted one.
In one case, the attacker used a victim user’s compromised credentials to access the organisation’s Azure environment and stole further user credentials, which were then used to reach other systems. Another tactic was to exploit CVE-2021-35464, a pre-authentication remote code execution vulnerability in ForgeRock Access Manager (OpenAM), on an application server. This is disappointing, as a patch for this vulnerability was released in October 2021.
CrowdStrike observed that in many cases the attackers accessed the organisation’s MFA console and registered their own devices as trusted MFA devices for users they had already compromised. This gave them a deep level of persistence without a remote access trojan: they could simply keep signing in as the legitimate user and pass MFA with their own device.
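The two MFA abuses above, the push-fatigue burst and the attacker enrolling their own device, leave a correlated trace in identity logs: a run of push challenges ending in an approval, then a new authentication method registered on the same account shortly afterwards. The detector below is an added example for this page, not code from CrowdStrike’s report or the original post. It runs over constructed, simplified identity-log records; the field names (ts, user, ip, event, result, detail) and the thresholds are assumptions, and a real Azure AD or Okta export would need mapping onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, product-neutral shape (assumption: a real
# Azure AD sign-in/audit export or Okta system log carries the same facts under other names).
# Timestamps are ISO 8601 UTC, so string order equals time order.
#   event "mfa_push":     a push challenge was sent; result is the user's answer
#   event "mfa_register": a new authentication method/device was added to the account
SAMPLE_EVENTS = [
    # alice: six prompts in under six minutes, the last one approved, then a new device
    {"ts": "2022-11-30T08:00:05Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T08:01:12Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T08:02:30Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T08:03:41Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T08:04:55Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T08:05:40Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_push", "result": "approved"},
    {"ts": "2022-11-30T08:11:10Z", "user": "alice@corp.example", "ip": "198.51.100.7", "event": "mfa_register", "result": "success", "detail": "Authenticator app"},
    # bob: one prompt, approved, then registers a new phone: ordinary self-service
    {"ts": "2022-11-30T09:30:00Z", "user": "bob@corp.example", "ip": "10.20.0.15", "event": "mfa_push", "result": "approved"},
    {"ts": "2022-11-30T09:32:00Z", "user": "bob@corp.example", "ip": "10.20.0.15", "event": "mfa_register", "result": "success", "detail": "Phone"},
    # carol: five prompts, but spread over 16 minutes, so no 10-minute window holds five
    {"ts": "2022-11-30T07:00:00Z", "user": "carol@corp.example", "ip": "10.20.0.31", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T07:04:00Z", "user": "carol@corp.example", "ip": "10.20.0.31", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T07:08:00Z", "user": "carol@corp.example", "ip": "10.20.0.31", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T07:12:00Z", "user": "carol@corp.example", "ip": "10.20.0.31", "event": "mfa_push", "result": "denied"},
    {"ts": "2022-11-30T07:16:00Z", "user": "carol@corp.example", "ip": "10.20.0.31", "event": "mfa_push", "result": "approved"},
]

# Assumed tuning values; set them from your own baseline of prompts per user.
PUSH_WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5
REGISTER_WINDOW = timedelta(hours=1)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_push_fatigue(events, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Sliding-window count of push challenges per user. For each user who received
    >= threshold prompts inside `window`, return the latest qualifying run and whether
    any prompt in it was approved (the point at which the attacker is in)."""
    pushes_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa_push":
            pushes_by_user[e["user"]].append(e)
    hits = {}
    for user, pushes in pushes_by_user.items():
        start = 0
        for end in range(len(pushes)):
            # slide the left edge forward until the run fits inside the window
            while parse_ts(pushes[end]["ts"]) - parse_ts(pushes[start]["ts"]) > window:
                start += 1
            run = pushes[start:end + 1]
            if len(run) >= threshold:
                hits[user] = {
                    "first": run[0]["ts"],
                    "last": run[-1]["ts"],
                    "prompts": len(run),
                    "approved": any(p["result"] == "approved" for p in run),
                    "ips": sorted({p["ip"] for p in run}),
                }
    return hits


def find_suspicious_registrations(events, fatigue_hits, window=REGISTER_WINDOW):
    """New MFA methods registered within `window` after a push-fatigue burst that ended
    in an approval: the shape of an attacker enrolling their own device."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "mfa_register":
            continue
        hit = fatigue_hits.get(e["user"])
        if not hit or not hit["approved"]:
            continue
        gap = parse_ts(e["ts"]) - parse_ts(hit["last"])
        if timedelta(0) <= gap <= window:
            alerts.append({
                "user": e["user"],
                "registered_at": e["ts"],
                "method": e.get("detail"),
                "ip": e["ip"],
                "same_ip_as_burst": e["ip"] in hit["ips"],
                "minutes_after_burst": gap.total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    hits = find_push_fatigue(SAMPLE_EVENTS)
    for user, hit in hits.items():
        print("push fatigue:", user, hit)
    for alert in find_suspicious_registrations(SAMPLE_EVENTS, hits):
        print("new MFA device after burst:", alert)
```

Carol’s prompts show why the window matters: five declines over a quarter of an hour is a user dismissing a legitimate re-authentication, not a bombardment. Bob’s single approval followed by a new phone is the everyday self-service case the second rule must not fire on; it only fires when the registration follows a qualifying burst.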
The attackers used a wide variety of legitimate RMM tools to maintain persistent access. This is effective because they are common, genuine tools that endpoint security software does not typically alert on or block. According to CrowdStrike, the attackers would often deploy several RMM tools and quickly switch to another if responders blocked the one in use.
In one example, the attackers accessed Azure Active Directory and performed bulk downloads of users and group memberships, which let them identify privileged accounts.
In another, they used an open source tool to create temporary federated credentials for non-existent user names, issued using the credentials of compromised identity and access management (IAM) users. This matters because the federated session shows only the made-up name, which disguises which underlying credential was compromised, and it can let the attacker move between sessions without further MFA challenges.
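The federated-credential trick above is visible in CloudTrail, because STS records the GetFederationToken call made by the IAM user, and every later action under the resulting FederatedUser session names that IAM user as its sessionIssuer. The detector below is an added example for this page, not the tool CrowdStrike describes and not code from the original post. It runs over constructed CloudTrail-style records; the account ID, user names, IP addresses, the allow-list EXPECTED_FEDERATION and the inventory KNOWN_IAM_USERS are all assumptions.

```python
import re
from collections import defaultdict

# Constructed CloudTrail-style records. The field layout (eventName, userIdentity.type,
# sessionContext.sessionIssuer, requestParameters.name) follows CloudTrail's record format;
# account ID, user names and IP addresses are invented for this example. In practice each
# record is one json.loads() of a line from the CloudTrail export.
SAMPLE_CLOUDTRAIL = [
    # an automation user's long-term key suddenly mints a session for a person who does
    # not exist, and that phantom "jsmith" then logs into the console and enumerates IAM
    {"eventTime": "2022-11-30T10:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"name": "jsmith", "durationSeconds": 43200}},
    {"eventTime": "2022-11-30T10:03:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/jsmith",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "ci-deploy"}}}},
    {"eventTime": "2022-11-30T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/jsmith",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "ci-deploy"}}}},
    # the legitimate case: a web app that brokers short, scoped sessions for its tenants
    {"eventTime": "2022-11-30T11:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "support-portal"},
     "requestParameters": {"name": "support-portal-tenant42", "durationSeconds": 3600}},
]

# Assumed allow-list of IAM users that legitimately call GetFederationToken, with the
# federated names each is expected to request. Anything else deserves a look.
EXPECTED_FEDERATION = {"support-portal": re.compile(r"^support-portal-[a-z0-9]+$")}
# Assumed inventory of real IAM user names (from `aws iam list-users` in practice).
KNOWN_IAM_USERS = {"ci-deploy", "support-portal", "alice", "bob"}


def find_suspicious_federation(events, expected=EXPECTED_FEDERATION, known_users=KNOWN_IAM_USERS):
    """Flag GetFederationToken calls outside the allow-list. A federated name that matches
    no real IAM user is the tell described in the report: the console shows a person who
    does not exist rather than the compromised key behind the session."""
    alerts = []
    for e in events:
        if e.get("eventName") != "GetFederationToken":
            continue
        issuer = e.get("userIdentity", {}).get("userName")
        name = e.get("requestParameters", {}).get("name", "")
        pattern = expected.get(issuer)
        if pattern is not None and pattern.match(name):
            continue  # an approved broker requesting an expected name
        reasons = []
        if pattern is None:
            reasons.append(f"IAM user {issuer!r} is not an approved federation broker")
        else:
            reasons.append(f"federated name {name!r} is outside the pattern allowed for {issuer!r}")
        if name not in known_users:
            reasons.append(f"federated name {name!r} matches no real IAM user")
        alerts.append({"time": e["eventTime"], "issuer": issuer, "federated_name": name,
                       "source_ip": e.get("sourceIPAddress"),
                       "duration_seconds": e.get("requestParameters", {}).get("durationSeconds"),
                       "reasons": reasons})
    return alerts


def attribute_federated_activity(events):
    """Group everything done under FederatedUser sessions by federated name and recover
    the IAM user whose long-term key minted the session. That key, not the phantom
    federated identity, is what has to be disabled or rotated."""
    sessions = defaultdict(lambda: {"issuer": None, "actions": []})
    for e in events:
        ui = e.get("userIdentity", {})
        if ui.get("type") != "FederatedUser":
            continue
        name = ui.get("arn", "").rsplit("/", 1)[-1]
        issuer = ui.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        sessions[name]["issuer"] = issuer
        sessions[name]["actions"].append((e["eventTime"], e["eventName"], e.get("sourceIPAddress")))
    return dict(sessions)


if __name__ == "__main__":
    for alert in find_suspicious_federation(SAMPLE_CLOUDTRAIL):
        print("ALERT", alert)
    for name, session in attribute_federated_activity(SAMPLE_CLOUDTRAIL).items():
        print("federated user", name, "minted by", session["issuer"], "->", session["actions"])
```

The attribution function answers the responder’s first question, which long-term credential to pull, and the requested durationSeconds (GetFederationToken allows up to 36 hours for an IAM user) shows how long the attacker asked to keep the session.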
The attackers operate across Windows, Linux, Google Workspace, AzureAD, M365 and AWS environments. They have also accessed SharePoint and OneDrive environments for reconnaissance, specifically searching for VPN information, MFA enrolment information, ‘how to’ guides and helpdesk instructions.
CrowdStrike also noted that the attackers’ own systems, when connecting to victim VPNs, used the generic DESKTOP-<7 alphanumeric characters> naming pattern that Windows assigns to a fresh installation by default, so they blend in with ordinary unmanaged machines. The attackers also made their intrusions less obvious by replicating the victim organisation’s own naming conventions when creating systems in its virtual desktop environment.
Details, Compromise Indicators and Mitigations
The information in CrowdStrike’s report, available here, includes indicators of compromise, the ISPs commonly used by the attackers, and specific advice on mitigation and containment. Use it well!