BitsnBytes Fall2023
One instance is Scattered Spider's campaign against the telecommunications (Telco) and business process outsourcing (BPO) industries, with financially motivated attacks since June 2022, according to CrowdStrike. Below is a summary timeline outlining a sampling of intrusions to which CrowdStrike Services responded.

Timeline markers: June 2022, September 2022, October 2022, November 2022

Intrusion 1
Initial Access: Phone calls impersonating IT to harvest credentials
Persistence: Citrix access using an adversary system, VPN using an adversary-registered MFA device, commercial remote access utilities
Target: Gain access to mobile carrier networks and SIM card information

Intrusion 2
Initial Access: Azure access using stolen credentials; unknown how the credentials were initially compromised
Persistence: Compromised credential used with a single-factor VPN, commercial remote access utilities
Target: Gain access to mobile carrier networks

Intrusion 3
Initial Access: CVE-2021-35464 used to exploit a ForgeRock OpenAM application server
Persistence: AWS key theft, IAM manipulation
Target: Gain access to mobile carrier networks

Intrusion 4
Initial Access: Telegram message impersonating IT to harvest credentials
Persistence: Single-factor VPN access, commercial remote access utilities
Target: Gain access to mobile carrier network

Intrusion 5
Initial Access: Phone calls impersonating IT to induce customer service staff to run commercial remote access tools (ZohoAssist and GetScreen)
Persistence: RattyRat Trojan, commercial remote access utilities
Target: Gain access to mobile carrier networks and SIM card information

Challenges Faced by Security Experts

MFA Fatigue and Overwhelming Speed: The group employs tactics like MFA fatigue, bombarding victims with identity confirmation alerts until they comply.

Motivations beyond Finance: Contrary to typical cybercriminal motives, Scattered Spider's actions seem geared more toward power, influence, and notoriety than monetary gain, which requires more complex response strategies than traditional tactics.

Intimidation Tactics: Scattered Spider employs tactics beyond typical cyber intrusions, such as leaving threatening messages on the victim organization's systems, contacting staff through various channels, and even resorting to swatting (fake emergency calls to executives' homes).

Elusive Identity: Scattered Spider's location and identity remain unknown, but based on the criminals' chats with victims and clues from CrowdStrike's breach investigations, Meyers said they mainly consist of 17- to 22-year-olds from Western countries.

Sources: Reuters, CrowdStrike