“Scattered Spider” continues to target publicly listed US companies
May 08, 2024
Scattered Spider is the name assigned to a cybercriminal group known for conducting sophisticated phishing campaigns that target the Okta, Microsoft Entra ID, or VPN credentials of its victim organizations. The group also goes by the aliases 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra.
In November 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) in response to recent activity by the threat actor known as Scattered Spider against the commercial facilities sector and its subsectors. The report can be accessed here: Learn more.
On Feb 29th, Kite Cyber’s Internet Threat Scanner identified malicious activity that we believe to be associated with the threat actor widely recognised as “Scattered Spider”. Our team started digging in and identified a large campaign against a few publicly listed firms.
The initial domains that caught our attention were “chartervpn[.]com” and “charter-vpn[.]com”, which appear to target T-Mobile’s Okta authentication system.
Several other domains were identified by the team using various hunting techniques and our internal sensor data lake. The list of domains and their respective IP addresses is given in the Indicators of Compromise section at the end of the post.
The domains were found to have been created in early April. At the time of writing, the domains did not resolve, but that does not mean they will not be used again. Below is a screenshot of one such page taken earlier (when the pages were still live).
Key Observations:
- Shift from Vultr: Previously, the threat actor was known to use Vultr, a hosting provider widely known for flexible administration, and several domains in the CISA advisory were hosted there. However, the adversary now appears to have shifted away from this provider to DigitalOcean and BL Networks.
- Victim profile: KiteCyber’s Advanced Threat Research (ATR) team has identified T-Mobile (mobile service provider), Asurion (mobile phone insurance provider), Bird Rides (micromobility company) and Bandwidth (Communications Platform as a Service company) as potential victims. All of these potential victims except Asurion are publicly listed companies. The respective companies have been proactively notified of the threat. These companies match the victim profile of Scattered Spider, which is known to target firms specializing in customer relationship management, technology companies, business process outsourcing firms, etc., possibly in a bid to compromise further victims by exploiting the supply-chain relationships these firms hold.
Recommendations:
To prevent: Reach out to us at: info@kitecyber.com
To detect and remediate:
a. Block the listed URLs and IP addresses at your network security controls (proxy, firewall, IDS/IPS). This ensures that if any of these URLs are reused by the adversary, the exploitation attempt will be unsuccessful.
b. Configure multi-factor authentication at your identity provider. This provides basic protection against credential theft. Although a few sophisticated AiTM (adversary-in-the-middle) toolkits, which Scattered Spider is known to have leveraged, can be used to bypass MFA, it still protects against many other attacks (such as credential spraying/stuffing).
c. Continuously monitor your organization’s user and service principal authentication logs to detect suspicious activity.
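As an added example (not from the original post or KiteCyber’s own tooling), one way to act on recommendations a and c: a small Python checker that refangs the post’s indicators and runs them over constructed proxy-style log lines, matching subdomains of the listed domains while ignoring look-alike hosts. The log line format is an assumption.

```python
import re

# Indicators from the post above (defanged); the sample log lines further down are constructed.
DEFANGED_DOMAINS = [
    "chartervpn[.]com", "singtei[.]net", "eclerx-sso[.]com", "asurion-idp[.]com",
    "birdsso[.]com", "login[.]birdsso[.]com", "login[.]x-sso[.]com", "x-sso[.]com",
    "login[.]bandwidthsso[.]com",
]
DEFANGED_IPS = ["104[.]248[.]113[.]206", "134[.]209[.]208[.]248"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into its usable form."""
    return indicator.replace("[.]", ".").lower().strip(".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

def domain_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one. Suffix matching on a
    leading dot avoids false positives on look-alikes such as notbirdsso.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

# Assumed log format: "<timestamp> <src_ip> <dst_ip> <dst_host> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def find_ioc_hits(log_lines):
    """Return (line_no, reason) for every line whose destination hits an IoC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the expected format
        _ts, _src, dst_ip, dst_host, _url = m.groups()
        if domain_matches(dst_host):
            hits.append((n, f"domain:{dst_host}"))
        elif dst_ip in IOC_IPS:
            hits.append((n, f"ip:{dst_ip}"))
    return hits

SAMPLE_LOGS = [  # constructed, not real traffic; documentation IPs for benign hosts
    "2024-05-01T10:00:01Z 10.1.2.3 203.0.113.10 corp.okta.com https://corp.okta.com/app",
    "2024-05-01T10:00:02Z 10.1.2.3 198.51.100.7 login.birdsso.com https://login.birdsso.com/",
    "2024-05-01T10:00:03Z 10.1.2.4 134.209.208.248 unknown http://134.209.208.248/",
    "2024-05-01T10:00:04Z 10.1.2.5 192.0.2.9 notbirdsso.com https://notbirdsso.com/",
]

if __name__ == "__main__":
    for n, reason in find_ioc_hits(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```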
Should you be concerned:
Scattered Spider is well known for targeting top-tier IdPs like Okta, so if you’re concerned about being phished or unsure about prevention, reach out to us at: info@kitecyber.com
Indicators of Compromise:
Domains:
chartervpn[.]com
singtei[.]net
eclerx-sso[.]com
asurion-idp[.]com
birdsso[.]com
login[.]birdsso[.]com
login[.]x-sso[.]com
x-sso[.]com
login[.]bandwidthsso[.]com
IP Addresses:
104[.]248[.]113[.]206
134[.]209[.]208[.]248
Interested in learning more?
Discover how we can assist you by visiting our product website: User Shield
Know the threat actor:
Scattered Spider: https://www.bleepingcomputer.com/news/security/fbi-shares-tactics-of-notorious-scattered-spider-hacker-collective/#
Octo Tempest (alias for Scattered Spider): https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/