Full Report
In the past year, cross-domain attacks have gained prominence as an emerging tactic among adversaries. These operations exploit weak points across multiple domains – including endpoints, identity systems and cloud environments – so the adversary can infiltrate organizations, move laterally and evade detection. eCrime groups like SCATTERED SPIDER and North Korea-nexus adversaries such as FAMOUS
Analysis Summary
# Tool/Technique: Cross-Domain Attack Tactics (Leveraging Legitimate Identities/Tools)
## Overview
Adversaries are increasingly employing cross-domain attacks, which exploit vulnerabilities across interconnected domains such as endpoints, identity systems, and cloud environments. The core premise of these attacks is leveraging compromised legitimate credentials ("logging in" instead of "breaking in") to gain initial access and then pivoting across these domains to move laterally and escalate privileges while blending in with legitimate activity.
## Technical Details
- Type: Technique
- Platform: Hybrid environments (Endpoints, Identity Providers (e.g., Entra ID, Okta), Cloud Services, SaaS Applications)
- Capabilities: Lateral movement, Privilege Escalation, Evasion by blending with legitimate processes and tools.
- First Seen: Gained prominence over the past year (relative to the article context).
## MITRE ATT&CK Mapping
The tactics described align heavily with initial access, credential access, defense evasion, and lateral movement:
- **TA0001 - Initial Access**
  - T1133 - External Remote Services (Implied via remote login using compromised credentials)
- **TA0006 - Credential Access**
  - T1110 - Brute Force (Potential precursor, though focus is on *compromised* credentials)
- **TA0005 - Defense Evasion**
  - T1036 - Obfuscated Files or Information (Implied by blending with legitimate processes, though not explicitly detailed)
- **TA0008 - Lateral Movement**
  - T1021 - Remote Services
## Functionality
### Core Capabilities
- **Credential Exploitation:** Gaining initial access by using compromised, legitimate credentials, allowing adversaries to "log in."
- **Domain Pivoting:** Moving between different security and operational domains (endpoint, identity, cloud) post-infiltration.
- **Evasion:** Leveraging legitimate tools and processes native to the environment to make detection difficult.
### Advanced Features
- **Exploiting Security Gaps:** Targeting the disconnects and blind spots created by security tools that address only fragments of the identity landscape (e.g., gaps between IAM teams and SecOps teams).
- **Hybrid Environment Focus:** Successfully traversing security boundaries in hybrid IT landscapes (on-premises to cloud/SaaS).
## Indicators of Compromise
The article does not list specific file hashes or network indicators related to a single malware variant, as it focuses on a high-level cross-domain TTP.
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided (Focus is on using legitimate services/identity protocols)]
- Behavioral Indicators: Anomalous activity following a legitimate login; excessive pivoting between identity stores, endpoint activity, and cloud resource access.
## Associated Threat Actors
- SCATTERED SPIDER (eCrime group)
- FAMOUS CHOLLIMA (North Korea-nexus adversary)
## Detection Methods
Detection relies heavily on unified visibility and behavioral analysis across identity, endpoint, and cloud telemetry.
- Signature-based detection: [Not primary focus]
- Behavioral detection: Crucial for detecting anomalous use of legitimate credentials (e.g., abnormal session scope, access timing, or lateral movement patterns following login).
- YARA rules: [Not provided]
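The behavioral indicators above (anomalous activity after a legitimate login, excessive pivoting between identity stores, endpoint activity, and cloud resources) only become detectable once the three telemetry sources are joined on the user identity. The following is an added illustration, not code from the article or from any vendor platform: it normalises constructed identity, endpoint, and cloud events into one schema, groups each login with the activity that follows it, and scores the session against an assumed per-user baseline along the three axes the text names (session scope, access timing, lateral-movement pattern). The event fields, the baseline, the 30-minute window, and the two-signal threshold are all assumptions for the example.

```python
"""Cross-domain behavioural correlation over constructed sample telemetry.

Added example (not from the article or any product). Assumptions: a normalised
event tuple (timestamp, source, user, action, detail), a per-user baseline that
a real pipeline would learn from history, and the thresholds below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources. "alice" is ordinary hybrid work
# that legitimately touches all three domains; "bob" is a compromised identity.
EVENTS = [
    ("2024-05-06T09:02:00", "identity", "alice", "login", "10.0.5.21"),
    ("2024-05-06T09:10:00", "endpoint", "alice", "process", "WS-ALICE:outlook.exe"),
    ("2024-05-06T09:12:00", "cloud", "alice", "api_call", "s3:GetObject"),
    ("2024-05-06T03:14:00", "identity", "bob", "login", "203.0.113.9"),
    ("2024-05-06T03:15:00", "endpoint", "bob", "remote_session", "SRV-FILE01"),
    ("2024-05-06T03:17:00", "endpoint", "bob", "remote_session", "SRV-DB02"),
    ("2024-05-06T03:18:00", "cloud", "bob", "api_call", "iam:CreateAccessKey"),
    ("2024-05-06T03:19:00", "cloud", "bob", "api_call", "s3:ListBuckets"),
]

# Assumed baseline: usual source network prefixes, usual working hours, and how
# many distinct hosts a user's session normally reaches.
BASELINE = {
    "alice": {"nets": {"10.0.5."}, "hours": range(7, 20), "hosts": 1},
    "bob": {"nets": {"10.0.7."}, "hours": range(8, 19), "hosts": 1},
}
WINDOW = timedelta(minutes=30)   # activity attributed to a login
MIN_REASONS = 2                  # one weak signal alone is tolerated


def parse(events):
    """Return events as (datetime, source, user, action, detail), oldest first."""
    return sorted((datetime.fromisoformat(ts), src, user, act, det)
                  for ts, src, user, act, det in events)


def sessions(events):
    """Pair every identity-provider login with the same user's non-login activity
    inside WINDOW, regardless of which domain produced that activity."""
    by_user = defaultdict(list)
    for ev in parse(events):
        by_user[ev[2]].append(ev)
    out = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev[1] == "identity" and ev[3] == "login":
                tail = [e for e in evs[i + 1:]
                        if e[0] - ev[0] <= WINDOW
                        and not (e[1] == "identity" and e[3] == "login")]
                out.append((user, ev, tail))
    return out


def session_reasons(user, login, tail, baseline):
    """Score one session against the user's baseline: timing, scope, movement."""
    prof = baseline[user]
    reasons = []
    if login[0].hour not in prof["hours"]:
        reasons.append("off-hours login")
    if not any(login[4].startswith(net) for net in prof["nets"]):
        reasons.append("login from unfamiliar network")
    hosts = {e[4] for e in tail if e[3] == "remote_session"}
    if len(hosts) > prof["hosts"]:
        reasons.append(f"remote sessions to {len(hosts)} hosts (baseline {prof['hosts']})")
    domains = {login[1]} | {e[1] for e in tail}
    if domains >= {"identity", "endpoint", "cloud"}:
        reasons.append("pivot across identity, endpoint and cloud within window")
    if any(e[3] == "api_call" and e[4].startswith("iam:") for e in tail):
        reasons.append("sensitive IAM action after login")
    return reasons


def detect(events, baseline):
    """Return one finding per session that accumulates at least MIN_REASONS signals."""
    findings = []
    for user, login, tail in sessions(events):
        reasons = session_reasons(user, login, tail, baseline)
        if len(reasons) >= MIN_REASONS:
            findings.append({"user": user, "login_at": login[0].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS, BASELINE):
        print(f["user"], f["login_at"], "->", "; ".join(f["reasons"]))
```

The point of the two-signal threshold is visible in the sample: "alice" also crosses all three domains within one session, which is normal for hybrid work and produces a single weak signal, so she is not flagged. "bob" is flagged because the cross-domain pivot coincides with an off-hours login from an unfamiliar network, more remote hosts than his baseline, and a sensitive IAM call, which is the kind of combination that none of the three telemetry sources would surface on its own.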
## Mitigation Strategies
The article strongly recommends a unified, comprehensive strategy focused on identity security:
- **Consolidate Security Platforms:** Move from fragmented, disjointed tools to a unified platform that integrates threat detection and response across identity, endpoint, and cloud.
- **Establish Identity Visibility:** Achieve end-to-end visibility across hybrid environments, including on-premises directories, cloud identity providers (Entra ID, Okta), and SaaS applications.
- **Implement Real-Time Protection:** Utilize capabilities like risk-based conditional access and cross-domain behavioral analysis to proactively block identity-driven attacks as they occur.
## Related Tools/Techniques
- Identity and Access Management (IAM) exploitation.
- Techniques that leverage legitimate system processes (Living Off the Land).
- Unified Security Platforms (e.g., CrowdStrike Falcon® cybersecurity platform).