Full Report
The notorious cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) has been observed offering financial incentives to recruit women to pull off social engineering attacks. The idea is to hire them for voice phishing campaigns targeting IT help desks, Dataminr said in a new threat brief. The group is said to be offering anywhere between $500 and $1,000 upfront per call, in addition to
Analysis Summary
# Threat Actor: Scattered LAPSUS$ Hunters (SLH)
## Attribution & Identity
**Actor:** Scattered LAPSUS$ Hunters (SLH)
**Associated Groups:** A high-profile cybercrime supergroup comprising elements of **LAPSUS$**, **Scattered Spider**, and **ShinyHunters**.
**Alias Tracking:** Scattered Spider is also tracked by Palo Alto Networks Unit 42 under the moniker **Muddled Libra**.
## Activity Summary
SLH is actively recruiting women to place voice phishing (vishing) calls against IT help desks, offering $500 to $1,000 upfront per call. The apparent aim is to exploit the fact that help desk staff rarely associate a female caller with an attacker, improving the odds that an impersonation succeeds. These calls are an initial access step: in the group's past intrusions, access gained this way has led to lateral movement, privilege escalation, data exfiltration and, in some cases, ransomware deployment.
## Tactics, Techniques & Procedures
- **Social Engineering:** Highly proficient at exploiting human psychology, impersonating employees to request password resets or MFA changes.
- **Voice Phishing (Vishing):** Specifically creating campaigns targeting IT help desks, utilizing pre-written scripts.
- **Identity Compromise:** Focus on bypassing Multi-Factor Authentication (MFA) via techniques such as **MFA prompt bombing** and **SIM swapping**.
- **Initial Access Execution:** Posing as employees to convince help desks to install Remote Monitoring and Management (RMM) tools for remote access.
- **Lateral Movement & Privilege Escalation:** Observed moving into virtualized environments post-breach to escalate privileges.
- **Data Exfiltration:** Attempting to exfiltrate sensitive corporate data, including Outlook mailbox files and data from Snowflake databases.
- **Infrastructure Use:** Leveraging legitimate services and residential proxy networks (e.g., Luminati and OxyLabs) to maintain a low profile.
- **Tool Use:** Utilizing tunneling tools (Ngrok, Teleport, Pinggy) and free file-sharing services (file.io, gofile.io, mega.nz, transfer.sh).
- **Cloud Environment Exploitation:** Extensive history of targeting Microsoft Azure environments using the Graph API for resource access.
- **Reconnaissance:** Employing tools like ADRecon for Active Directory enumeration, often after gaining initial access via a VM deployment.
## Targeting
- **Sectors:** General corporate environments across various sectors, specifically focusing on organizations with accessible IT help desks/call centers.
- **Geography:** Not specified; target selection is driven by an organization's reliance on remote access and cloud infrastructure rather than by region.
- **Victims:** Organizations exposed to identity-based attacks, in particular those whose help desks can reset passwords or change MFA on a caller's request. In one case, post-access reconnaissance targeted Active Directory and Snowflake databases.
## Tools & Infrastructure
- **Identity/Network Obfuscation:** Luminati, OxyLabs (Residential Proxies).
- **Tunneling/Connection:** Ngrok, Teleport, Pinggy.
- **File Sharing (Exfiltration/Drop):** file.io, gofile.io, mega.nz, transfer.sh.
- **Reconnaissance/Enumeration:** ADRecon.
- **Cloud Exploitation:** Microsoft Graph API.
## Implications
SLH demonstrates a calculated evolution by specifically recruiting female voices for vishing, suggesting an attempt to subvert existing security biases held by help desk personnel. This recruitment drive enhances their ability to gain initial access through manipulation, which is their primary entry vector. Their integration of advanced network evasion techniques (proxies) with proven post-access lateral movement makes them a significant, multi-stage threat, capable of leading to ransomware or major data theft.
## Mitigations
- **Help Desk Training:** Train IT help desk and support personnel specifically on recognizing and handling social engineering attempts involving polished voice impersonation and pre-written scripts.
- **Strict Identity Verification:** Enforce verification that goes beyond voice confirmation for sensitive actions (password resets, MFA changes, RMM installation), for example a callback to a number of record, a manager's approval, or an in-person or video check, so that a convincing caller alone cannot complete the request.
- **MFA Hardening:** Shift away from easily compromised MFA methods (SMS, push prompts that can be bombed) towards phishing-resistant factors such as FIDO2 security keys or passkeys.
- **Logging and Auditing:** Monitor and audit activity that follows a help desk credential or MFA change, watching in particular for new user creation, administrative role grants and RMM installation in the hours after the change.
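The auditing mitigation above is the one most directly tied to the help desk entry vector, so here is a small correlation routine that implements it. This is an added example, not code from the threat brief or from any vendor: it joins help-desk-initiated credential or MFA changes to sensitive follow-on actions on the same identity within a time window. The event schema, the `helpdesk.` actor prefix, the role names and the sample events are all constructed for illustration and would need to be mapped onto your own IdP and endpoint logs.

```python
"""Flag privileged actions that follow a help-desk credential or MFA change.

Added example (not from the source brief). Field names, the `helpdesk.` actor
naming convention, role names and the sample events below are assumptions.
"""
from datetime import datetime, timedelta

# Help-desk actions that reset an identity's authentication state.
CREDENTIAL_CHANGES = {"password_reset", "mfa_reset", "mfa_method_added"}

# Follow-on actions that deserve a second look when they occur shortly after
# a help-desk reset: the page describes new users, admin grants and RMM installs.
SENSITIVE_ACTIONS = {"user_created", "role_assigned", "rmm_installed"}

# Assumed privileged role names; replace with the roles your IdP actually uses.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Domain Admins"}

# Constructed sample events (not real telemetry). ISO timestamps, one event per dict.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T09:02:00", "actor": "helpdesk.tier1", "action": "password_reset", "target": "j.doe"},
    {"ts": "2025-09-01T09:05:00", "actor": "helpdesk.tier1", "action": "mfa_method_added", "target": "j.doe"},
    {"ts": "2025-09-01T09:40:00", "actor": "j.doe", "action": "user_created", "target": "svc-backup2"},
    {"ts": "2025-09-01T09:55:00", "actor": "j.doe", "action": "role_assigned", "target": "svc-backup2",
     "detail": "Global Administrator"},
    {"ts": "2025-09-01T11:30:00", "actor": "j.doe", "action": "rmm_installed", "target": "WS-0412"},
    # Legitimate admin grant with no preceding help-desk reset: must not be flagged.
    {"ts": "2025-09-01T12:00:00", "actor": "it.admin", "action": "role_assigned", "target": "a.lee",
     "detail": "Global Administrator"},
    # Reset followed by an admin grant two days later: outside the window, not flagged.
    {"ts": "2025-09-01T14:00:00", "actor": "helpdesk.tier1", "action": "password_reset", "target": "m.smith"},
    {"ts": "2025-09-03T09:00:00", "actor": "m.smith", "action": "role_assigned", "target": "m.smith",
     "detail": "Global Administrator"},
]


def parse_events(raw):
    """Convert ISO timestamps to datetimes and return events in chronological order."""
    events = []
    for e in raw:
        ev = dict(e)
        ev["ts"] = datetime.fromisoformat(e["ts"])
        events.append(ev)
    events.sort(key=lambda ev: ev["ts"])
    return events


def is_sensitive(ev):
    """True for follow-on actions worth correlating; role grants only if the role is privileged."""
    if ev["action"] not in SENSITIVE_ACTIONS:
        return False
    if ev["action"] == "role_assigned":
        return ev.get("detail") in PRIVILEGED_ROLES
    return True


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per sensitive action that follows a help-desk reset of the same identity.

    An identity is implicated whether it performs the action (actor) or receives it (target).
    Only the most recent reset inside the window is reported, so multiple help-desk touches
    on one account do not multiply alerts.
    """
    resets = {}
    for ev in events:
        # Assumption: help-desk operators are identifiable by an actor prefix.
        if ev["action"] in CREDENTIAL_CHANGES and ev["actor"].startswith("helpdesk."):
            resets.setdefault(ev["target"], []).append(ev)

    alerts = []
    for ev in events:
        if not is_sensitive(ev):
            continue
        for identity in dict.fromkeys([ev["actor"], ev["target"]]):
            candidates = [r for r in resets.get(identity, [])
                          if timedelta(0) <= ev["ts"] - r["ts"] <= window]
            if not candidates:
                continue
            reset = max(candidates, key=lambda r: r["ts"])
            alerts.append({
                "identity": identity,
                "trigger": reset["action"],
                "follow_on": ev["action"],
                "minutes_after_reset": int((ev["ts"] - reset["ts"]).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the constructed sample, only `j.doe` is flagged: the account is reset by the help desk, then within three hours creates a user, grants it a privileged role and installs an RMM agent. The `a.lee` grant has no preceding reset and the `m.smith` grant falls outside the 24-hour window, so neither produces an alert. In production the window and the privileged-role set are the two knobs to tune; a shorter window cuts noise but will miss an attacker who waits a day before escalating.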