Scattered Spider, Roasted 0ktapus, Group G1015 | MITRE ATT&CK®
Currently viewing ATT&CK v14.1 which was live between October 31, 2023 and April 22, 2024.

Scattered Spider

Scattered Spider is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. During campaigns Scattered Spider has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.[1][2][3]

ID: G1015
Associated Groups: Roasted 0ktapus
Version: 1.0
Created: 05 July 2023
Last Modified: 22 September 2023

Associated Group Descriptions

Roasted 0ktapus [2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

During C0027, Scattered Spider accessed Azure AD to identify email addresses.[3]

.004 Account Discovery: Cloud Account

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.[3]

Enterprise T1098 .001 Account Manipulation: Additional Cloud Credentials

During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.[3]

.003 Account Manipulation: Additional Cloud Roles

During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[3]

.005 Account Manipulation: Device Registration

During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[3]

Enterprise T1530 Data from Cloud Storage

During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[3]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.[3]

Enterprise T1190 Exploit Public-Facing Application

During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.[3]

Enterprise T1068 Exploitation for Privilege Escalation

Scattered Spider has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).[2]

Enterprise T1133 External Remote Services

Scattered Spider has leveraged legitimate remote management tools to maintain persistent access.[2]

During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.[3]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.[3]

Enterprise T1656 Impersonation

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential-harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools.[3]

Enterprise T1105 Ingress Tool Transfer

During C0027, Scattered Spider downloaded tools using victim organization systems.[3]

Enterprise T1578 .002 Modify Cloud Compute Infrastructure: Create Cloud Instance

During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.[3]

Enterprise T1621 Multi-Factor Authentication Request Generation

Scattered Spider has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.[2]

During C0027, Scattered Spider attempted to gain access by continuously sending MFA push requests to the victim until they accepted the MFA push challenge.[3]
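As an added example (not part of the ATT&CK page), the detection logic a defender would run for the MFA push-fatigue pattern described above: flag any user who receives five or more push prompts inside a ten-minute sliding window, and record whether an approval followed the burst. The log format ("timestamp user event result") and the sample lines are constructed assumptions, not any real IdP's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window over push prompts
THRESHOLD = 5                   # prompts per window that count as a burst
# Constructed sample IdP log (not real data): "timestamp user event result"
SAMPLE_LOG = """\
2023-09-01T02:14:03Z alice push_sent -
2023-09-01T02:14:31Z alice push_result denied
2023-09-01T02:15:10Z alice push_sent -
2023-09-01T02:15:42Z alice push_sent -
2023-09-01T02:17:20Z alice push_sent -
2023-09-01T02:18:01Z alice push_sent -
2023-09-01T02:19:40Z alice push_result approved
2023-09-01T02:20:00Z bob push_sent -
2023-09-01T02:20:15Z bob push_result approved
2023-09-01T02:21:00Z carol push_sent -
"""

def parse_events(log):
    """Parse log lines into (timestamp, user, event, result), sorted by time."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, event, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return sorted(events)

def find_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (peak_prompts_in_window, approved_after_burst)} for each user
    with >= threshold push prompts in one window; approval after the burst is the alert."""
    per_user = defaultdict(list)
    for ts, user, event, result in parse_events(log):
        per_user[user].append((ts, event, result))
    alerts = {}
    for user, evs in per_user.items():
        pushes = [ts for ts, ev, _ in evs if ev == "push_sent"]
        peak, burst_at, start = 0, None, 0
        for end, ts in enumerate(pushes):
            while ts - pushes[start] > window:  # drop prompts that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_at = burst_at or ts       # first moment the threshold was hit
                peak = max(peak, count)
        if burst_at is not None:
            approved = any(ev == "push_result" and res == "approved" and ts >= burst_at
                           for ts, ev, res in evs)
            alerts[user] = (peak, approved)
    return alerts
```

Tune WINDOW and THRESHOLD to the normal prompt rate in your own IdP telemetry; a single legitimate retry should not trip the rule, but a burst followed by an approval is the case to investigate.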

Enterprise T1046 Network Service Discovery

During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances.[3]

Enterprise T1588 .002 Obtain Capabilities: Tool

During C0027, Scattered Spider obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.[3]

Enterprise T1003 .006 OS Credential Dumping: DCSync

During C0027, Scattered Spider performed domain replication.[3]

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[3]

Enterprise T1566 .004 Phishing: Spearphishing Voice

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.[3]

Enterprise T1598 Phishing for Information

Scattered Spider has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.[2]

.001 Spearphishing Service

During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.[3]

.004 Spearphishing Voice

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.[3]

Enterprise T1572 Protocol Tunneling

During C0027, Scattered Spider used SSH tunneling in targeted environments.[3]

Enterprise T1090 Proxy

During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.[3]

Enterprise T1219 Remote Access Software

During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.[3]

Enterprise T1021 .007 Remote Services: Cloud Services

During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.[2]

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.[3]

Enterprise T1102 Web Service

During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[3]

Enterprise T1047 Windows Management Instrumentation

During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.[3]
