The hacking collective Scattered Spider, also known as 0ktapus, UNC3944, Octo Tempest, and Scatter Swine, has redirected its newest attacks toward software-as-a-service applications in order to exfiltrate data without deploying ransomware encryption, broadening the range of organizations it targets, BleepingComputer reports.
The intrusions began with social engineering aimed at corporate help desk agents: attackers posing as legitimate users asked for help resetting multi-factor authentication, and used that reset to obtain initial access to the targeted environment, according to a report from Google-owned cybersecurity firm Mandiant.
Okta single sign-on permissions were then abused to reach cloud and SaaS apps and to carry out internal reconnaissance, with Scattered Spider later establishing persistence by creating new Azure- and vSphere-based virtual machines before deactivating Microsoft Defender, the researchers said. The group has also maintained persistence using certificates obtained from Active Directory Federation Services and a Golden SAML attack.
Organizations have been urged to bolster SaaS app and virtual machine infrastructure monitoring, as well as implement more robust access policies to mitigate such attacks.