Scattered Spider Getting SaaS-y within the Cloud

LUCR-3 overlaps with teams akin to Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Id Supplier (IDP) as preliminary entry into an atmosphere with the objective of stealing Mental Property (IP) for extortion. LUCR-3 targets Fortune 2000 firms throughout numerous sectors, together with however not restricted to Software program, Retail, Hospitality, Manufacturing, and Telecoms.

LUCR-3 doesn’t rely closely on malware and even scripts; as a substitute, LUCR-3 expertly makes use of victims’ personal instruments, purposes, and sources to attain their targets. At a excessive degree, Preliminary Entry is gained by compromising present identities within the IDP (Okta: Id Cloud, Azure AD / Entra, Ping Id: PingOne). LUCR-3 makes use of SaaS purposes akin to doc portals, ticketing programs, and chat purposes to learn the way the sufferer group operates and how you can entry delicate info. Utilizing the information they gained from reconnaissance inside the SaaS purposes, they then perform their mission of information theft. Knowledge theft is usually targeted on IP, Code Signing Certificates, and buyer information.

Attacker Attributes

Highlights

• LUCR-3 attribution is troublesome. Many people within the Cyber Intelligence group have even begun to trace the person personas individually. Additional complicated attribution, some LUCR-3 personas seem like associates of ALPHV with entry to deploy BlackCat ransomware.
• Very similar to LUCR-1 (GUI-Vil), LUCR-3 tooling, particularly in Cloud, SaaS, and CI/CD, principally makes use of net browsers and a few GUI utilities akin to S3 Browser. Leveraging the native options of purposes, similar to any worker would do, to hold out their objective.
• LUCR-3 closely targets the IDPs for Preliminary Entry. Shopping for creds from frequent marketplaces and bypassing MFA by way of SIM swapping, social engineering, and push fatigue.
• LUCR-3 does its homework on its preliminary entry victims, selecting identities that can have elevated privileges and even guaranteeing they supply from related geolocation as their sufferer identities to keep away from unattainable journey (geo disparity) alerts.
• LUCR-3 will make the most of the sufferer organizations software program deployment options, akin to SCCM, to deploy specified software program to focus on programs.

Mission

LUCR-3 is a financially motivated risk actor that makes use of information theft of delicate information (IP, Buyer information, Code Signing Certificates) to try extortion. Whereas extortion calls for do range, they’re typically within the tens of hundreds of thousands of {dollars}. Some personas inside LUCR-3 will typically collaborate with ALPHV to hold out the extortion section of the assault.

Tooling

LUCR-3 makes use of principally Home windows 10 programs working GUI utilities to hold out their mission within the cloud. Utilizing the native options of SaaS purposes akin to search, LUCR-3 is ready to navigate by a corporation with out elevating any alarms. In AWS, the risk actor routinely leverages the S3 Browser (model 10.9.9) and the AWS administration console (by way of an online browser). LUCR-3 makes use of AWS Cloudshell inside the AWS administration console to hold out any exercise that requires direct interplay with the AWS API.

Victimology

LUCR-3 typically targets massive (Fortune 2000) organizations which have Mental Property (IP) that’s helpful sufficient that sufferer organizations are more likely to pay an extortion price. Software program firms are a typical goal as they goal to extort a price associated to the theft of supply code in addition to code signing certificates. LUCR-3 will typically goal organizations that may be leveraged in a provide chain assault towards others. Id Suppliers and their outsourced providers firms are regularly focused as a singular compromise of one in every of these entities will enable for entry into a number of different organizations. In current months, LUCR-3 has expanded its concentrating on into sectors they have not beforehand targeted as a lot on, akin to hospitality, gaming, and retail.

Attacker Lifecycle

AWS Attacker Lifecycle

Preliminary Recon

LUCR-3 does their homework when deciding on their goal sufferer identities. They guarantee they’re concentrating on customers that can have the entry they should perform their mission. This contains however shouldn’t be restricted to Id Admins, Builders, Engineers, and the Safety group.

They’ve been recognized to leverage credentials that have been obtainable in frequent deep net marketplaces.

Preliminary Entry (IA)

LUCR-3’s preliminary entry into an atmosphere is gained by compromised credentials. They don’t seem to be performing noisy actions like password spraying to search out passwords. Once they join, they have already got a reliable password to make use of. The everyday method for them is:

1. Determine credentials for the meant sufferer identification

• Purchase credentials from frequent deepweb marketplaces
• Smishing victims to gather their credentials
• Social engineering assist desk personnel to achieve entry to the credentials

2. Bypass Multi-factor Authentication (MFA)

• SIM Swapping (when SMS OTP is enabled)
• Push Fatigue (when SMS OTP shouldn’t be enabled)
• Phishing assaults with redirects to reliable websites the place OTP codes are captured and replayed
• Purchase or social engineer entry from an insider (final resort)

3. Modify MFA settings

• Register a brand new gadget
• Add various MFA choices

When LUCR-3 modifies MFA settings, they typically register their very own cell gadget and add secondary MFA choices akin to emails. Indicators to observe for listed here are:

• When a person registers a tool that’s in a distinct ecosystem than their earlier gadget (Android to Apple for example)
• When a person registers a brand new gadget that’s an older mannequin than their earlier gadget
• When a single cellphone (gadget ID) is assigned to a number of identities
• When an exterior e-mail is added as a multi-factor choice

Recon (R)

R-SaaS

With the intention to perform their objective of information theft, ransom, and extortion, LUCR-3 should perceive the place the vital information is and how you can get to it. They carry out these duties very similar to any worker would. Looking out by and viewing paperwork in numerous SaaS purposes like SharePoint, OneDrive, information purposes, ticketing options, and chat purposes permits LUCR-3 to study an atmosphere utilizing native purposes with out setting off alarm bells. LUCR-3 makes use of search phrases focused at discovering credentials, studying concerning the software program deployment environments, code signing course of, and delicate information.

R-AWS

In AWS, LUCR-3 performs recon in a number of methods. They are going to merely navigate across the AWS Administration Console into providers like Billing, to grasp what forms of providers are being leveraged, after which navigate every of these providers within the console. Moreover, LUCR-3 needs to know what packages are working on the compute programs (EC2 cases) in a corporation. Leveraging Methods Supervisor (SSM), LUCR-3 will run the native AWS-GatherSoftwareInventory job towards all EC2 cases, returning the software program working on the EC2 cases. Lastly, LUCR-3 will leverage the GUI utility S3 Browser together with a long-lived entry key to view obtainable S3 buckets.

Privilege Escalation (PE)

LUCR-3 typically chooses preliminary victims who’ve the kind of entry vital to hold out their mission. They don’t at all times have to make the most of privilege escalation strategies, however we have now noticed them accomplish that every so often in AWS environments.

PE-AWS

LUCR-3 has utilized three (3) fundamental strategies for privilege escalation in AWS:

1. Coverage manipulation: LUCR-3 has been seen modifying the coverage of present roles assigned to EC2 cases ( ReplaceIamInstanceProfileAssociation ) in addition to creating new ones with a full open coverage.
2. UpdateLoginProfile: LUCR-3 will replace the login profile and, every so often, create one if it would not exist to assign a password to an identification to allow them to leverage it for AWS Administration Console logons.
3. SecretsManager Harvesting: Many organizations retailer credentials in SecretsManger or Terraform Vault for programmatic entry from their cloud infrastructure. LUCR-3 will leverage AWS CloudShell to scrape all credentials which can be obtainable in SecretsManager and related options.

Set up Persistence/ Preserve Presence (EP)

LUCR-3, like most attackers, needs to make sure that they’ve a number of methods to enter an atmosphere within the occasion that their preliminary compromised identities are found. In a contemporary cloud world, there are numerous methods to attain this objective, and LUCR-3 employs a myriad to take care of its presence.

EP-AzureAD/Okta

After having access to an identification within the IDP (AzureAD, Okta, and so forth.), LUCR-3 needs to make sure they will simply proceed to entry the identification. So as to take action, they may typically carry out the next actions:

1. Reset/Register Issue: LUCR-3 will register their very own gadget to ease their means for continued entry. As talked about beforehand, look ahead to ecosystem switches for customers in addition to single units which can be registered to a number of customers.
2. Alternate MFA: Many IDPs enable for alternate MFA choices. LUCR-3 will benefit from these options to register exterior emails as an element. They’re good about selecting a reputation that aligns with the sufferer’s identification.
3. Sturdy Authentication Kind: In environments the place the default setting is to not enable for SMS as an element, LUCR-3 will modify this setting if they can. In AzureAD, you’ll be able to monitor for this by searching for the StrongAuthenticationMethod altering from a 6 (PhoneAppOTP) to a 7 (OneWaySMS)

EP-AWS

To take care of persistence in AWS, LUCR-3 has been noticed performing the next:

1. CreateUser: LUCR-3 will try and create IAM Customers when obtainable. They select names that align with the sufferer identification they’re utilizing for preliminary entry into the atmosphere.
2. CreateAccessKey: LUCR-3 will try and create entry keys for newly created IAM Customers in addition to present IAM Customers that they will then use programmatically. Like GUI-Vil (LUCR-1), the entry keys which can be created are sometimes inputted into the S3 Browser to work together with S3 buckets.
3. CreateLoginProfile / UpdateLoginProfile: LUCR-3, when attempting to be extra stealthy or when they don’t have entry to create new IAM customers, will try and create or replace login profiles for present customers. Login profiles are what assign a password to an IAM Person and permit for console entry. This system additionally lets the attacker achieve the privileges of the sufferer’s identification.
4. Credential Harvesting: As talked about beforehand, LUCR-3 finds nice worth in harvesting credentials from credential vaults akin to AWS SecretsManager and Terraform Vault. These typically retailer credentials not only for the sufferer organizations but in addition credentials which will enable entry to enterprise companions, expertise integrations, and even purchasers of the sufferer group.
5. Useful resource Creation: Lastly, LUCR-3 will create or take over present sources, akin to EC2 cases that may be leveraged for entry again into the atmosphere in addition to a staging space for instruments and information theft as wanted.

EP-SaaS

LUCR-3 will use all of the purposes obtainable to them to additional their objective. In ticketing programs, chat applications, doc shops, and information purposes, they may typically carry out searches searching for credentials that may be leveraged throughout their assault.

Moreover, many of those purposes enable the creation of entry tokens that can be utilized to work together with the SaaS purposes API.

EP-CI/CD

LUCR-3 will even generate entry tokens for interacting with the APIs of your code repositories, akin to GitHub and GitLab.

Protection Evasion (DE)

We now have noticed that LUCR-3 considerably focuses on protection evasion ways in numerous environments. That is clearly to keep away from detection so long as doable till they’re positive they’ve achieved their mission targets and are able to carry out ransom and extortion actions. They accomplish this by a number of means relying on the kind of atmosphere they’re in.

DE-AWS

LUCR-3 employs principally frequent protection evasion strategies in AWS, with a few distinctive flares.

1. Disable GuardDuty: LUCR-3 will carry out the standard deletion of GuardDuty detectors but in addition tries to make it more durable so as to add again to the org degree by deleting invites. That is achieved by the next three instructions: DisassociateFromMasterAccount, DeleteInvitations, DeleteDetector
2. Cease Logging: LUCR-3 additionally makes an attempt to evade AWS detections by performing DeleteTrail and StopLogging actions.
3. Serial Console Entry: This can be giving LUCR-3 an excessive amount of credit score, however we have now noticed them EnableSerialConsoleAccess for AWS accounts they’ve compromised after which try to make use of EC2 Occasion Hook up with SendSerialConsoleSSHPublicKey which is able to try to determine a serial connection to a specified EC2 occasion. This may be leveraged to keep away from community monitoring, as serial connections are hardware-based.

DE-AzureAD/Okta

LUCR-3 clearly understands that one of many extra frequent detections in place for IDPs is to observe and alert on unattainable journey. To keep away from these unattainable journey detections, LUCR-3 will be sure that they supply from the same geolocation as their sufferer identification. This appears to be principally achieved by way of using residential VPNs.

DE-M365/Google Workspace

A few of LUCR-3’s actions in an atmosphere, akin to producing tokens and opening up assist desk tickets, trigger emails to be despatched to the victims’ mailboxes. LUCR-3, already sitting in these mailboxes, will delete the emails to keep away from detection. Whereas e-mail deletion by itself is a really weak sign, searching for e-mail deletions by way of the net model of Outlook with delicate phrases like OAuth, entry token, and MFA would possibly convey to mild larger constancy indicators to comply with.

Full Mission (CM)

LUCR-3 has one objective: monetary achieve. They do that principally by extortion of delicate information that they’ve collected by way of the native instruments of the sufferer organizations’ SaaS and CI/CD purposes. In AWS, that is achieved by information theft in S3 and in database purposes akin to Dynamo and RDS.

Whereas within the SaaS world, they full their mission by looking and downloading paperwork and net pages by way of a standard net browser.

On the CI/CD facet, LUCR-3 will use the clone, archive, and think about uncooked options of Github and Gitlab to view and obtain supply information.

Indicators

Detections

Permiso purchasers are protected by the next detections: