US Enterprises Targeted: Silent Push Unmasks Scattered Spider’s Phishing Web

Scattered Spider threat groups

In today’s digital era, the cyber threat landscape is continually evolving, with sophisticated threat groups like Scattered Spider emerging as significant players. This financially motivated group has been active since the second quarter of 2022, gaining notoriety for its intricate social engineering attacks aimed at extracting login credentials and multi-factor authentication (MFA) tokens from employees of targeted organizations.

Scattered Spider’s approach is characterized by complex social engineering tactics. They initiate attacks with persistent SMS phishing messages aimed at current and former employees of the targeted organization. This approach has led to hundreds of incidents, including high-profile breaches like the Twilio/Okta breach of August 2022 and the MGM breach of September 2023, causing substantial financial and reputational damage.

The infrastructure used by Scattered Spider is as elusive as their methods. They host phishing pages on short-lived domains created using bitcoin-friendly services, often featuring typosquatted versions of the targeted brands. This technique allows them to maintain a low profile while executing their attacks. The use of US registrars and providers, coupled with their focus on US enterprises, indicates a targeted approach towards American entities.

In a strategic move to evade detection, Scattered Spider parks malicious domains before weaponizing them, so the domains accumulate age without degrading their reputation. Their phishing kits are sophisticated; Silent Push used HTML header and favicon scans to pinpoint those kits across hundreds of new domains.

“Historical scan results also revealed that the domain was aged, given that it displayed the Hostinger parked page in the days prior to the attack. The threat actor likely uses this technique to avoid reputation degradation across global scoring systems,” the researcher wrote.

A typical attack by Scattered Spider follows a pattern where data is exfiltrated once login credentials are obtained. The stolen credentials enable lateral movement and privilege escalation within the network, often using advanced techniques such as a signed driver to terminate security processes and VM admin console access through Azure Serial Console.

Recently, Silent Push DNS and content scans have unveiled new infrastructural developments within Scattered Spider. This includes the reuse of their 2022 infrastructure to propagate new attacks and the discovery of hundreds of new domains through advanced scanning methods.

Scattered Spider’s primary motivation is the propagation of secondary attacks across the user base of the affected company and its supply chain. Their focus on organizations with a large downstream user base, such as telecommunications providers, software/technology companies, and Business Process Outsourcing (BPO) providers, reveals a calculated approach to maximize impact.

To counteract the threat posed by Scattered Spider, Silent Push offers an array of tools for early detection and monitoring of their infrastructure. This includes the use of specific queries and on-demand endpoint scans to detect and monitor brand spoofing campaigns.
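To make the detection approach described above concrete, here is an added Python example; it is not Silent Push's tooling and not code from the report. It triages newly observed domains from a content scan the way a defender monitoring for brand spoofing would: it compares each domain's registrable label against a list of protected brands (substring and small edit-distance matches for typosquats), hashes the favicon and checks it against a known-kit fingerprint, looks for a password field and the brand name in the HTML, and treats a parked page on a brand-like domain as one to keep watching, so that the parked-to-live transition the article describes is flagged on the next scan. The brand list, the "known kit" favicon bytes, and the sample scans are all constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed inputs: placeholder brands and a placeholder kit favicon, not
# fingerprints published by Silent Push or observed in any real campaign.
PROTECTED_BRANDS = ["examplecorp", "acmebank"]
KNOWN_KIT_FAVICON = b"\x00\x00\x01\x00constructed-kit-favicon-bytes"
KNOWN_KIT_FAVICON_HASHES = {hashlib.sha256(KNOWN_KIT_FAVICON).hexdigest()}

PARKED_RE = re.compile(r"domain is parked|parked free|domain is for sale|buy this domain", re.I)
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']?password", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


@dataclass
class ScanResult:
    """One content scan of a newly seen domain: HTML body plus favicon bytes."""
    domain: str
    html: str
    favicon: bytes


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain, e.g. 'examplecorp-sso' for examplecorp-sso.com."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def matched_brand(domain: str, brands: Iterable[str]) -> Optional[str]:
    """Return the protected brand the label imitates, or None."""
    label = registrable_label(domain)
    for brand in brands:
        if brand in label or levenshtein(label, brand) <= 2:
            return brand
    return None


def favicon_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def html_title(html: str) -> str:
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""


def classify(scan: ScanResult, brands: Iterable[str] = PROTECTED_BRANDS) -> Tuple[str, List[str]]:
    """Verdict for one scan plus the reasons that produced it."""
    reasons: List[str] = []
    brand = matched_brand(scan.domain, brands)
    if brand:
        reasons.append(f"label resembles brand '{brand}'")
    if PARKED_RE.search(scan.html):
        # Parked content: benign today, but a brand-like parked domain may be aging before use.
        reasons.append("parked page")
        return ("monitor" if brand else "parked"), reasons
    kit_favicon = favicon_hash(scan.favicon) in KNOWN_KIT_FAVICON_HASHES
    if kit_favicon:
        reasons.append("favicon hash matches known kit")
    login = bool(PASSWORD_FIELD_RE.search(scan.html))
    if login:
        reasons.append("password field present")
    if brand and brand in html_title(scan.html).lower():
        reasons.append("brand name in <title>")
    if kit_favicon or (brand and login):
        return "suspected_phish", reasons
    if brand:
        return "brand_lookalike", reasons
    return "benign", reasons


def triage(scans: Iterable[ScanResult], history: Optional[Dict[str, str]] = None,
           brands: Iterable[str] = PROTECTED_BRANDS) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every scan; history maps domain -> previous verdict so that a domain
    seen parked earlier and now serving a login page is explicitly called out."""
    history = history or {}
    out: Dict[str, Tuple[str, List[str]]] = {}
    for scan in scans:
        verdict, reasons = classify(scan, brands)
        if history.get(scan.domain) in ("parked", "monitor") and verdict == "suspected_phish":
            reasons.append("weaponized after aging as a parked domain")
        out[scan.domain] = (verdict, reasons)
    return out


# Constructed sample scans standing in for the output of a DNS/content scanner.
SAMPLE_SCANS = [
    ScanResult("examplecorp-sso.com",
               "<html><head><title>ExampleCorp - Sign in</title></head><body><form>"
               "<input type='text' name='user'><input type='password' name='pass'></form></body></html>",
               KNOWN_KIT_FAVICON),
    ScanResult("exarnplecorp.net",
               "<html><head><title>exarnplecorp.net</title></head><body>"
               "This domain is parked free, courtesy of the registrar.</body></html>",
               b"generic-parking-page-favicon"),
    ScanResult("acmebank-helpdesk.com",
               "<html><head><title>Help Desk Login</title></head><body><form>"
               "<input type='password' name='pw'></form></body></html>",
               b"some-other-favicon"),
    ScanResult("weatherblog.org",
               "<html><head><title>Weather Blog</title></head><body><form>"
               "<input type='password' name='pw'></form></body></html>",
               b"blog-favicon"),
]

if __name__ == "__main__":
    for domain, (verdict, reasons) in triage(SAMPLE_SCANS).items():
        print(f"{domain:24} {verdict:16} {'; '.join(reasons)}")
```

A real deployment would feed `triage` from a certificate-transparency or newly-registered-domain stream and keep the previous verdict per domain in a store, so that the second scan of a brand-like domain that stops showing a parked page and starts serving a login form is raised immediately rather than waiting for the domain to be reported.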

As Scattered Spider continues to adapt and evolve its strategies, organizations must stay vigilant and employ advanced threat detection and prevention methods. The rise of such sophisticated cyber threats underscores the need for continuous innovation in cybersecurity strategies and tools.