Within the wake of high-profile assaults on UK retailers Marks & Spencer and Co-op, Scattered Spider has been everywhere in the media, with protection spilling over into the mainstream information because of the severity of the disruption induced — presently wanting like tons of of thousands and thousands in misplaced income for M&S alone.
This protection is extraordinarily priceless for the cybersecurity group because it raises consciousness of the battles that safety groups are combating day-after-day. But it surely’s additionally created numerous noise that may make it difficult to know the large image.
The headline story from the current marketing campaign in opposition to UK retailers is using assist desk scams. This usually entails the attacker calling up an organization’s assist desk with some degree of knowledge — at minimal, PII that permits them to impersonate their sufferer, and typically a password, leaning closely on their native English-speaking talents to trick the assistance desk operator into giving them entry to a person account.
Assist Desk Scams 101
The aim of a assist desk rip-off is to get the assistance desk operator to reset the credentials and/or MFA used to entry an account so the attacker can take management of it. They will use a wide range of backstories and ways to get that finished, however more often than not it is so simple as saying “I’ve received a brand new cellphone, are you able to take away my current MFA and permit me to enroll a brand new one?”
From there, the attacker is then despatched an MFA reset hyperlink by way of e-mail or SMS. Often, this is able to be despatched to, for instance, a quantity on file — however at this level, the attacker has already established belief and bypassed the assistance desk course of to a level. So asking “Are you able to ship it to this e-mail handle” or “I’ve really received a brand new quantity too, are you able to ship it to…” will get this despatched on to the attacker.
At this level, it is merely a case of utilizing the self-service password reset performance for Okta or Entra (which you may get round since you now have the MFA issue to confirm your self), and voila, the attacker has taken management of the account.
And the very best half? Most assist desks have the identical course of for each account — it would not matter who you are impersonating or which account you are attempting to reset. So, attackers are particularly focusing on accounts more likely to have top-tier admin privileges — that means as soon as they get in, progressing the assault is trivial, and far of the everyday privilege escalation and lateral motion is faraway from the assault path.
So, assist desk scams have proved to be a dependable means of bypassing MFA and attaining account takeover — the foothold from which to launch the remainder of an assault, resembling stealing information, deploying ransomware, and so on.
Do not be fooled — this is not a brand new improvement
However one thing that is not fairly coming throughout within the reporting is that Scattered Spider has been doing this efficiently since 2022, with the M&S and Co-op assaults merely the tip of the iceberg. Vishing (calling a person to get them to surrender their MFA code) has been part of their toolkit for the reason that starting, with the early assaults on Twilio, LastPass, Riot Video games, and Coinbase involving some type of voice-based social engineering.
Notably, the high-profile assaults on Caesars, MGM Resorts, and Transport for London all concerned calling a assist desk to reset credentials because the preliminary entry vector.
Caesars in August 2023 the place hackers impersonated an IT person and satisfied an outsourced assist desk to reset credentials, after which the attacker stole the client loyalty program database and secured a $15m ransom cost.
MGM Resorts in September 2023, the place the hacker used LinkedIn info to impersonate an worker and reset the worker’s credentials, leading to a 6TB information theft. After MGM refused to pay, the assault ultimately resulted in a 36-hour outage, a $100m hit, and a class-action lawsuit settled for $45m.
Transport for London in September 2024 resulted in 5,000 customers’ financial institution particulars being uncovered, 30,000 employees required to attend in-person appointments to confirm their identities and reset passwords, and vital disruption to on-line companies lasting for months.
So not solely have Scattered Spider (and different menace teams) been utilizing these strategies for a while, however the severity and affect of those assaults have been ramping up.
Avoiding assist desk gotchas
There’s numerous recommendation for securing assist desks being circulated, however a lot of the recommendation nonetheless ends in a course of that’s both phishable or tough to implement.
Finally, organizations must be ready to introduce friction to their assist desk course of and both delay or deny requests in conditions the place there’s vital danger. So, for instance, having a course of for MFA reset that acknowledges the danger related to resetting a high-privileged account:
Require multi-party approval/escalation for admin-level account resets
Require in-person verification if the method cannot be adopted remotely
Freeze self-service resets when suspicious conduct is encountered (this is able to require some form of inner course of and consciousness coaching to boost the alarm if an assault is suspected)
And be careful for these gotchas:
If you happen to obtain a name, good apply is to terminate the decision and dial the quantity on file for the worker. However, in a world of SIM swapping, this is not a foolproof answer — you would simply be re-dialing the attacker.
In case your answer is to get the worker on digicam, more and more subtle deepfakes can thwart this method.
However, assist desks are a goal for a motive. They’re “useful” by nature. That is normally mirrored in how they’re operated and efficiency measured — delays will not enable you to to hit these SLAs! Finally, a course of solely works if workers are prepared to stick to it — and cannot be socially engineered to interrupt it. Assist desks which are faraway from day-to-day operations (particularly when outsourced or offshored) are additionally inherently prone to assaults the place workers are impersonated.
However, the assaults we’re experiencing in the mean time ought to give safety stakeholders loads of ammunition as to why assist desk reforms are very important to securing the enterprise (and what can occur in case you do not make adjustments).
Evaluating assist desk scams with different approaches
Taking a step again, it is value occupied with how assist desk scams match into the broader toolkit of ways, strategies and procedures (TTPs) utilized by menace actors like Scattered Spider.
Scattered Spider has closely relied on identity-based TTPs since they first emerged in 2022, following a repeatable path of bypassing MFA, attaining account takeover on privileged accounts, stealing information from cloud companies, and deploying ransomware (principally to VMware environments).
Credential phishing by way of e-mail and SMS (smishing) to reap passwords en masse
Utilizing SIM swapping (the place you get the provider to switch a quantity to your attacker-controlled SIM card) to bypass SMS-based MFA
Utilizing MFA fatigue (aka. push bombing) to bypass app-based push authentication
Utilizing vishing (i.e. straight calling a sufferer to social engineer their MFA code, versus a assist desk assault)
Social engineering area registrars to take management of the goal group’s DNS, hijacking their MX data and inbound mail, and utilizing this to take over the corporate’s enterprise app environments
And latterly, utilizing MFA-bypass AiTM phishing kits like Evilginx to steal stay person classes, bypassing all frequent types of MFA (except WebAuthn/FIDO2)
Scattered Spider phishing pages working Evilginx. Supply: Researchers at SilentPush
So, assist desk scams are an essential a part of their toolkit, but it surely’s not the entire image. Strategies like AiTM specifically have spiked in reputation this yr as a dependable and scalable means of bypassing MFA and attaining account takeover, with attackers utilizing these toolkits because the de facto customary, getting artistic of their detection evasion strategies and in some instances, evading customary supply vectors like e-mail altogether to make sure the success of their phishing campaigns.
Study extra about how trendy phishing kits are evading detection controls on this on-demand webinar from Push Safety.
Scattered Spider are consciously evading established safety controls
So, there’s extra to Scattered Spider’s toolkit than simply assist desk scams. In truth, their method will be broadly labeled as consciously evading established controls on the endpoint and community layer by focusing on identities.
From the purpose of account takeover, additionally they observe repeatable patterns:
Harvesting and exfiltrating information from cloud and SaaS companies, the place monitoring is often much less constant than conventional on-premise environments, and exfiltration typically blends in with regular exercise. Many organizations merely haven’t got the logs or visibility to detect malicious exercise within the cloud anyway, and Scattered Spider have additionally been seen tampering with cloud logs (e.g. filtering dangerous AWS CloudTrail logs, however not disabling it totally in order to not elevate suspicion).
Focusing on VMware environments for ransomware deployment. They do that by including their compromised person account to the VMware admins group in VCentre (if wanted — they’re going after accounts with prime tier privileges by default). From right here, they’ll entry the VMware setting by way of the ESXi hypervisor layer, the place safety software program is nonexistent — thereby bypassing EDR and different typical endpoint and host primarily based controls you depend on to stop ransomware execution.
The important thing theme? Getting round your established safety controls.
Conclusion
You’ll be able to consider Scattered Spider as a form of “post-MFA” menace actor that does the whole lot they’ll to evade established safety controls. By focusing on identities and account takeovers, they bypass endpoint and community surfaces as a lot as potential, till the very finish of the assault chain — by which level it is nearly too late to be counting on these controls.
So, do not over-index on assist desk scams — it is advisable to take into account your broader id assault floor and varied intrusion strategies, from apps and accounts with MFA gaps, native accounts giving attackers a backdoor into accounts in any other case accessed with SSO, and MFA-bypassing AiTM phishing kits which are the brand new regular for phishing assaults.
Defend your group from Scattered Spider TTPs (not simply assist desk scams)
To study extra about Scattered Spider’s identity-first toolkit, which is more and more being adopted as customary by menace teams, take a look at the most recent webinar from Push Safety — now accessible on-demand!
Learn the way Push Safety stops id assaults
Push Safety offers complete id assault detection and response capabilities in opposition to strategies like AiTM phishing, credential stuffing, password spraying and session hijacking utilizing stolen session tokens. You can too use Push to search out and repair id vulnerabilities throughout each app that your workers use, like: ghost logins; SSO protection gaps; MFA gaps; weak, breached and reused passwords; dangerous OAuth integrations; and extra.
If you wish to study extra about how Push helps you detect and defeat frequent id assault strategies, ebook a while with considered one of our group for a stay demo.
Discovered this text attention-grabbing? This text is a contributed piece from considered one of our valued companions. Observe us on Twitter and LinkedIn to learn extra unique content material we submit.
