Understanding Scattered Spider, and how they perform cloud-centric identity attacks


Scattered Spider is an active cyber-attack group that goes by many names. You might hear them referred to as Starfraud, UNC3944, Scatter Swine, Octo Tempest, Muddled Libra, and of course, Scattered Spider. Their focus is on developing playbooks that result in reproducible (mainly identity-based) attacks with high success rates.

While many attackers use identity to infiltrate organizations, Scattered Spider has become especially effective at bypassing MFA and getting in through cloud identities. They transition into living-off-the-land attacks that span the entirety of the enterprise: cloud, network, and everything an identity touches.

What does Scattered Spider do?

Scattered Spider has a history of both traditional and hybrid attacks on cloud enterprise environments. Their goal is to target data wherever it is the most valuable.

Their ransomware strategy focuses on denial of service and extortion for stolen data. By encrypting systems and blocking access, they shut down operations from the inside, making it hard to do business. Ultimately, they exfiltrate the data and demand payment or threaten to release or use the data against you.

Cloud-centric Scattered Spider attacks

Image based on Mandiant SIM swapping documentation

In this documented attack example, Scattered Spider compromised an Entra ID identity through SMS phishing. From there they pivoted into Azure platform-as-a-service (PaaS) resources, used those to reach Azure IaaS, and deployed command and control there, giving the attackers a foothold in the infrastructure. They were able to span multiple attack surfaces with minimal preventative measures in place to stop them.

Scattered Spider is highly effective at accessing and abusing identity

The diagram below shows the documented cloud identity techniques used by this attack group. There is the traditional MITRE view of the identity techniques Scattered Spider has available to them in the cloud, such as SIM swap, MFA bombing, voice phishing, etc. Once they’ve bypassed MFA, they register persistence at the device level and the tenant level, manipulate accounts, and begin harvesting data. Ultimately, it’s not just identity tactics at play; they span the gamut of the…

Source…

TVC inspects cyber security | Local News


TRAVERSE CITY — Cherry Capital Airport will explore its data and computer systems security through a “vulnerability study” authorized by the Northwest Regional Airport Authority Board.

The board recently approved a $9,600 contract with Traverse City-based Windemuller Electric — the airport’s information technology (IT) contractor — to conduct a vulnerability assessment of the airport’s computer network along with an internal audit of its digital systems.

“Obviously, cyber security is very important these days,” said Bob Nelesen, TVC’s airport engineer and zoning administrator. “We’re highly proactive in terms of our cyber security concerns.”

Cyber security breaches within public institutions have made local headlines in recent weeks following a massive disruption of the computer network at Traverse City Area Public Schools that shut down the school system for two days in early April, and prompted an ongoing investigation into the hack by state and federal authorities.

Nelesen said the airport’s cyber security inspection wasn’t prompted by that incident, but that industry standards set by the Department of Homeland Security and the National Institute of Standards and Technology require airports to conduct annual cyber security inspections to maintain the necessary security levels.

Nelesen said the airport also works with the State Police’s Michigan Cyber Security Command — which is also involved in the TCAPS hacking investigation — on cyber security measures.

Nelesen said the Department of Homeland Security and NIST — which is a branch of the U.S. Department of Commerce that sets technology measures and standards to enhance security in fast-evolving sectors such as nanotechnology, quantum information science and homeland security — implemented new cyber security requirements for airports two years ago.

“I would say we’ve had good IT procedures in place,” he said. But as the airport continues to expand in terms of more airline service providers and more activity…

Source…

Chinese Botnet As-A-Service Bypasses Cloudflare


A large botnet-as-a-service network originating from China was discovered, which comprises numerous domains, over 20 active Telegram groups, and utilizes other domestic communication channels. 

The infrastructure that supports this botnet, located in China, raises concerns about the potential for large-scale, coordinated attacks. Botnets are collections of compromised devices that attackers can remotely control. 

The attackers can then use the botnet’s combined processing power to disrupt operations, steal data, or launch denial-of-service attacks that overwhelm targeted systems with traffic, rendering them inaccessible to legitimate users.

Even a target that uses these well-known DDoS protection services is still at risk of being knocked offline, because this group has developed techniques and a botnet that can bypass the latest DDoS protections from Cloudflare and other vendors.


The technical particulars of how the methods and botnets operate are not known to the general public; however, it is evident that they are successful in evading the defenses that are currently in place. 

Malicious actors within these online groups target the domain names of European companies across various sectors; those domains act as the unique identifiers for each company’s website and online presence.

By compromising these domains, attackers could redirect users to fraudulent websites designed to steal data or spread malware, highlighting the exposure of the Domain Name System (DNS), the infrastructure that translates domain names into IP addresses.

Protecting these domains and implementing stringent DNS security measures is absolutely necessary for European businesses to safeguard their online operations and customers’ trust. 

Screenshot of one of the channels

A report by EPCYBER alleges that a website was able to launch a DDoS attack against itself, successfully bypassing Cloudflare’s latest DDoS protection measures, raising concerns about a potential vulnerability in Cloudflare’s system.

DDoS attacks work by overwhelming a target system with a deluge of…

Source…

A third of Americans could have had data stolen in big health care hack


Kent Nishimura/Getty Images

UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill in Washington, DC, on May 1, 2024. In February, hackers stole health and personal data of what UnitedHealth says is “potentially a substantial proportion” of patient information from its systems.

CNN —

A third of Americans may have had their personal data swept up in a February ransomware attack on a UnitedHealth Group subsidiary that disrupted pharmacies across the US, UnitedHealth CEO Andrew Witty estimated in testimony to Congress on Wednesday.

It will likely take “several months” before UnitedHealth is able to identify and notify Americans impacted by the hack because the company is still combing through the stolen data, Witty said in written testimony.

In hours of hearings in the Senate and House Wednesday, Witty apologized to patients and doctors, admitted that hackers broke into the subsidiary through a poorly protected computer server and confirmed that he authorized a $22 million ransom payment to the hackers.

The testimony shows that the scope of what experts consider to be the most significant health care cyberattack in US history is even bigger than previously known. And the hacking incident has led some lawmakers to call for cybersecurity regulations for health care companies.

The February ransomware attack paralyzed computers that Change Healthcare, the UnitedHealth subsidiary, uses to process medical claims across the country. Health providers were cut off from billions of dollars in payments, according to one hospital association, and some health clinics told CNN they were close to running out of money. The Department of Health and Human…

Source…