Saturday, December 14, 2024

New Developer-As-A-Service In Hacking Forums Empowering Phishing And Cyberattacks


SCATTERED SPIDER, a ransomware group, leverages cloud infrastructure and social engineering to target insurance and financial institutions. It uses stolen credentials, SIM swaps, and cloud-native tools to gain and maintain access, and impersonates employees to deceive victims.

The group's partnership with BlackCat has enhanced its ability to target Western organizations, since its members understand Western business practices.

The group frequently exploits leaked cloud authentication tokens, which are often inadvertently exposed in public repositories, to gain unauthorized access to corporate networks; such tokens give attackers a means to automate and scale their attacks against cloud infrastructure.

Example of AWS token leak in GitHub 
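The token-leak problem described above is something defenders can catch before a commit leaves the building. The following is an added example, not code from the article or from any vendor it cites: a small scanner that flags AWS access key IDs by their fixed prefix and length, and flags secret access keys only when they sit on a line that names the variable and the value has enough entropy to be a real key rather than a placeholder. The sample `.env` content is constructed and uses the AWS documentation example key pair.

```python
import math
import re
from typing import Dict, List

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for long-term IAM
# user keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 base64-like characters. On their own they look like any
# other token, so we only flag them when the line also names the variable.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample of a .env file of the kind that gets committed by mistake.
SAMPLE_ENV = """\
# constructed .env file (example values from the AWS documentation)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder that should NOT be reported as a real secret
AWS_SECRET_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
DB_PASSWORD=hunter2
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Real secrets are close to random; placeholders are not."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, min_secret_entropy: float = 4.0) -> List[Dict]:
    """Return one finding per suspected AWS credential, with the line it sits on."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            # Drop low-entropy values (all-A placeholders, "xxxx..." templates).
            if shannon_entropy(secret) >= min_secret_entropy:
                # Never echo the full secret into logs or CI output; keep a short prefix.
                findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": secret[:4] + "..."})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV):
        print(finding)
```

Wired into a pre-commit hook or a CI job over the diff, the same function stops the exposure at the source; any key it does report should be treated as compromised and rotated, not just deleted from the repository.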

The group uses phishing and smishing campaigns to target high-privileged accounts in cloud services such as Microsoft Entra ID and AWS EC2, and also targets SaaS platforms such as Okta, ServiceNow, and VMware Workspace ONE with phishing pages that mimic SSO portals.


Smishing campaigns are used to trick victims into clicking malicious links that lead to phishing websites aimed at stealing login credentials and intercepting OTPs.

Typosquatted domain and phishing against US-based financial services.

Credential stealers are used by SCATTERED SPIDER to harvest cloud service authentication tokens from victims’ devices, which are then sold on underground forums, allowing attackers to gain unauthorized access to cloud resources like AWS, Azure, and GCP.

SCATTERED SPIDER employs SIM swapping to bypass MFA on SaaS applications, gaining access to cloud infrastructures.

The threat actors create unauthorized VMs to evade detection and steal data, abusing legitimate cloud tools for remote command execution and data transfer.

AWS tokens being sold on underground forums.

Telecom Enemies, a developer-as-a-service (DaaS) group, offers phishing kits and tools such as Gorilla Call Bot. SCATTERED SPIDER members use its services for malicious activity, targeting services such as Coinbase and Gmail.

Telecom Enemies’ tools are widely promoted on Telegram and sold on underground forums, with members specializing in web app exploitation, network infiltration, and malware development. 

The group uses open-source tools to gather information from cloud environments, focusing on Active Directory and Microsoft 365, with the aim of identifying valuable data, compromising additional accounts, escalating privileges, and moving laterally across the network.

The attackers target password management tools, network architecture, VDI/VPN configurations, PAM solutions, personnel information, third-party data, and extortion-related data.

Example detections of reconnaissance tools and scripts.

The group leverages Cross-Tenant Synchronization (CTS) and federated identity providers to maintain persistent access in Microsoft Entra ID environments.

Attackers compromise privileged accounts to configure CTS and create malicious federated domains, allowing them to provision malicious accounts and generate forged authentication tokens. 
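Both of the persistence mechanisms described above leave a footprint in tenant configuration, which makes them auditable. The following is an added example, not code from the article or from EclecticIQ: it compares a tenant's verified domains and cross-tenant partner settings against an allow-list and reports any federated domain or inbound-sync partner the organization did not expect. The field names follow the shape of Microsoft Graph's `/domains` and `/policies/crossTenantAccessPolicy/partners` resources as an assumption; the JSON values themselves are constructed, and fetching the live data from Graph is left to the caller.

```python
from typing import Dict, List, Set

# Constructed sample of tenant configuration, shaped like the Graph responses for
# /domains and /policies/crossTenantAccessPolicy/partners (with identitySynchronization
# expanded). Tenant IDs and domain names are made up for the example.
SAMPLE_DOMAINS = [
    {"id": "corp.example", "authenticationType": "Managed", "isVerified": True},
    {"id": "sso.corp.example", "authenticationType": "Federated", "isVerified": True},
    # A federated domain nobody on the identity team recognises is the red flag.
    {"id": "login-corp-example.com", "authenticationType": "Federated", "isVerified": True},
]
SAMPLE_PARTNERS = [
    {"tenantId": "00000000-0000-0000-0000-000000000001",
     "automaticUserConsentSettings": {"inboundAllowed": False},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": False}}},
    # Inbound user sync plus automatic consent lets a partner tenant push accounts in.
    {"tenantId": "00000000-0000-0000-0000-000000000002",
     "automaticUserConsentSettings": {"inboundAllowed": True},
     "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}}},
]
# Allow-lists maintained by the identity team (constructed for the example).
KNOWN_FEDERATED: Set[str] = {"sso.corp.example"}
KNOWN_SYNC_PARTNERS: Set[str] = {"00000000-0000-0000-0000-000000000001"}


def audit(domains: List[Dict], partners: List[Dict],
          known_federated: Set[str], known_sync_partners: Set[str]) -> List[Dict]:
    """Report federated domains and inbound cross-tenant partners outside the allow-lists."""
    findings: List[Dict] = []
    for d in domains:
        if d.get("authenticationType") == "Federated" and d["id"] not in known_federated:
            findings.append({"type": "unexpected_federated_domain", "subject": d["id"]})
    for p in partners:
        tid = p["tenantId"]
        sync = p.get("identitySynchronization", {}).get("userSyncInbound", {}).get("isSyncAllowed", False)
        consent = p.get("automaticUserConsentSettings", {}).get("inboundAllowed", False)
        if (sync or consent) and tid not in known_sync_partners:
            findings.append({"type": "unexpected_cross_tenant_inbound", "subject": tid,
                             "sync_allowed": sync, "auto_consent_inbound": consent})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAINS, SAMPLE_PARTNERS, KNOWN_FEDERATED, KNOWN_SYNC_PARTNERS):
        print(finding)
```

Run on a schedule, a non-empty result is the signal to check the directory audit log for who added the domain or partner and when, since a legitimate change will have a ticket behind it and a persistence implant will not.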

According to EclecticIQ, they also employ RMM tools and protocol tunneling to establish remote connections and bypass network defenses.

Linux version of the BlackCat ransomware downloading itself from BlackBaze.

SCATTERED SPIDER employs various techniques to evade detection and disable security measures, including using residential proxies, disabling security tools, creating virtual machines, and exploiting cloud identity systems. 

Automated scripts targeting VMware ESXi and Azure alter root passwords and disable security tools before encrypting data.

Organizations can mitigate risks by strengthening authentication, closely monitoring suspicious activity, and implementing comprehensive cloud security measures.
