TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Huntress

Spidering Through Identity for Profit and Disruption | Huntress

2023-09-14

ATT&CK techniques detected

10 predictions
T1621 Multi-Factor Authentication Request Generation
92%
“- leveraging various phishing techniques to create credential - harvesting portals spoofing popular services. once acquired, the threat actor would then attempt to impersonate legitimate users. - overcoming multi - factor authentication ( mfa ) controls through “ mfa fatigue ” te…”
T1598 Phishing for Information
65%
“spidering through identity for profit and disruption | huntress on september 10, 2023, mgm resorts and gambling operations in las vegas faced widespread disruption and loss of it functionality. the action was subsequently linked to an entity referred to as “ scattered spider, ” a…”
T1078 Valid Accounts
54%
“and their associated behaviors are in constant coevolution with defender actions and capabilities. as defenders have gained increasing visibility into monitored environments and deployed various tools to identify clearly ( or likely ) malicious activity within these networks, adv…”
T1111 Multi-Factor Authentication Interception
50%
“- leveraging various phishing techniques to create credential - harvesting portals spoofing popular services. once acquired, the threat actor would then attempt to impersonate legitimate users. - overcoming multi - factor authentication ( mfa ) controls through “ mfa fatigue ” te…”
T1078 Valid Accounts
47%
“coverage to areas threat actors increasingly target. obviously, this action is not as easy as simply saying, “ users should take more training on social engineering, ” but if applied robustly and accurately, a combination of monitoring and defense against user identity abuse will…”
T1556.006 Multi-Factor Authentication
46%
“- leveraging various phishing techniques to create credential - harvesting portals spoofing popular services. once acquired, the threat actor would then attempt to impersonate legitimate users. - overcoming multi - factor authentication ( mfa ) controls through “ mfa fatigue ” te…”
T1566.002 Spearphishing Link
39%
“as demonstrated in the las vegas events. attack the user to breach the organization while information on the two las vegas intrusions is still emerging ( as of this writing ), the link to scattered spider as, at minimum, an initial access broker enabling follow - on ransomware op…”
T1021 Remote Services
34%
“and their associated behaviors are in constant coevolution with defender actions and capabilities. as defenders have gained increasing visibility into monitored environments and deployed various tools to identify clearly ( or likely ) malicious activity within these networks, adv…”
T1621 Multi-Factor Authentication Request Generation
32%
“the case of scattered spider actions, applying methodologies such as user logon profiling ( e. g., geographic and logical location profile for typical logon activity ), monitoring for actions highly correlated with account takeover or abuse activity, or identifying and correlatin…”
T1078 Valid Accounts
31%
““ boundary ” exists between the internal network environment and the untrusted external internet. from an internal monitoring and hardening perspective, various “ zero trust ” security approaches and architectures become helpful, but do not enable visibility into the areas advers…”

Summary

Dive into the recent Las Vegas casino cyberattacks linked to Scattered Spider, and learn how organizations can defend against such identity-based attacks.