Subject: Engage Report: SCATTERED SPIDER Ransomware Operations in the Cloud
Tactics: TA0003 Persistence (the procedure below is a persistence procedure; note that T1526 itself is an ATT&CK Discovery technique under TA0007)
Technique: T1526 Cloud Service Discovery (as tagged in the source report; the procedure below, abuse of Microsoft Entra cross-tenant synchronization, maps more closely to T1484.002 Domain or Tenant Policy Modification: Trust Modification)
Procedure:
- Compromise a privileged account within the victim tenant (e.g., Global Administrator or Security Administrator).
- Establish inbound synchronization into the victim tenant: add the attacker-controlled tenant as a partner in the victim tenant's cross-tenant access settings, allow inbound user synchronization from it (typically with automatic invitation redemption so no consent prompt is shown), and configure outbound synchronization in the attacker tenant to push accounts.
- Provision malicious accounts within the victim tenant as needed.
- Maintain persistence and potentially move laterally across connected tenants.
Vulnerability: EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
Engagement Opportunity:
- Lack of Monitoring and Detection Capabilities
- Deploy monitoring tools and configure alerts to detect suspicious cross-tenant synchronization activity, such as unauthorized provisioning of new user accounts or modifications to tenant access settings.
- Create decoy tenants with enticing data to lure attackers and observe their behavior within the controlled environment.
Threat Actor: SCATTERED SPIDER
Threat Objective:
Maintain persistent access within compromised cloud environments for potential data exfiltration, ransomware deployment, or other malicious activities.
Deception Opportunity:
Create decoy privileged accounts and decoy federation material (a "Golden SAML" lure: a planted, monitored token-signing certificate or federated identity provider) that, when used, resolves to a decoy tenant or network.
Sensor Data Placement: Cloud control-plane audit logs (Microsoft Entra audit and provisioning logs), not Kernel-Mode; cross-tenant synchronization is configured and executed entirely within the cloud identity service, so no host kernel observes it.
Observable Level: Core to Some Implementations of (Sub-)Technique
Scoring Rationale:
Detecting cross-tenant synchronization abuse requires monitoring Microsoft Entra audit and provisioning logs (cloud control-plane events, not kernel-level events) for behaviors that are core to the technique, such as the addition of an unapproved partner tenant to the cross-tenant access settings, the enabling of inbound user synchronization from that tenant, or the manipulation of existing synchronization settings.
Link to Report:
Link to Report II.:
Additional Comments:
Possible elements:
MSG (Pseudocode):
Cross-Tenant Synchronization abuse (tagged above as T1526, which is itself a Discovery technique; the closer ATT&CK mapping is T1484.002 Trust Modification)
Implementations
Compromised Privileged Account
Establish Inbound Synchronization
Provision Malicious Accounts
Lateral Movement Across Tenants
Observables
Privileged Account Activity
Level 3: Core to Pre-Existing Tool or Inside Boundary
Scoring Rationale: While privileged account activity is essential for executing this technique, relying solely on monitoring general privileged account actions may result in a high number of false positives. Adversaries can often blend their malicious activities with legitimate administrative tasks, making it difficult to distinguish between benign and malicious behavior. Therefore, this observable is scored as Level 3, as it is core to pre-existing tools and functionalities within the environment.
Tenant Access Settings
Level 5: Core to Sub-Technique or Technique
Scoring Rationale: Changes to tenant access settings, specifically those related to cross-tenant synchronization, are fundamental to the execution of this technique. These modifications are necessary for establishing and maintaining unauthorized access, making them highly robust indicators of malicious activity. As such, this observable is scored as Level 5, as it is core to the sub-technique or technique itself.
Synchronization Activity
Level 4: Core to Some Implementations of (Sub-)Technique
Scoring Rationale: Monitoring synchronization activity can be indicative of cross-tenant synchronization abuse, but it is not always a definitive indicator. Adversaries may utilize different approaches or obfuscate their actions to avoid detection through synchronization logs. Therefore, this observable is scored as Level 4, as it is core to some implementations of the (sub-)technique but not universally applicable.
Lateral Movement
Level 2: Core to Adversary-Brought Tool or Outside Boundary
Scoring Rationale: Lateral movement across tenants is often dependent on the specific tools and techniques employed by the adversary, which can vary significantly. Additionally, distinguishing malicious lateral movement from legitimate cross-tenant interactions can be challenging. As such, this observable is scored as Level 2, as it is core to adversary-brought tools and activities that may occur outside the defined boundary of the technique.
Notes
* The abuse of cross-tenant synchronization is a sophisticated technique that can be difficult to detect.
* Defenders should focus on monitoring privileged account activity, tenant access settings, and synchronization activity to identify potential abuse.
* Deception opportunities can be created by planting misleading synchronization settings or creating decoy tenants to lure attackers.
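The following is an added worked example, not code from the original report or from MITRE Engage. It runs the "Tenant Access Settings" (Level 5) and "Synchronization Activity" (Level 4) observables above as detection logic over a handful of constructed Microsoft Entra audit-log records. The record shape (activityDisplayName, initiatedBy, targetResources[].modifiedProperties[]) follows the Entra audit-log JSON export; the activityDisplayName strings, the "TenantId" and "UserSyncInbound" property names, the provisioning service-principal name, and the partner-tenant allowlist are assumptions and should be checked against a real export before use.

```python
"""Flag cross-tenant synchronization abuse in Microsoft Entra audit-log records.

Added example, not part of the original report. Sample records are constructed;
activity names, property names and the sync service-principal name are assumed
to match Entra's naming and must be verified against a real audit-log export.
"""
import json

# Assumed allowlist: partner tenants the organization has knowingly configured.
KNOWN_PARTNER_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Assumed Entra activityDisplayName values for cross-tenant access changes.
PARTNER_ADDED = "Add a partner to cross-tenant access setting"
SYNC_UPDATED = "Update a partner cross-tenant identity sync setting"
USER_ADDED = "Add user"
# Assumed substring of the service principal that performs inbound provisioning.
SYNC_SERVICE_MARKER = "cross-tenant synchronization"

ROGUE = "22222222-2222-2222-2222-222222222222"  # constructed attacker tenant id

# Constructed sample: a legitimate partner, then an unapproved partner added,
# inbound sync enabled for it, and a user provisioned by the sync service.
SAMPLE_AUDIT_RECORDS = [
    {"activityDateTime": "2024-03-01T09:00:00Z", "activityDisplayName": PARTNER_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"displayName": "11111111-1111-1111-1111-111111111111",
                          "modifiedProperties": [{"displayName": "TenantId",
                                                  "newValue": json.dumps("11111111-1111-1111-1111-111111111111")}]}]},
    {"activityDateTime": "2024-03-01T09:10:00Z", "activityDisplayName": PARTNER_ADDED,
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": ROGUE,
                          "modifiedProperties": [{"displayName": "TenantId", "newValue": json.dumps(ROGUE)}]}]},
    {"activityDateTime": "2024-03-01T09:11:00Z", "activityDisplayName": SYNC_UPDATED,
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"displayName": ROGUE,
                          "modifiedProperties": [{"displayName": "UserSyncInbound",
                                                  "newValue": json.dumps({"isSyncAllowed": True})}]}]},
    {"activityDateTime": "2024-03-01T09:30:00Z", "activityDisplayName": USER_ADDED,
     "initiatedBy": {"app": {"displayName": "Azure AD Identity Governance - Cross-tenant synchronization"}},
     "targetResources": [{"userPrincipalName": "svc-backup_attacker.example#EXT#@contoso.example",
                          "modifiedProperties": []}]},
]


def _unwrap(value):
    """modifiedProperties values are JSON-encoded strings in Entra exports; decode when possible."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def _props(rec):
    """Flatten modifiedProperties of all target resources into {displayName: newValue}."""
    out = {}
    for res in rec.get("targetResources", []):
        for p in res.get("modifiedProperties", []):
            out[p.get("displayName", "")] = _unwrap(p.get("newValue"))
    return out


def _initiator(rec):
    """Return ('user'|'app'|'unknown', identity) for who performed the action."""
    ib = rec.get("initiatedBy") or {}
    if ib.get("user"):
        return "user", ib["user"].get("userPrincipalName", "<unknown>")
    if ib.get("app"):
        return "app", ib["app"].get("displayName", "<unknown>")
    return "unknown", "<unknown>"


def _partner_tenant(rec, props):
    """Partner tenant id: prefer the TenantId property, else the target resource name."""
    tid = props.get("TenantId")
    if isinstance(tid, str) and tid:
        return tid
    for res in rec.get("targetResources", []):
        if res.get("displayName"):
            return res["displayName"]
    return None


def analyze(records, known_partners=KNOWN_PARTNER_TENANTS):
    """Return findings in time order; each carries the observable name and its Level score."""
    findings, rogue_tenants = [], set()
    for rec in sorted(records, key=lambda r: r.get("activityDateTime", "")):
        act, props = rec.get("activityDisplayName", ""), _props(rec)
        kind, who = _initiator(rec)
        base = {"time": rec.get("activityDateTime"), "initiator": who}
        if act == PARTNER_ADDED:                       # Tenant Access Settings, Level 5
            tenant = _partner_tenant(rec, props)
            if tenant not in known_partners:
                rogue_tenants.add(tenant)
                findings.append({**base, "observable": "Tenant Access Settings", "level": 5,
                                 "severity": "high", "tenant": tenant,
                                 "detail": "unapproved partner tenant added"})
        elif act == SYNC_UPDATED:                      # Tenant Access Settings, Level 5
            tenant = _partner_tenant(rec, props)
            sync = props.get("UserSyncInbound")
            if isinstance(sync, dict) and sync.get("isSyncAllowed") and tenant not in known_partners:
                rogue_tenants.add(tenant)
                findings.append({**base, "observable": "Tenant Access Settings", "level": 5,
                                 "severity": "high", "tenant": tenant,
                                 "detail": "inbound user sync enabled for unapproved tenant"})
        elif act == USER_ADDED and kind == "app" and SYNC_SERVICE_MARKER in who.lower():
            # Synchronization Activity, Level 4: provisioning by the sync service is normal
            # for approved partners, so escalate only when a rogue partner was seen earlier.
            target = (rec.get("targetResources") or [{}])[0].get("userPrincipalName", "<unknown>")
            findings.append({**base, "observable": "Synchronization Activity", "level": 4,
                             "severity": "high" if rogue_tenants else "medium",
                             "tenant": None, "detail": f"user provisioned by sync service: {target}"})
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_AUDIT_RECORDS), indent=2))
```

Run against a real export, the allowlist is the control that separates the Level 5 hits from routine partner management; the Level 4 hit is only raised to high by correlation with an earlier unapproved-partner event, which is why the first, legitimate record in the sample produces no finding at all.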