Scattered Spider Getting SaaS-y within the Cloud



Scattered Spider

LUCR-3 overlaps with teams equivalent to Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identification Supplier (IDP) as preliminary entry into an surroundings with the objective of stealing Mental Property (IP) for extortion. LUCR-3 targets Fortune 2000 firms throughout numerous sectors, together with however not restricted to Software program, Retail, Hospitality, Manufacturing, and Telecoms.

Scattered Spider

LUCR-3 doesn’t rely closely on malware and even scripts; as a substitute, LUCR-3 expertly makes use of victims’ personal instruments, functions, and sources to realize their targets. At a excessive stage, Preliminary Entry is gained by way of compromising present identities within the IDP (Okta: Identification Cloud, Azure AD / Entra, Ping Identification: PingOne). LUCR-3 makes use of SaaS functions equivalent to doc portals, ticketing programs, and chat functions to find out how the sufferer group operates and easy methods to entry delicate data. Utilizing the info they gained from reconnaissance throughout the SaaS functions, they then perform their mission of knowledge theft. Data theft is often targeted on IP, Code Signing Certificates, and buyer information.

Attacker Attributes


LUCR-3 attribution is tough. Many people within the Cyber Intelligence neighborhood have even begun to trace the person personas individually. Additional complicated attribution, some LUCR-3 personas look like associates of ALPHV with entry to deploy BlackCat ransomware.
Very similar to LUCR-1 (GUI-Vil), LUCR-3 tooling, particularly in Cloud, SaaS, and CI/CD, largely makes use of internet browsers and a few GUI utilities equivalent to S3 Browser. Leveraging the native options of functions, identical to any worker would do, to hold out their objective.
LUCR-3 closely targets the IDPs for Preliminary Entry. Shopping for creds from frequent marketplaces and bypassing MFA through SIM swapping, social engineering, and push fatigue.
LUCR-3 does its homework on its preliminary entry victims, selecting identities that can have elevated privileges and even guaranteeing they supply from related geolocation as their sufferer identities to keep away from inconceivable journey (geo disparity) alerts.
LUCR-3 will make the most of the sufferer organizations software program deployment options, equivalent to SCCM, to deploy specified software program to focus on programs.


LUCR-3 is a financially motivated risk actor that makes use of information theft of delicate information (IP, Buyer information, Code Signing Certificates) to try extortion. Whereas extortion calls for do differ, they’re typically within the tens of hundreds of thousands of {dollars}. Some personas inside LUCR-3 will typically collaborate with ALPHV to hold out the extortion part of the assault.


LUCR-3 makes use of largely Home windows 10 programs working GUI utilities to hold out their mission within the cloud. Utilizing the native options of SaaS functions equivalent to search, LUCR-3 is ready to navigate by way of a company with out elevating any alarms. In AWS, the risk actor routinely leverages the S3 Browser (model 10.9.9) and the AWS administration console (through an internet browser). LUCR-3 makes use of AWS Cloudshell throughout the AWS administration console to hold out any exercise that requires direct interplay with the AWS API.


LUCR-3 typically targets giant (Fortune 2000) organizations which have Mental Property (IP) that’s useful sufficient that sufferer organizations are prone to pay an extortion payment. Software program firms are a standard goal as they goal to extort a payment associated to the theft of supply code in addition to code signing certificates. LUCR-3 will typically goal organizations that may be leveraged in a provide chain assault towards others. Identification Suppliers and their outsourced companies firms are continuously focused as a singular compromise of one in all these entities will enable for entry into a number of different organizations. In latest months, LUCR-3 has expanded its focusing on into sectors they have not beforehand targeted as a lot on, equivalent to hospitality, gaming, and retail.

Your CloudSec Knowledgeable


Find out how LUCR-3 (aka Scattered Spider) is compromising IDPs and increasing assaults towards laaS, SaaS and CI/CD pipelines.

Get a Cloud Menace Briefing

Attacker Lifecycle

AWS Attacker LifecycleAWS Attacker Lifecycle

Preliminary Recon

LUCR-3 does their homework when deciding on their goal sufferer identities. They guarantee they’re focusing on customers that can have the entry they should perform their mission. This consists of however will not be restricted to Identification Admins, Builders, Engineers, and the Safety group.

They’ve been identified to leverage credentials that had been obtainable in frequent deep internet marketplaces.

Preliminary Entry (IA)

LUCR-3’s preliminary entry into an surroundings is gained by way of compromised credentials. They aren’t performing noisy actions like password spraying to search out passwords. Once they join, they have already got a authentic password to make use of. The standard strategy for them is:

1. Establish credentials for the supposed sufferer id

Purchase credentials from frequent deepweb marketplacesSmishing victims to gather their credentialsSocial engineering assist desk personnel to realize entry to the credentials

2. Bypass Multi-factor Authentication (MFA)

SIM Swapping (when SMS OTP is enabled)Push Fatigue (when SMS OTP will not be enabled)Phishing assaults with redirects to authentic websites the place OTP codes are captured and replayedBuy or social engineer entry from an insider (final resort)

3. Modify MFA settings

Register a brand new deviceAdd various MFA choices

When LUCR-3 modifies MFA settings, they typically register their very own cell machine and add secondary MFA choices equivalent to emails. Indicators to observe for listed below are:

When a person registers a tool that’s in a special ecosystem than their earlier machine (Android to Apple for instance)
When a person registers a brand new machine that’s an older mannequin than their earlier machine
When a single cellphone (machine ID) is assigned to a number of identities
When an exterior electronic mail is added as a multi-factor choice

Recon (R)


As a way to perform their objective of knowledge theft, ransom, and extortion, LUCR-3 should perceive the place the essential information is and easy methods to get to it. They carry out these duties very like any worker would. Looking out by way of and viewing paperwork in numerous SaaS functions like SharePoint, OneDrive, information functions, ticketing options, and chat functions permits LUCR-3 to study an surroundings utilizing native functions with out setting off alarm bells. LUCR-3 makes use of search phrases focused at discovering credentials, studying concerning the software program deployment environments, code signing course of, and delicate information.


In AWS, LUCR-3 performs recon in a number of methods. They’ll merely navigate across the AWS Administration Console into companies like Billing, to grasp what kinds of companies are being leveraged, after which navigate every of these companies within the console. Moreover, LUCR-3 needs to know what packages are working on the compute programs (EC2 cases) in a company. Leveraging Techniques Supervisor (SSM), LUCR-3 will run the native AWS-GatherSoftwareInventory job towards all EC2 cases, returning the software program working on the EC2 cases. Lastly, LUCR-3 will leverage the GUI utility S3 Browser together with a long-lived entry key to view obtainable S3 buckets.

Privilege Escalation (PE)

LUCR-3 typically chooses preliminary victims who’ve the kind of entry needed to hold out their mission. They don’t all the time must make the most of privilege escalation strategies, however now we have noticed them accomplish that every so often in AWS environments.


LUCR-3 has utilized three (3) principal strategies for privilege escalation in AWS:

Coverage manipulation: LUCR-3 has been seen modifying the coverage of present roles assigned to EC2 cases ( ReplaceIamInstanceProfileAssociation ) in addition to creating new ones with a full open coverage.
UpdateLoginProfile: LUCR-3 will replace the login profile and, every so often, create one if it does not exist to assign a password to an id to allow them to leverage it for AWS Administration Console logons.
SecretsManager Harvesting: Many organizations retailer credentials in SecretsManger or Terraform Vault for programmatic entry from their cloud infrastructure. LUCR-3 will leverage AWS CloudShell to scrape all credentials which might be obtainable in SecretsManager and related options.

Set up Persistence/ Preserve Presence (EP)

LUCR-3, like most attackers, needs to make sure that they’ve a number of methods to enter an surroundings within the occasion that their preliminary compromised identities are found. In a contemporary cloud world, there are numerous methods to realize this objective, and LUCR-3 employs a myriad to keep up its presence.


After getting access to an id within the IDP (AzureAD, Okta, and many others.), LUCR-3 needs to make sure they’ll simply proceed to entry the id. So as to take action, they are going to typically carry out the next actions:

Reset/Register Issue: LUCR-3 will register their very own machine to ease their capacity for continued entry. As talked about beforehand, look ahead to ecosystem switches for customers in addition to single units which might be registered to a number of customers.
Alternate MFA: Many IDPs enable for alternate MFA choices. LUCR-3 will reap the benefits of these options to register exterior emails as an element. They’re good about selecting a reputation that aligns with the sufferer’s id.
Sturdy Authentication Kind: In environments the place the default setting is to not enable for SMS as an element, LUCR-3 will modify this setting if they’re able to. In AzureAD, you’ll be able to monitor for this by searching for the StrongAuthenticationMethod altering from a 6 (PhoneAppOTP) to a 7 (OneWaySMS)

To keep up persistence in AWS, LUCR-3 has been noticed performing the next:

CreateUser: LUCR-3 will try and create IAM Customers when obtainable. They select names that align with the sufferer id they’re utilizing for preliminary entry into the surroundings.
CreateAccessKey: LUCR-3 will try and create entry keys for newly created IAM Customers in addition to present IAM Customers that they’ll then use programmatically. Like GUI-Vil (LUCR-1), the entry keys which might be created are sometimes inputted into the S3 Browser to work together with S3 buckets.
CreateLoginProfile / UpdateLoginProfile: LUCR-3, when attempting to be extra stealthy or when they don’t have entry to create new IAM customers, will try and create or replace login profiles for present customers. Login profiles are what assign a password to an IAM Consumer and permit for console entry. This method additionally lets the attacker achieve the privileges of the sufferer’s id.
Credential Harvesting: As talked about beforehand, LUCR-3 finds nice worth in harvesting credentials from credential vaults equivalent to AWS SecretsManager and Terraform Vault. These typically retailer credentials not only for the sufferer organizations but additionally credentials which will enable entry to enterprise companions, expertise integrations, and even purchasers of the sufferer group.
Useful resource Creation: Lastly, LUCR-3 will create or take over present sources, equivalent to EC2 cases that may be leveraged for entry again into the surroundings in addition to a staging space for instruments and information theft as wanted.


LUCR-3 will use all of the functions obtainable to them to additional their objective. In ticketing programs, chat packages, doc shops, and information functions, they are going to typically carry out searches searching for credentials that may be leveraged throughout their assault.

Moreover, many of those functions enable the creation of entry tokens that can be utilized to work together with the SaaS functions API.


LUCR-3 may also generate entry tokens for interacting with the APIs of your code repositories, equivalent to GitHub and GitLab.

Protection Evasion (DE)

We have now noticed that LUCR-3 considerably focuses on protection evasion ways in numerous environments. That is clearly to keep away from detection so long as potential till they’re positive they’ve achieved their mission targets and are able to carry out ransom and extortion actions. They accomplish this by way of a number of means relying on the kind of surroundings they’re in.


LUCR-3 employs largely frequent protection evasion strategies in AWS, with a few distinctive flares.

Disable GuardDuty: LUCR-3 will carry out the standard deletion of GuardDuty detectors but additionally tries to make it tougher so as to add again to the org stage by deleting invites. That is completed by way of the next three instructions: DisassociateFromMasterAccount, DeleteInvitations, DeleteDetector
Cease Logging: LUCR-3 additionally makes an attempt to evade AWS detections by performing DeleteTrail and StopLogging actions.
Serial Console Entry: This can be giving LUCR-3 an excessive amount of credit score, however now we have noticed them EnableSerialConsoleAccess for AWS accounts they’ve compromised after which try to make use of EC2 Occasion Hook up with SendSerialConsoleSSHPublicKey which is able to try to determine a serial connection to a specified EC2 occasion. This may be leveraged to keep away from community monitoring, as serial connections are hardware-based.

LUCR-3 clearly understands that one of many extra frequent detections in place for IDPs is to watch and alert on inconceivable journey. To keep away from these inconceivable journey detections, LUCR-3 will make sure that they supply from the same geolocation as their sufferer id. This appears to be largely completed through using residential VPNs.

DE-M365/Google Workspace

A few of LUCR-3’s actions in an surroundings, equivalent to producing tokens and opening up assist desk tickets, trigger emails to be despatched to the victims’ mailboxes. LUCR-3, already sitting in these mailboxes, will delete the emails to keep away from detection. Whereas electronic mail deletion by itself is a really weak sign, searching for electronic mail deletions through the net model of Outlook with delicate phrases like OAuth, entry token, and MFA may deliver to mild greater constancy indicators to observe.

Full Mission (CM)

LUCR-3 has one objective: monetary achieve. They do that largely by way of extortion of delicate information that they’ve collected through the native instruments of the sufferer organizations’ SaaS and CI/CD functions. In AWS, that is completed by information theft in S3 and in database functions equivalent to Dynamo and RDS.

Whereas within the SaaS world, they full their mission by looking and downloading paperwork and internet pages through a conventional internet browser.

On the CI/CD aspect, LUCR-3 will use the clone, archive, and think about uncooked options of Github and Gitlab to view and obtain supply information.



Permiso purchasers are protected by the next detections:

Scattered Spider

Discovered this text fascinating? Comply with us on Twitter  and LinkedIn to learn extra unique content material we submit.


Supply hyperlink

What do you think?

Written by TechWithTrends

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings


Reddit unveils Advertisements Supervisor updates for improved group focusing on


Chromebooks have not made a dent in India, however that is likely to be about to vary