A persistent intrusion campaign has been targeting telecommunications and business process outsourcing (BPO) companies since at least June 2022. Its end goal is access to mobile carrier networks in order to carry out SIM swapping, according to a CrowdStrike investigation. Researcher Tim Parisi detailed the findings in a report released last week, noting that the attackers' primary objective is to reach the carrier systems that let them transfer a victim's phone number to a device they control.
The identified threat actor behind these financially motivated attacks operates under the name Scattered Spider. Initial compromise into the target environment is reportedly achieved through various tactics, including social engineering techniques. The adversaries employ phone calls and Telegram messages that impersonate IT officials, thereby directing victims to credential harvesting sites or tricking them into installing remote monitoring tools like Zoho Assist and Getscreen.me.
Where victim accounts are protected by two-factor authentication (2FA), the attackers either talk the victim into reading out a one-time password or use a method known as prompt bombing (also called MFA fatigue or push bombing): they trigger a flood of push notifications until the victim approves one just to make them stop. The same technique featured in the breaches of Cisco and Uber earlier in 2022. The defensive implication is that a one-time code or a simple approve/deny push is only as strong as the user's willingness to refuse a convincing caller; number matching or phishing-resistant factors (FIDO2) remove the decision from the user.
CrowdStrike also observed an alternative initial-access vector in which stolen credentials, obtained by means the report does not specify, were used to log in to an organization's Azure environment. In another case the attackers exploited a critical pre-authentication remote code execution vulnerability in the ForgeRock OpenAM access management product (CVE-2021-35464), a flaw that was widely exploited in the wild in 2021 and has long since been patched, which makes its continued presence in the intrusion chain a reminder that internet-facing identity infrastructure needs to be patched promptly.
A notable aspect of these attacks involves the adversaries accessing the compromised organization’s multi-factor authentication (MFA) console to enroll their devices, giving them a stealthier and more persistent presence. By utilizing legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control, Scattered Spider can navigate the victim’s environment without immediate detection.
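The two identity-layer behaviours described above, a burst of MFA denials that ends in an approval and a new MFA method registered shortly afterwards, are both visible in sign-in and audit logs. The following is an added example written for this page, not code from CrowdStrike or the article: it runs two correlated detections over a handful of constructed, Azure AD-style events. The field names (`type`, `result`, `activity`, `method`) are simplified assumptions rather than the exact Entra ID schema, and the thresholds are illustrative.

```python
"""Detect MFA push bombing followed by attacker MFA enrollment.

Added example, not from the CrowdStrike report. Event format and field
names are assumptions that approximate Azure AD sign-in and audit logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). A "signin" event has a
# result of "mfa_denied" (push rejected or expired) or "success"; an
# "audit" event records a new MFA method being registered for the user.
SAMPLE_LOG = """
{"ts":"2022-12-01T02:10:05Z","type":"signin","user":"alice","ip":"203.0.113.7","result":"mfa_denied"}
{"ts":"2022-12-01T02:10:40Z","type":"signin","user":"alice","ip":"203.0.113.7","result":"mfa_denied"}
{"ts":"2022-12-01T02:11:15Z","type":"signin","user":"alice","ip":"203.0.113.7","result":"mfa_denied"}
{"ts":"2022-12-01T02:11:50Z","type":"signin","user":"alice","ip":"203.0.113.7","result":"mfa_denied"}
{"ts":"2022-12-01T02:12:30Z","type":"signin","user":"alice","ip":"203.0.113.7","result":"success"}
{"ts":"2022-12-01T02:14:02Z","type":"audit","user":"alice","ip":"203.0.113.7","activity":"mfa_method_registered","method":"Microsoft Authenticator"}
{"ts":"2022-12-01T09:00:00Z","type":"signin","user":"bob","ip":"198.51.100.4","result":"mfa_denied"}
{"ts":"2022-12-01T09:00:45Z","type":"signin","user":"bob","ip":"198.51.100.4","result":"success"}
{"ts":"2022-12-01T13:30:00Z","type":"audit","user":"carol","ip":"192.0.2.9","activity":"mfa_method_registered","method":"Phone"}
"""

PUSH_BOMB_DENIALS = 3                      # denials needed to call it bombing
PUSH_BOMB_WINDOW = timedelta(minutes=10)   # denials must fall in this window
ENROLL_AFTER_SUCCESS = timedelta(minutes=30)  # enrollment this soon is suspect


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events):
    """Alert when a user has >= PUSH_BOMB_DENIALS MFA denials inside
    PUSH_BOMB_WINDOW and then a success from the same source IP."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "signin":
            by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "success":
                continue
            recent = [e for e in evs[:i] if ev["ts"] - e["ts"] <= PUSH_BOMB_WINDOW]
            denials = [e for e in recent
                       if e["result"] == "mfa_denied" and e["ip"] == ev["ip"]]
            if len(denials) >= PUSH_BOMB_DENIALS:
                alerts.append({"user": user, "ip": ev["ip"],
                               "denials": len(denials), "success_at": ev["ts"]})
    return alerts


def detect_enrollment_after_push_bombing(events, push_alerts):
    """Alert when a new MFA method is registered within ENROLL_AFTER_SUCCESS
    of a sign-in that detect_push_bombing already flagged. Flagging the
    enrollment matters because it is what gives the intruder persistence."""
    alerts = []
    for ev in events:
        if ev["type"] != "audit" or ev["activity"] != "mfa_method_registered":
            continue
        for pa in push_alerts:
            delta = ev["ts"] - pa["success_at"]
            if pa["user"] == ev["user"] and timedelta(0) <= delta <= ENROLL_AFTER_SUCCESS:
                alerts.append({"user": ev["user"], "method": ev["method"],
                               "ip": ev["ip"], "registered_at": ev["ts"]})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections and return the alerts keyed by detection name."""
    events = parse_events(text)
    push = detect_push_bombing(events)
    enroll = detect_enrollment_after_push_bombing(events, push)
    return {"push_bombing": push, "mfa_enrollment": enroll}


if __name__ == "__main__":
    for name, found in run().items():
        for alert in found:
            print(name, alert)
```

On the sample data only alice fires both detections: four denials in under three minutes, an approval, then an Authenticator registration two minutes later. bob's single denial and carol's stand-alone enrollment stay quiet, which is the point of correlating the two signals rather than alerting on every new MFA method. In production the enrollment check should also compare the source IP against the user's sign-in baseline, since an attacker who obtained a password by other means (the Azure case in the report) never generates the denial burst.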
Once inside, the attackers carry out extensive reconnaissance across Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments. In some cases they also download additional tooling to exfiltrate VPN and MFA enrollment data, which lets them re-enter the environment through channels the victim considers trusted. According to Parisi, “These campaigns are extremely persistent and brazen,” emphasizing the urgency for organizations in the telecom and BPO sectors to remain vigilant against such threats.