Scattered Spider hackers switch focus to cloud apps for data theft
2024-06-14 15:04

The Scattered Spider gang has started to steal data from software-as-a-service applications and establish persistence by creating new virtual machines.

While there are reports about Scattered Spider being an organized gang with specific members, the group is actually a loose-knit collective of English-speaking individuals who work together to carry out breaches, steal data, and extort their targets.

Scattered Spider relies on social engineering techniques that often target corporate help desk agents in an attempt to gain initial access to a privileged account.

After gaining access to a victim's environment, Scattered Spider has been observed to use Okta permissions associated with the compromised account to reach the victim company's cloud and SaaS applications.

The threat actor uses legitimate cloud syncing tools like Airbyte and Fivetran to move victim data to their own cloud storage on reputable services like Google Cloud Platform and Amazon Web Services, the researchers say.

Mandiant observed Scattered Spider pivoting to various client SaaS applications for reconnaissance and data mining, e.g. vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, Workday, and GCP. For instance, the threat actor used the Microsoft Office Delve search and discovery tool for Microsoft Office 365 to identify active projects, discussions of interest, and confidential information.


News URL

https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-switch-focus-to-cloud-apps-for-data-theft/