A persistent intrusion campaign has set its eyes on telecommunications and business process outsourcing (BPO) companies at lease since June 2022.
“The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform SIM swapping activity,” CrowdStrike researcher Tim Parisi said in an analysis published last week.
The financially motivated attacks have been attributed by the cybersecurity company to an actor tracked as Scattered Spider.
Initial access to the target environment is said to be undertaken through a variety of methods ranging from social engineering using phone calls and messages sent via Telegram to impersonate IT personnel.
This technique is leveraged to direct victims to a credential harvesting site or trick them into installing commercial remote monitoring and management (RMM) tools like Zoho Assist and Getscreen.me.
Should the target accounts be secured by two-factor authentication (2FA), the threat actor either convinced the victim into sharing the one-time password or employed a technique called prompt bombing, which was put to use in the recent breaches of Cisco and Uber.
In an alternative infection chain observed by CrowdStrike, a user’s stolen credentials previously obtained through unknown means were used by the adversary to authenticate to the organization’s Azure tenant.
Another instance involved the exploitation of a now-patched critical remote code execution bug in ForgeRock OpenAM access management solution (CVE-2021-35464) that came under active exploitation last year.
Many of the attacks further entailed gaining access to the compromised entity’s multi-factor authentication (MFA) console to enroll their own devices and assigning them to the users whose credentials had been previously captured.
This technique allowed Scattered Spider to establish a deeper level of persistence through legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control (formerly ScreenConnect) to avoid raising red flags.
Initial access and persistence steps are followed by reconnaissance of Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments as well as conducting lateral movement, while also downloading additional tools to exfiltrate VPN and MFA enrollment data in select cases.
“These campaigns are extremely persistent and brazen,” Parisi noted. “Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors.”
