
Déjà Vu With Scattered Spider: Are Your SaaS Doors Still Unlocked? - Andi Ahmeti & Abian Morina

BSides Munich, 29:54, published 2026-02

Transcript [en]

Hello everybody. Guten Tag. Thanks for coming to my session. Today's talk is going to be about Scattered Spider, so this is a déjà vu with Scattered Spider: we've seen this group before, and we're going to see if your SaaS doors are still unlocked. We're also going to talk about LUCR-3. You might wonder who LUCR-3 is. At Permiso we call them LUCR-3; you probably know them better as Scattered Spider. Microsoft folks call them Storm-0875, and Mandiant calls them UNC3944. So we have various names for these threat actors, and that's fine, because not everybody has the same intel and we all do the engagements a bit differently. So when I talk about LUCR-3, you'll know that we are referring to Scattered Spider.

Here's how we are going to spend the best 30 minutes of your life. We're going to start with an introduction about me. We're going to deep dive into who LUCR-3 actually is: who are the personas behind these groups? We're going to deep dive on the modern cloud attacks that they are using. We're going to explore new TTPs, and if we have time we're going to do a quick screenshot about hunting these guys with CloudGrappler, which is our own open-source tool.

Quick introduction about me, the most fun stuff. My name is Andi. I'm from Kosova. I'm a threat researcher at the US-based company called Permiso Security. And for the last three years, we've been dealing with these guys: LUCR-3, Scattered Spider, ShinyHunters, you name them. It's been a real pleasure seeing how they attack and how they evolve. During this time, I've also managed to develop and open-source three frameworks; you can see the links down at the bottom. Most of them are defensive frameworks, to help the community find the presence of these bad guys in your environments. This talk, or this research, was done with my fellow colleague Abian Morina. He is a fellow researcher at Permiso as well, but he couldn't make it because he has a master's exam. So we wish him good luck.

Okay, let's talk about who LUCR-3 is. Now, attribution here is really tough, and the reason why is how loosely connected these guys are. They are spread everywhere. Even big CTI teams like Mandiant, Microsoft and CrowdStrike are actually starting to track them at the persona level, just because of how loose they are; attribution to this group, or labeling this group, is kind of tough. Now, why do these guys like to take credit for others' attacks? Take an example: ShinyHunters versus Scattered Spider. If you go on the deep forums and ask them, "Guys, are you the same?" they will say, "Okay, yeah, yeah, we're in the same group." But are you going to believe threat actors saying that they are in the same group? I would not. Now, even though we might have some member overlap between these two groups, it's just not that simple.

So if you look on the left side, I have listed some of the arrests that were made of people connected to this group, to LUCR-3, so Scattered Spider. They were done last year, some of them during this year. But does that mean that the attacks have stopped? Probably we've seen a pause in their attacks, but historically they're known to bounce back, and they did in 2025. So again, even arresting these attackers just shows how many members there are and how decentralized they are.

Now let's talk about who they are. They're mostly loose teenagers, really good English speakers; I'm going to show on later slides why. Their main motivation remains money, but cloud also plays a big role. Unlike most threat actors, who, when they do an attack, just go into the shadows and don't like to be public, these guys like to be loud. They want to be seen by their peers or by the security community, and it's something which makes them really stand out.

Now again, what sets them apart is their approach. They usually start the initial access through identity takeover or social-engineering impersonation to get access. Then they will move laterally in your internal tools, just searching; we're going to go down into the SaaS reconnaissance later. But they also move strategically through industries. How they do it is they choose a vertical and they go hard on that. They finish that part, they go into the next one. So they usually started with telecoms, they moved on to large software tech firms, retail, airlines, and we're going to speak about that later. But again, why Scattered Spider gets so much attention is because of how loud and aggressive they are. So they're not just after the money. They want to be seen and they want recognition.

Next, let's do a recap of previous intrusions before we get into what their attacks look like now. On the right side, there's a flowchart of a previous engagement we had with our customer, roughly two years ago. If you look at it, you can see that there are more than five layers, and this attack spread over roughly 72 hours. So speed is a typical thing for these guys. Again, they usually start with the IdP, so identity-based access; from there they will do rapid reconnaissance on the SaaS layer. So they will go into your Slack, your Teams or your Jira ticketing system. They don't care about the product names. They don't care what you use internally. Yet they will use that for their own leverage to get to their mission as soon as possible. Their goal is to map who does what, and they just want to know more about the processes and communication between your team members. Let's say they want to get the source code of your company; they will likely target a dev identity. Once they do that, they will use your SaaS layer to get to know more about how things are going and who the people involved are. Again, the mission of these guys kind of depends on who the target is. If I'm going after a large software firm, what am I going to get money for? Probably the source code. Okay, let's go after that. If I'm going after the gaming industry, their main mission could be disruption of service, so people cannot go into the casinos, cannot play, and they're going to get the most money out of that using extortion. So again, whatever your industry is or whatever your crown jewels are, they will come after that and grab that part.

Okay, enough of the old stuff. Let's see what's new. Even though the first part is not new, it has been something in the first six months of 2025, and this was going after retail, insurance and airlines. Now, when we are talking about targeting these industries, it's not stealing data that matters as much as disruption of service. Of course, credential theft has always been a component of their attacks. But let's say if I'm going after retail, I'm probably going to get more money out of extortion over disruption of service: they will just shut down the registers, so they cannot do the normal transactions a retail company would, and at the end of course they will do some data theft. Why not? Let's get more money out of it. So the disruption of service for a retail company will probably be more damaging, and they're going to get the most money extorting that part.

One thing that has been really interesting is that now they're going directly to the help desk with social engineering. That's their way of initial access. Of course, phishing is always prevalent; they will always continue to do that, like most threat actors. But on our recent engagements, calling the help desk directly to get initial access was their go-to. Another interesting fact is that now they are targeting your CFO first, and that's really interesting. We haven't been able to actually solve this puzzle: why are they going after your CFO? It can probably be because the CFO is a really well-connected person, or they are trying to do some, I don't know, fraudulent wire transfers. But if that doesn't work out, they will target your IT admins or whoever has the most privilege to carry out their mission, and again I would expect them to go after that because they will need those privileges to finish their mission.

What is that mission in the most recent cases? To get on-prem as fast as possible. Now that might sound funny, because going on-prem has always been a component of what these guys do. They will go on-prem and do some ransomware deployment to get some money. But in the recent cases, ransomware deployment has been, how to say, an after-the-fact thing. So they will complete their mission, they will do disruption of service, and say, "Okay, why not, let's do a ransomware deployment and get some more money for that." So as soon as they get through the IdP layer, they will check for any reference to how to get on-prem. And how do you do that? Let's say you have a SharePoint file which you shared with all your employees or your developers or your security team, saying, "Okay, in order to get on-prem, on your domain controllers or any virtualization that you're doing, here you have a shared doc," or you just message that through your Slack, a PowerPoint or Microsoft Word document highlighting how you can get on-prem. In most of the cases they also attach the credentials there. So these guys know, and say, "Okay, let's use your SaaS, your internal tools, to learn how to get on-prem." We're going to be talking on later slides about how they're doing the on-prem pivot, but this is just a high-level thing: they're using the VPN, but in most of the recent cases they're using Azure Virtual Desktop to actually access the on-prem side from the SaaS side.

There used to be a really good time where, while doing threat hunting, as soon as you saw a login or some activity using the Mullvad VPN or a residential IP proxy, you'd say, "Okay, let me roll up my sleeves, I know I'm going to find something juicy in here," because these guys were using Mullvad. But that was a while back. So they're not doing that anymore. What they are doing, on our recent engagements, is that they are actually using these ASNs. If you are a SOC analyst, or in security or threat hunting in general, and you see those ASNs, you will say, "Okay, this is not good." The reason why is that it's what everybody's on. There are some really common cellular ASNs, so everyone is using them, so access anomaly detection here is kind of hard. If, let's say, you create an alert or signal only on this ASN, you're going to be swamped with false positives. So now they are just switching to really common ASNs to trick the defenders.

Again, a quick overview: main access going through the IdP, using social engineering of the help desk to get the initial access, moving to your SaaS tools to do reconnaissance and find how they can get on-prem. Mostly it has happened via Azure Virtual Desktop; VPN is also something which is known to be used for getting on-prem. As soon as they land on-prem, they have ESXi, vSphere, domain controllers just sitting there, and the damage is really worse. So it's really easy for them, even evading EDR detection, because what they are doing is they find your VM, they just pause the VM, they will mount the NTDS file into their own infrastructure, and they will carve all of the files that they need to carry out their mission. And the last thing which is really interesting is that during the recent engagements we saw activity in the data lake services. So Snowflake and Databricks: these guys love these environments too. And again, we have a more detailed slide which shows how they have evolved their way of attacking these data lake services.

Okay, let's talk about the interesting thing, which is how they're managing to trick the help desk guy into actually resetting their password. Something to consider is that they're not straight out calling the help desk and saying, "Hello, I forgot my password, can you help me out?" No, no, no. They're going to the Microsoft reset password page. They will type out the email or username of your CFO, or their target. From a detection stance, the actual event name which is going to be called is the reset flow activity progress, and it says that the user submitted their user ID, and obviously finding the email or username of the target is pretty easy.

Next they will be prompted with verification options, and now it varies. Here we see that it says you can text my mobile phone number, you can call my mobile phone number, you can do that through the authenticator, getting a notification prompt or just putting in the code. What they're doing here is that they're not just trying to put in random numbers. They're not trying to brute-force the authenticator app or do MFA push bombing, even though that has been a common thing in their previous intrusions. No, no, they are just staying there, and they will call the help desk guy.

Another interesting thing, sorry, is that Microsoft for some reason decides to display the last two digits of your number. Let's say an attacker has about 20 or 34 potential phone numbers of your CFO or your IT admin and would like to narrow down and find the actual phone number; Microsoft might give them a nice hint with those two last digits. Of course there are other ways to do this, but that was just something interesting to mention. So as soon as they do that, they will call the help desk guy and say, "Hello, my name is Tom, CFO, I forgot my password, can you help me out and reset it?" Sometimes it doesn't work, so they will switch to the next IT help desk guy, and the next. So they are being persistent, and they will come prepared: they will probably know your employee ID, they will probably know your middle name, your surname, your birthday. So they are prepared. They're doing their reconnaissance on their target before going in there. And after two or three calls, they must say, "Okay, the IT help desk is the weakest link in the chain." We say, "Okay, here you go, Tom. We have reset your password. You probably don't have access to your MFA, because obviously you couldn't reset your own password. And here you go: I will delete your old security info and I'm going to give you the possibility of enrolling a new MFA device." And the attacker does that, and after that it's a piece of cake for them.

From a detection stance, what's interesting here is that this is not odd: people forget their passwords, they lose their MFA devices, and if you are doing detection in a huge corporation, doing an alert each time an admin is deleting security info or resetting a password could be noisy. Now, what we've seen on recent engagements is that the timeline between when the reset flow is called and when these attackers call the IT help desk guy is less than five minutes. And that's odd for a normal user, because if you're a normal user and you forgot your password, you will go ahead and try to remember it. If you don't, you will go to the reset password page. You get prompted with the verification options. You will see if your number is listed there. If not, you will try your MFA device. So it takes more than five minutes. But these guys know that they don't have the password. They know that they are not the legitimate user. So they start out calling the help desk team. So if all those pieces of the puzzle start to fit, then you probably have something interesting.

Now, let's see how they're doing their reconnaissance in the SaaS applications. I think that SaaS is one of the most underrepresented areas for doing threat detection, and I get why: not all SaaS applications are the same. Some of them log horribly. In some of them, it's really hard even exporting the logs to view them, or, in recent cases like Salesforce, you have to actually pay 10% of what you pay Salesforce as a whole to even get the event monitoring feature. All of these things add up and give you nice reasons why you're not looking at these logs. But as soon as you do, you're going to find a lot of interesting stuff from these threat actors. Even for insider threat activity, or if you're into the latest DPRK IT worker stuff, searching through the SaaS logs is the way to go. For this group, again, what they like to do is go into your SaaS applications like SharePoint, Jira, Slack, and they will type out the exact search term that they need. The good thing about search terms is that they show intention. If I have a user who is searching for AKIA in a SharePoint doc, I know that they are going after some long-term access key on AWS. Or if they're going after AVD, VDI, vSphere, I know that they are going after the virtualization tools. So again, I've displayed here some of the most known search terms that this group is using, and again this is for their own purpose of getting on-prem as soon as possible. One interesting thing here is that not all SaaS apps have logging by default. SharePoint has logging enabled by default. But let's say attackers now are also doing search terms in Outlook, and that's not enabled by default. So you need to enable it. You can enable it on your whole organization or for certain mailboxes if they're on your identity watch list. These are some of the challenges you will face working with SaaS application logs.

I mentioned Snowflake. Let's talk about it. Again, Snowflake is a data lake service, and it's not the first time that they are abusing it. But a year or two ago, detection on Snowflake was kind of boring, and I'll tell you why. What they were doing was just creating queries like SELECT * FROM a certain database and copying into their external stage.

So it was pretty easy to detect that. It wasn't that they were doing some complex queries, so you could find out. But they are doing it now. Usually they go through federated access: they establish access via a valid identity. And for some companies who actually enforce tight access controls, they say to the developers, "In order to connect to Snowflake you need to go through the VPN," and that's totally fine. Again, what the attackers, what LUCR-3, did is search for the VPN docs, and they know how to get into Snowflake. Once they do that, it's a fresh environment for them. They want to know who the administrators are, what kind of role that identity has, what the interesting tables are for them to carve out the files, and they will do that in the reconnaissance phase. Going now to the authorization probing, or to the most complex thing: instead of using SELECT * FROM this database, they're actually creating procedures. With procedures you can also use other languages like JavaScript, and another good thing with procedures is that it helped them during their attack: instead of copy-pasting large queries to get the data out, they will just call the procedure and carry out their mission. Frankly speaking, on recent engagements companies were not prepared with the detections they needed, because they were only creating detections around, let's say, the SQL query syntax or the Snowflake query syntax and not the JavaScript. So it was easy to bypass that part. Next, companies are again really good at implementing access controls and egress controls, but they are not really good at monitoring them. Now, the mission of the attacker on Snowflake is just to get and export what they need from the database tables, and the way to go is to export them into an external stage. So they will export them to an S3 bucket or an Azure blob, wherever their own infrastructure is. But now they are prompted with an error which says that you are not enabled to create direct URL exports. Okay, that was enforced. What the attacker did was say, "Okay, can I actually just set that to false so it doesn't apply?" And eventually they did; they had the permission to do that. Once they do that, they can also use the other, loosened stage governance settings, which also disable them from copying the data to an external stage; they just set them all to false, and from then on they can just sit tight and enjoy the show by exporting all the Snowflake data into their own environment.

On-prem pivot. Again, what's interesting about these guys is not just the way they attack but the speed of it. On recent engagements they have been going from initial access to on-prem in hours. So within hours of initial access, they just went on-prem and carried out their mission. So: initial access through the IdP layer, searching for knowledge which is stored on SharePoint or OneDrive. Most of it was connecting to a VPN or Azure Virtual Desktop. They go into their on-prem activity, and from there on they were carrying out their mission, and again it depends who the target is. The missions might be credential harvesting, ransomware deployment; in the most recent cases it was disruption of service once they got on-prem. Again, an interesting thing we saw was that during the remediation phase for some of these attacks, when the remediation team was, let's say, deleting an account or a backdoor user or a setting that the attackers created in Entra ID in the cloud, what the attackers were doing was the same thing on AD on-prem. So using AD sync, those changes were getting synced again to the cloud. So it was just something persistent popping back up. Again, we don't know if that was intentional by them, but if it was, kudos to them, because it was really interesting and funny seeing that.

Okay, I'm going to go quick on this one. AWS is not a new thing for them. This is more from previous intrusions. What they like to do is carry out their mission through the management console. During last year there was an indicator of us saying, "Okay, these guys might not be as advanced as we think they are in terms of using the CLI; they might be using the management console," because frankly speaking it's easier to use the UI, or they have some kind of playbook saying, "Okay, click this, click this," that someone gave to them. S3 Browser is another clear indicator that they have used in recent attacks. S3 Browser is a thick client you can download on Windows where you can interact with the S3 service in AWS. Credential harvesting was always an interesting thing, disabling any forms of logging on AWS, S3 data theft. From the hunting perspective, again, doing some baselining on your activity with S3 Browser usage: if a certain user has never used S3 Browser and suddenly starts doing that, it's a nice thing to check for. Any policy creation where they're using the asterisk sign to give themselves root privileges. Secrets Manager via CloudShell is definitely something that they have been known to do.

Next: tooling to help. More than a year ago I open-sourced CloudGrappler, which is an open-source threat detection tool for cloud environments. It's really easy to use. It has about 170 TTPs from various threat actors: ShinyHunters, TeamTNT, LUCR-3. And currently it supports some of the major cloud service providers, AWS, Azure, GCP, and Salesforce. We keep it updated from time to time. It's pretty easy to use: you just specify where you're keeping your logs, whether that will be in your S3 bucket or your container on Azure, and it will immediately map out your own environment and find if there's any suspicious activity known to these threat actors.

Last but not least, Cloud Console Cartographer is another open-source tool which I developed with my manager Daniel Bohannon, and we presented it last year at Black Hat Asia. What this tool actually does is it's a visibility framework for the AWS console. Each time the attacker, or your normal user, logs in or clicks an EC2 instance or any service, it generates a whole bunch of API calls in the back. So let's say your user just created another role, assigned a policy to it, created an EC2 instance: that will generate 300, 400, 500 events. By using this tool, it will actually condense them and map them to actual clicks. So: the user logged into the AWS console, they visited the console home. So instead of having 400 or 500 API calls in your SIEM, you can actually just see them condensed to, let's say, five, seven or ten clicks. Okay, I think I'm on time. Yeah, thanks for your time. I hope this has been okay. Come on, man.

Thank you for the talk. Maybe we have time for one very short question. Do we have something in the audience? Otherwise you're around, right?
>> You're still at the con.
>> Huh?
>> You're still around?
>> Yeah. Yeah, I'm still around. You can reach out to me on any social media. We can just have a chat after the conference. Okay. Thank you.
Yep. Then let's do it. Thank you.
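The help-desk reset timing the speaker describes (self-service reset flow started, then an admin reset or MFA wipe for the same account within five minutes) can be turned into a correlation rule. The following is an added example written for this page, not code from the talk or from Permiso: it runs over constructed Entra ID-style audit events. The activity names, field names and sample accounts are assumptions modelled on the audit log; check the exact `activityDisplayName` and `resultReason` strings in your own tenant before using them.

```python
"""
Added example (not from the talk): flag help-desk password resets or
security-info deletions that land within a short window after a self-service
password reset (SSPR) flow was started for the same account.

Event shapes and activity names are modelled on Entra ID audit logs but are
constructed for this example; verify them against your own tenant export.
"""
from datetime import datetime, timedelta
import json

# Assumed activity names (approximations of Entra audit activityDisplayName values).
SSPR_FLOW = "Self-serve password reset flow activity progress"
HELPDESK_ACTIONS = {"Reset password (by admin)", "Admin deleted security info"}

# Constructed sample audit events (not real tenant data).
SAMPLE_AUDIT_LOG = [
    # Attacker-style sequence: SSPR flow started, help desk resets and wipes MFA ~3 min later.
    {"activityDateTime": "2025-06-10T09:01:12Z", "activityDisplayName": SSPR_FLOW,
     "resultReason": "User submitted their user ID",
     "initiatedBy": "tom.cfo@example.com", "target": "tom.cfo@example.com"},
    {"activityDateTime": "2025-06-10T09:04:30Z", "activityDisplayName": "Reset password (by admin)",
     "resultReason": "", "initiatedBy": "helpdesk1@example.com", "target": "tom.cfo@example.com"},
    {"activityDateTime": "2025-06-10T09:04:45Z", "activityDisplayName": "Admin deleted security info",
     "resultReason": "", "initiatedBy": "helpdesk1@example.com", "target": "tom.cfo@example.com"},
    # Legitimate user: tried SSPR, gave up, called the help desk 41 minutes later.
    {"activityDateTime": "2025-06-10T10:00:00Z", "activityDisplayName": SSPR_FLOW,
     "resultReason": "User submitted their user ID",
     "initiatedBy": "alice@example.com", "target": "alice@example.com"},
    {"activityDateTime": "2025-06-10T10:41:00Z", "activityDisplayName": "Reset password (by admin)",
     "resultReason": "", "initiatedBy": "helpdesk2@example.com", "target": "alice@example.com"},
    # Admin reset with no preceding SSPR flow (e.g. onboarding); should not be flagged.
    {"activityDateTime": "2025-06-10T11:00:00Z", "activityDisplayName": "Reset password (by admin)",
     "resultReason": "", "initiatedBy": "helpdesk2@example.com", "target": "bob@example.com"},
]


def parse_ts(s):
    """Parse the UTC timestamp format used by the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_fast_helpdesk_resets(events, window=timedelta(minutes=5)):
    """Return one finding per target account where a help-desk reset or
    security-info deletion follows an SSPR flow event within `window`.

    Grouping by target (not by initiator) is what ties the caller's own
    reset attempt to the admin action done on their behalf."""
    by_target = {}
    for e in events:
        by_target.setdefault(e["target"], []).append(e)

    findings = []
    for target, evs in sorted(by_target.items()):
        evs = sorted(evs, key=lambda e: parse_ts(e["activityDateTime"]))
        flow_times = [parse_ts(e["activityDateTime"]) for e in evs
                      if e["activityDisplayName"] == SSPR_FLOW]
        hits = []
        for e in evs:
            if e["activityDisplayName"] not in HELPDESK_ACTIONS:
                continue
            t = parse_ts(e["activityDateTime"])
            # Only SSPR flows that precede this admin action by at most `window` count.
            recent = [ft for ft in flow_times if timedelta(0) <= t - ft <= window]
            if recent:
                hits.append({"action": e["activityDisplayName"], "admin": e["initiatedBy"],
                             "seconds_after_sspr_flow": int((t - max(recent)).total_seconds())})
        if hits:
            findings.append({
                "target": target,
                "helpdesk_actions": hits,
                "seconds_to_first_helpdesk_action": min(h["seconds_after_sspr_flow"] for h in hits),
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_fast_helpdesk_resets(SAMPLE_AUDIT_LOG), indent=2))
```

The rule deliberately fires on the pair of events, not on either alone: admin resets and security-info deletions are routine in a large tenant, which is the noise the speaker warns about, while an SSPR flow followed by an admin action on the same account inside five minutes is the timing a legitimate user rarely produces.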
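The SaaS reconnaissance the speaker describes is visible in search logs because the terms show intent (AKIA for AWS long-term keys, VPN and AVD for remote access, vSphere and ESXi for virtualization). Below is an added example written for this page, not code from the talk or from Permiso, that scores constructed Microsoft 365-style search audit records per user and flags anyone whose queries span several intent categories. The operation names, field names, term groupings and sample users are assumptions; the list of terms is this example's own, not the speaker's slide.

```python
"""
Added example (not from the talk): hunt SaaS search logs for queries that
reveal an intent to get on-prem or to harvest credentials, and flag users
whose searches cover several intent categories.

Record shapes and Operation names imitate Microsoft 365 unified audit log
search events but are constructed here; verify against your own export.
"""
import re

# Term groups are this example's assumptions, chosen around the terms the talk mentions.
INTENT_PATTERNS = {
    "aws_long_term_key": re.compile(r"\bAKIA[A-Z0-9]*\b"),           # case-sensitive on purpose
    "remote_access":     re.compile(r"\b(vpn|avd|azure virtual desktop|vdi|citrix|rdp)\b", re.I),
    "virtualization":    re.compile(r"\b(vsphere|vcenter|esxi|hyper-?v)\b", re.I),
    "directory":         re.compile(r"\b(domain controller|active directory|ntds)\b", re.I),
    "secrets":           re.compile(r"\b(password|passwd|credentials?|secret|keepass|kdbx)\b", re.I),
}

# Constructed sample search events (not real audit data). The Exchange record stands in
# for mailbox search logging, which the talk notes is not enabled by default.
SAMPLE_SEARCH_EVENTS = [
    {"CreationTime": "2025-06-10T09:12:01", "UserId": "tom.cfo@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed", "SearchQueryText": "vpn"},
    {"CreationTime": "2025-06-10T09:13:40", "UserId": "tom.cfo@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed", "SearchQueryText": "vsphere"},
    {"CreationTime": "2025-06-10T09:15:05", "UserId": "tom.cfo@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed",
     "SearchQueryText": "domain controller password"},
    {"CreationTime": "2025-06-10T09:16:22", "UserId": "tom.cfo@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed", "SearchQueryText": "AKIA"},
    {"CreationTime": "2025-06-10T09:18:09", "UserId": "tom.cfo@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed",
     "SearchQueryText": "azure virtual desktop"},
    {"CreationTime": "2025-06-10T09:20:30", "UserId": "tom.cfo@example.com",
     "Workload": "Exchange", "Operation": "SearchQueryInitiatedExchange",
     "SearchQueryText": "esxi root password"},
    {"CreationTime": "2025-06-10T10:02:00", "UserId": "alice@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed", "SearchQueryText": "q2 budget"},
    {"CreationTime": "2025-06-10T10:05:00", "UserId": "alice@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed", "SearchQueryText": "travel policy"},
    {"CreationTime": "2025-06-10T10:30:00", "UserId": "bob@example.com",
     "Workload": "SharePoint", "Operation": "SearchQueryPerformed", "SearchQueryText": "vpn setup"},
]


def classify_query(text):
    """Return the set of intent categories whose pattern matches the search text."""
    return {cat for cat, pat in INTENT_PATTERNS.items() if pat.search(text)}


def summarize_search_intent(events):
    """Per user: the union of intent categories hit and the matching queries.
    Users whose searches match nothing are left out entirely."""
    summary = {}
    for e in events:
        cats = classify_query(e["SearchQueryText"])
        if not cats:
            continue
        entry = summary.setdefault(e["UserId"], {"categories": set(), "queries": []})
        entry["categories"] |= cats
        entry["queries"].append((e["CreationTime"], e["Workload"], e["SearchQueryText"]))
    return summary


def flag_users(summary, min_categories=3):
    """A single 'vpn' search is normal; several distinct categories from one
    identity in a short period is the intent signal worth a ticket."""
    return sorted(u for u, s in summary.items() if len(s["categories"]) >= min_categories)


if __name__ == "__main__":
    s = summarize_search_intent(SAMPLE_SEARCH_EVENTS)
    for user in flag_users(s):
        print(user, sorted(s[user]["categories"]))
        for q in s[user]["queries"]:
            print("   ", q)
```

The threshold on distinct categories rather than on raw hit count is what keeps an engineer who searches "vpn setup" once from being flagged, while an identity that asks for remote access, virtualization, directory and credential material in one sitting stands out. Extending the term list to your own internal product names (the speaker notes attackers search for whatever you actually use) is the natural next step.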