
Hello everyone, thank you for joining us. I'm Abian Morina and this is Andi Ahmeti. This is our first time having a joint presentation and we're so excited to present in bidan. Today we're going to talk about cloud warfare. We're going to focus on Scattered Spider, which is a threat actor group, and the way we picked our title, "Grappling with Scattered Spider", is because there's a tool that Andi will present, CloudGrappler, and we thought of this title. Before we start diving into Scattered Spider, let's have a look at the agenda to show what we're going to be talking about today.

First we're going to do the introduction: who we are, what expertise we bring, what we do for work. After we set the stage for our expertise, we're going to stop at understanding LUCR-3: who they are, what they do and why we call them LUCR-3. Then we'll dive into modern cloud attacks and talk about how an attack typically unfolds. Then we're going to go deeper into the IaaS layer and talk about AWS TTPs. Then Andi will cover cloud logs for defenders and hunting with CloudGrappler, and we'll wrap the session by summarizing everything we have talked about.

First up, the introduction. I'm Abian Morina, as I said. I come from a small city in Kosovo called Gjakova. I started cyber security at a young age, initially through hacking video games, and then it became a legitimate career path when I started studying. I finished my bachelor studies last year in computer science and engineering, specializing in information security and assurance. I've been at Permiso for over a year now, where we've been doing detection, threat hunting and presenting, which is the best part, and which we're new at. So, Andi.

Hello everyone, my name is Andi Ahmeti and, unlike Abian, I come from a bigger and better city in Kosovo, called Prishtina. I've obtained a bachelor degree in computer engineering at the University of Prishtina. I started my security career at Permiso as an intern, then proceeded as a full-time employee, and now it has been over a year and it was a great experience. During this time, apart from doing great research and hunting for threat actors, I've also developed two open source tools: one is called CloudGrappler, which we're going to talk about today, and the other is Cloud Console Cartographer, where I'm a co-author with my manager Daniel Bohannon. Back to you, Abian.

Thanks, Andi. In our current role we focus on investigating malicious activity, researching new detection techniques and developing tools to strengthen cloud security. We work closely with our p0 Labs team, who are over there, to detect and respond to sophisticated threat actors, ensuring that the cloud infrastructure of our clients remains secure. Permiso acts as a vigilant defender in the cloud, protecting both human and non-human identities. We leverage machine learning techniques, we have over a thousand detection rules, and we try to trigger only high-fidelity alerts, which are from threat actor groups such as LUCR-3.

Let's dive into the fun part: understanding LUCR-3. Every organization tends to have its own naming convention; LUCR-3 is ours. "LUCR" represents our threat actor groups and "3" means it's the third one graduated in that cluster. You might know them better as Scattered Spider, a name which is more known in the cloud security community, but there are also other names that you might have heard, such as 0ktapus or Roasted 0ktapus. Mandiant refers to them as UNC3944. Microsoft initially called them Storm-0875 before transitioning to the name Octo Tempest, but you might have heard them under other names as well.

What is their mission? Mission-wise, LUCR-3 is all about financial gain.
Their journey started with small Roblox gift card schemes; that was where they first got their feet wet. From there they transitioned into a crypto mining phase, but they didn't stop at that. They quickly moved into extortion, and when I'm talking about extortion I'm talking about millions of dollars in extortion requests. What's particularly notable about LUCR-3 is their persistence: just three months after they were in, they often strike back. If you paid that extortion fee, they're going to assume that you're going to pay it again, but if you didn't, they're going to hurt you more this time so that you pay, to increase the pressure.

Victimology: initially they targeted telecoms, leveraging SIM swapping tactics to gain control of phone numbers. This was their bread and butter early on. After telecoms they shifted into big software firms, focusing on stealing code signing certs and source code, which allowed them to demand a high extortion fee. They worked on this for a while until it became less profitable. As opportunities in software dried up, they expanded into other industries such as gaming and healthcare, focusing on each sector for a few months and then moving on to the next. However, recently their targeting has become less predictable, because they're hitting multiple targets at the same time.

Consistent themes. First of all, we need to know that they do their homework: they check who they're targeting, they know who to target. They usually go for three targeted personas. Usually it's identity admins, because these are the folks managing Azure AD and Okta and basically controlling everything; if they can compromise these accounts they've hit the jackpot. Second, if their goal isn't stealing code signing certs but rather disrupting services, such as in the gaming industry, they go after sysadmins, because these are the folks keeping everything running, and hurting them can cause a lot of damage. Three, there is us, the security folks. Let's be honest, we often whitelist our own activity, we don't have a look at what we do, and we don't pay attention to our own activity. LUCR-3 loves this. They want us to know that they have been in our environment, but only when they're ready to extort us and hit us with their mission.

They use a lot of GUI tooling; I'll talk about S3 Browser later on. What also sets this group apart is that they are willing to pick up a phone: if they run into trouble, instead of troubleshooting themselves, they pick up the phone and call a help desk to help them out, and often the help desk helps them even a little more than it should. Very little malware is used: in cloud and SaaS environments there's little to no malware, and when they do engage on-prem it's often classic and well-known techniques. They're opportunistic about the tooling they use; they don't care if you're using Notion or Confluence, they'll use any tooling that you have against you. And finally, they like to watch and learn about how you're enriching data and how you do things, to make their attack more effective.

Let's move on to modern cloud attacks. Let's have a high-level overview of how a modern cloud attack typically unfolds. When people talk about cloud attacks today they often focus only on the IdP side, or the Azure side, or the AWS side, but that's just one part of the picture. The reality is that everything is interconnected, starting from the IdP. Initial access often begins with the IdP, and once they're in, the attackers focus on learning about your environment. They'll move into your SaaS portals, running queries just like a regular user would. What makes these attackers so effective is that they blend in: they will look just like a normal admin doing their job. They use SaaS to gather information about what they need to carry out their mission, whether that is targeting your IaaS layer for credential harvesting or data theft, or diving into your CI/CD pipeline to steal source code or code signing certs. By the time they're executing their mission, they've already gathered everything they need to make the attack.

On the IdP side, they're doing their research. As I said, they pick a persona, they pick a person where they know where they live, so they can emulate that access pattern. So much so that in very specific engagements the attacker was coming from the same exact ASN as the victim user normally comes from, and with access patterns being so familiar, it's very hard from the IR stance to tell the good from the bad. Adding to that, they're using residential proxies to get close enough to avoid tripping geolocation or feasibility rules. This means they can log in from locations that look familiar, as a legitimate user would normally access from, which complicates detection. When it comes to credentials, they'll do whatever it takes to get them: they'll buy them, they'll bribe their way into creds, they'll also coerce people to get those creds. Once they get the creds, getting past MFA can be as simple as a SIM swap or push fatigue. Often after they log in, they know how hard it was to get there, so they downgrade the MFA, they switch to SMS, and they also add a new email for the password reset in case they need it.

For the hunts, things we should be looking for are: how many people have more than one phone? We can see a few people that have more than one phone, but it shouldn't be too many. How many people switch platforms? We've only ever seen these guys use iPhone devices, never Android, so checking for switching platforms from Android to iPhone can be an indicator. How often do people downgrade phones? If we see someone going from an iPhone 15 to an iPhone 11, that's a bit unusual; no one downgrades phones, right? Such abnormal patterns should be looked for when we're not dealing with straightforward malware, just small things that stand out from normal behavior. They'll also pick up the phone and just say, for example, "can you push a button for me". Also, how many people share phones? When these guys are attacking they only have a few phones around them; they're not using eSIMs, they're using physical devices, and one indicator can be multiple identities having the same phone. So we should look for the same device ID or phone ID tied to multiple users. And downgrade factors, as I said: downgrading MFA to SMS.

The challenge in detecting these threats lies in the fact that there is no malware involved. Attackers use the same APIs and functions as legitimate users, making it hard to distinguish between normal and malicious activity. Once they gain initial access through your IdP, their next move is to quickly learn as much as they can about your environment, often starting by exploring knowledge sharing resources such as wikis or Confluence. These search terms can reveal the intent of the attackers. For instance, Scattered Spider has been seen with specific search terms across multiple identities. I don't know if you can see this properly, but we can see there "AKIA", for example, which means they're looking for AWS credentials, clearly indicating that they're hunting for access keys. And when they search for something like a Shodan API key or a Twilio API key, as I highlighted over there, it's not the actual API key that they're looking for; it's more about how you're enriching data, and they want the script that references that key.

Another crucial detection opportunity is monitoring user behavior patterns. For example, for a user that has never logged into GitHub, getting information from it, that new activity, that user behavior, is something that should stand out; it might be an attacker trying to steal those code signing certs. For defense evasion in M365, attackers often cover their tracks by setting up automated email deletion rules. They use less common filters, like "body contains", to target specific terms in the body of an email, ensuring any communication that could expose them is automatically deleted.

Now let's move more into the IaaS side, where we're going to cover the AWS TTPs. Let's talk about S3 Browser for a bit; I mentioned this in the first slides. S3 Browser is a GUI-based tool to use AWS; it's easy to use as it's a GUI. Particularly concerning is when S3 Browser is used for IAM functions. S3 Browser can be used by both legitimate users and attackers, so if it's used for IAM functions such as creating a new user, updating login profiles or altering permissions, note that these tasks are usually performed and managed through more secure and auditable channels such as the AWS CLI or the Management Console. If these sensitive actions are being carried out through S3 Browser, it's a strong indication that something unusual or potentially malicious is happening.

Attackers frequently use SSM to run scripts, such as software inventory gatherers, on all EC2 instances. Rather than running these scripts just once, they set up a scheduled execution every 30 minutes to maintain a persistent presence and continuously gather data. Attackers focus on AWS Secrets Manager. They use CloudShell, a method that is rarely seen in legitimate operations, to extract these secrets: by looping through secrets with the GetSecretValue command they can pull all the information they need. So CloudShell interacting with Secrets Manager is a major red flag. Also file downloads via CloudShell: attackers upload and download files using CloudShell. They replace instance profiles to grant EC2 instances overly permissive roles, often using a simple star-star (*:*) policy. Instead of creating new users or access keys, they quietly just add login profiles to existing accounts, set passwords and take over those identities. Disabling GuardDuty is typically one of their first moves; while many security teams have rules to detect this, it's often more interesting when attackers delete GuardDuty invitations and disassociate from the master, making it challenging to re-enable GuardDuty, but that often creates more noise than it's worth.

Fun fact: StopLogging. Attackers believe that will stop all the logging, but in reality it just prevents the logs from being sent to the destination. Logs are still created, meaning that if you monitor the API you can still capture these events. Also check for EC2 instance anomalies: they frequently create large, expensive EC2 instances and install Windows on them, which is unusual and should stand out in monitoring. Okay Andi, I got a bit tired, you want to talk?

Thank you Abian. So my friend over here gave us a really nice, clear overview and good insights into how these attackers do their actions. We know the tactics, we know the pattern of their attacks, what they prefer, what type of service they go after more. But now the other challenge is actually how to find the presence of these threat actors in your environment, and I guess every security person who is on the defender side has a challenge in front of them. So let's go from the start. I know this may be ABC for some of you guys, but I think it's nice to go from scratch. What is the role of logs? What is a log? A log is a fact: what someone did, who, or when (I said "who" twice, yeah). So it might lead up to an incident, but not necessarily at all times. Logs are visibility: we know who did what, when and where. The next thing is, in order for you to know all these three things that I mentioned (I don't want to repeat myself again), you have to have them available. Now some services enable logging by default, some of them don't; you always have to check, because if an attacker comes by they won't do that for you, or they might, but that's just them trying to make fun of you. After making them available, the next smart thing to do is store them in a secondary location, and why: because, and I'm going to talk about this in later slides, some cloud service providers have a retention limit on how many days they store your logs. So you always want to have them stored in a different location; you have cheap options like an S3 bucket or Blob Storage in Azure. After storing them you want to process them further, aggregate, correlate, whatever, and at the end of the day the most important role of logs is to see if we can find some malicious activity in them. So basically we love logs, and they shine on our path towards finding the truth, and the truth sometimes can be harsh, but it's better to know.

Since we are talking only about cloud, I'm going to focus on cloud logs. We're not going to talk about how good the cloud is; they just removed our server machines, that's great. Now we're going to focus on the cloud logs part and the cons of them. First of all, they're determined by the cloud provider, so you get what they serve you; you don't have much say in it, so you have to make up your mind and see what they are giving to you.
There's a delay in log generation, and that happens because of many factors, like internet speed. The retention limit that I mentioned: some, like AWS, offer a 90-day retention limit; Azure, I guess, 30 days. So yeah, again, store them in a secondary location. And at the end, they are far more abstract. Now, I don't have much experience at all in on-prem logs or endpoint detection, but we have some pretty good veterans that are experienced in that part and we get a lot from them. So basically you have some event names or APIs that are being called, let's say CreateUser or CreateAccessKey. Is that malicious? Not necessarily, but you are the one that should give context to it and do some baselining on that user to see if it's really malicious. So we view logs in AWS through Event History; you have the option to get them through the CloudTrail API. Now again, there's API throttling, so you have to take that into account. Also cloud logs in Azure: you can view them through the Activity Log. Cool.
Now, sorry. I'm not going to stop here; Abian said most of it, but our team has seen an increased large activity from these threat actors in cloud environments, and as I said, finding the presence of these threat actors in our environment has posed a significant challenge, not just for us but for all security teams. And even though we offered lots of briefings and blogs on how to help detect these guys, we wanted to take it a step further and actually release an open source tool which does only one thing, and that's grappling evil in the cloud. So here we have CloudGrappler, which is open source on GitHub. We released it in March 2024, this year, and we tend to keep it updated with our latest TTPs, so you might want to check it from time to time.

What does CloudGrappler do? CloudGrappler has some key features. The first one is threat actor querying: we have all the TTPs that Abian just mentioned, the most important ones, or all of them, yes. We have around 60 TTPs and, as I said, we tend to keep them updated. The next thing is that this tool also specializes in single event detection. For now CloudGrappler supports only AWS and Azure. An example here in AWS is GetFileDownloadUrls, which as Abian mentioned is not commonly used, especially if it's tied together with Secrets Manager. The other one is a new inbox rule, for example, where the attackers are trying to clear their tracks after doing so. And last but not least is the integration with cloudgrep. Just as a reminder, cloudgrep and CloudGrappler are different tools. cloudgrep is maintained by Cado Security and we want to give a huge shout out to Chris Doman for his support. Now, what cloudgrep does is essentially grep for cloud storage; you can search by regex. What our tool is doing is just wrapping this tool, cloudgrep, with our TTPs, and that is CloudGrappler.

But how does CloudGrappler work, how do you configure it? We tend to keep it simple, so you don't need much experience in cloud, just basic knowledge. The first one is the scope selector. Until now we only support AWS and Azure. Here, in the data source JSON file, you are just defining the scope of your scanning in your environment. You'll have to define the bucket name and the prefix. You can also choose not to define your prefix, like if you want to scan the entire bucket, and that's okay, but my recommendation is that if you are storing a huge amount of data in that bucket, let's say terabytes or near that, it would be better to add the prefix as well, because it would take time for the tool to complete the scan. Also, just as a reminder, this tool also creates ingress charges while you are trying to get the data from the S3 bucket. On the other hand we have Azure, where you'll have to specify the account name and the container. But just so you know, you can add as many buckets as you want to scan, and the same applies for the Azure part.

The other thing is the query selector, or the queries JSON file. Again, these queries are predefined by us, but you are free to add more; you just need to follow the pattern of the other queries and make sure to get the right query field, and also the source, which can be AWS or Azure. But if you're really interested in a certain ASN, IP, user agent, user, whatever you think is an indicator of compromise, and you want to scan for it in both of your environments, you can just add the star sign in this source field, and that would scan for that specific thing in both of your environments. The next one: we thought that someone who's doing threat hunting, or just working for defensive purposes, would want a report generator. What this does is just output the findings in JSON format. As you can see, the folder is structured by the type of CSP, either AWS or Azure, the time when the tool started running, the location, and at the end which query was triggered. I don't know if we have time for a quick demo, but I have something over here. Good.
Okay, I don't know how well you can see it, the quality is a little bad, but what I'm doing here is just adding the scope of the scanning: I'm adding the bucket and the prefix we want to scan. The next thing we want to do is just hop over to the terminal and hit the --help function to see what features this tool is offering. You can add a file of your own desire, like if you don't want to use our TTPs, that's fine, I wouldn't recommend it, but yeah. Let's go and just call the main.py file, and the next thing that is going to happen after I hit enter is that the tool is going to check if there have been... I'm not sure we can zoom in more. I'll attach the video demo to the slides so you can check it. Yeah, my bad. So the tool is checking if there have been any updates on the repository, again the TTPs, and it's going to ask you if you want to clone the latest updates. And after the ASCII art, we're just displaying that we were checking for hits in the specific bucket, in the specific prefix, and for these queries, because there are some other queries that are only Azure related. And we can see we found one hit for the famous GetFileDownloadUrls, and as you can see, the star sign and "secret" tell you that it also supports regex, so you can be creative with your regex over here. And we're checking for hits in the other bucket and we didn't find any; I'm just going to skip this.

The next thing is that we're adding the Permiso intel flag, and also you can filter by date, like let's say you don't want to scan your entire bucket for the last two years, you can do that just for two days or a week, whichever you prefer, that depends on you. So this is doing the same thing and you can see that there is some intel that we are displaying, like which query is running, for which source, AWS or Azure, which threat actor it is tied to, what's the severity, so you kind of know, is it high, is it low, do I need to check this, and a short description of what this query might do to you if an attacker is misusing it. The next thing I guess is just doing a tree of the reports folder just so we can see that this works. And it output, it said, you have AWS, the tool, when the scanning was done, the bucket, the prefix, and at the end you have the JSON format. Just so you know, the JSON format is the same as an AWS log or Azure log; it's not appending something different, you just have that specific object from the logs. Thank you.
I'm prop yeah that's ejection
Okay, thank you for waiting. You can also reach out to us after the presentation, and Andi can give a full demo of the tool live. So let's summarize and get back to identity. Their mission is focused on the cloud: they want to get into your cloud, SaaS and CI/CD environments. To get access they usually go through impersonation; once they can impersonate legitimate users, they can move around your organization with ease, often going unnoticed for extended periods. So how do they do this? First off is password spraying, a well-known technique where attackers try a small set of common passwords across many accounts; this sometimes is effective. They also go the easy way and just purchase credentials, without breaking their heads to get creds; they just buy them and they have access to your account. They also use push fatigue, which is a technique where they flood the users with messages and try to confuse them and make them frustrated enough to push that button. And also SIM swapping, where by taking control of the user's phone number an attacker can intercept all SMS messages and bypass those MFA codes. We can see here also some blogs that we wrote about impersonation, and you can't see it really well, but it's how an attack chain really goes.

Another summary from me. Threat actors continue to target cloud environments for various purposes. Always make sure to configure the necessary cloud logging options: retention, as I said, forwarding, querying. And at the end, if you want, use CloudGrappler, an open source detection framework, to find the potential presence of bad guys in your environment. With that, we want to thank you for your time. I hope our talk was good for you and you found it helpful, and if you want to reach out to us you have our LinkedIn and Twitter, or we are here. If you want to ask a question, do you guys have any questions? Thanks.

Audience: Thank you guys, it was a very nice presentation, I really liked the tools. It caught my attention that in one configuration file of the CloudWatch logs you were using CloudTrail logs in one region and the S3 bucket was in another region, and I was wondering why that decision in the configuration file.

Yes, to be honest that bucket didn't exist, it was just for demo purposes, but nice catch, thank you. Any other questions?

Audience: Thanks for the presentation, just a quick question. If you are a very big organization and you have a lot of logs across all sorts of cloud providers, I'm assuming the logs are going to be very, very big. So imagine you have a large bucket of one terabyte of logs; how fast is this project going to be able to go through that? Is there any parallel processing in there, or how does it work?

Great question. My simple and honest answer is: don't use it. It's more intended for individuals or small companies, because they generally produce less data. But if you tend to have terabytes of data coming in per day, I think there are, as you know, lots of SIEMs or other enterprise tools that are very good at that. But if, let's say, you're looking for a specific hour, let's say a start and end time, the tool would be fine. But if you give it one terabyte of data, yeah, I never tried that. Thank you.

Audience: Second question if I may, very quickly: are you able to pass a third-party or external indicators-of-compromise file, so it doesn't use only the data set provided by Permiso by default, but I'd have my own custom one and then be able to attach it to the script and just be able to parse through the logs?

For now, since we are pretty much dependent on cloudgrep, we use cloudgrep as a subprocess, and we know that cloudgrep for now offers only AWS logs, GCP and also Azure. But as I said, Chris is an awesome guy, so if you want to parse other logs, like you said, you are more than welcome to add a PR to that. That would be great, and let me know, I would integrate it into CloudGrappler too. Thank you.

All right, thank you so much for the questions. If you have any other questions you can catch up with Andi and Abian.
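As an added example, not code from the talk and not CloudGrappler's or cloudgrep's actual implementation, here is a small Python sketch of the hunting loop the presentation describes: a query set of TTPs, each tagged with a source (aws, azure, or * for both clouds), run as regexes over raw JSON log records with an optional date window, and a report grouped by cloud and query that keeps the original log object as the finding. The query layout, the CloudTrail-like and M365-like sample records, the S3 Browser user-agent string and the exec-env/CloudShell marker are all constructed assumptions for illustration; the detections themselves (GetFileDownloadUrls, CloudShell against Secrets Manager, IAM changes from S3 Browser, StopLogging, "body contains" inbox rules) are the ones the speakers named.

```python
"""CloudGrappler-style hunt: run a TTP query set over raw cloud log records.

Added example; not code from the talk, CloudGrappler or cloudgrep. The query
layout, sample records and user-agent markers below are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical query set in the spirit of the talk's queries file (format assumed).
# A record is a hit when every regex in "all_of" matches its serialized JSON.
# "source" is "aws", "azure" or "*" (the star scans both clouds, as in the talk).
QUERIES = [
    {"name": "cloudshell_file_download", "source": "aws", "severity": "high",
     "actor": "LUCR-3", "all_of": [r'"eventName":\s*"GetFileDownloadUrls"'],
     "description": "File download through CloudShell; rarely used legitimately."},
    {"name": "cloudshell_secrets_manager", "source": "aws", "severity": "high",
     "actor": "LUCR-3",
     # Assumption: the AWS CLI run inside CloudShell marks its user agent
     # with exec-env/CloudShell; the sample record below is built that way.
     "all_of": [r'"eventSource":\s*"secretsmanager\.amazonaws\.com"',
                r'"eventName":\s*"GetSecretValue"',
                r"exec-env/CloudShell"],
     "description": "Secrets Manager read from CloudShell."},
    {"name": "s3_browser_iam_action", "source": "aws", "severity": "high",
     "actor": "LUCR-3",
     "all_of": [r'"eventSource":\s*"iam\.amazonaws\.com"',
                r'"userAgent":\s*"[^"]*S3 Browser'],
     "description": "IAM change made through the S3 Browser GUI."},
    {"name": "cloudtrail_stop_logging", "source": "aws", "severity": "medium",
     "actor": "LUCR-3", "all_of": [r'"eventName":\s*"StopLogging"'],
     "description": "Trail stopped; the API call itself is still recorded."},
    {"name": "inbox_rule_body_contains", "source": "azure", "severity": "medium",
     "actor": "LUCR-3",
     "all_of": [r'"Operation":\s*"New-InboxRule"', r"BodyContainsWords"],
     "description": "Mail deletion rule keyed on message body text."},
    {"name": "watchlisted_ip", "source": "*", "severity": "low", "actor": "custom",
     "all_of": [r"203\.0\.113\."],  # TEST-NET-3 range: a constructed IOC
     "description": "Source address from an analyst-supplied watchlist."},
]

# Constructed sample records shaped like CloudTrail and M365 audit events.
ADMIN = {"arn": "arn:aws:iam::111122223333:user/ops-admin"}
AWS_RECORDS = [
    {"eventTime": "2024-09-10T08:00:00Z", "eventSource": "cloudshell.amazonaws.com",
     "eventName": "GetFileDownloadUrls", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-internal/3 (constructed)", "userIdentity": ADMIN},
    {"eventTime": "2024-09-10T08:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/5.10 exec-env/CloudShell",
     "userIdentity": ADMIN},
    {"eventTime": "2024-09-10T08:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userAgent": "S3 Browser/11.0.1 (https://s3browser.com)", "userIdentity": ADMIN},
    {"eventTime": "2024-09-09T23:40:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/5.10", "userIdentity": ADMIN},
    {"eventTime": "2024-09-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-reader"}},
]
AZURE_RECORDS = [
    {"CreationTime": "2024-09-10T09:15:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "BodyContainsWords", "Value": "security incident"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-09-10T09:30:00", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.20"},
]


def parse_time(ts):
    """Normalize CloudTrail ('...Z') and M365 (naive) timestamps to aware UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def event_time(record):
    return parse_time(record.get("eventTime") or record["CreationTime"])


def scan(records, source, queries=QUERIES, start=None, end=None):
    """Return hits for `source` ("aws"/"azure") within an optional ISO-8601 window."""
    lo = parse_time(start) if start else None
    hi = parse_time(end) if end else None
    hits = []
    for rec in records:
        when = event_time(rec)
        if (lo and when < lo) or (hi and when > hi):
            continue  # outside the requested date filter
        line = json.dumps(rec)  # grep-style matching over the raw record text
        for q in queries:
            if q["source"] not in ("*", source):
                continue  # query belongs to the other cloud
            if all(re.search(p, line) for p in q["all_of"]):
                hits.append({"query": q["name"], "source": source,
                             "severity": q["severity"], "actor": q["actor"],
                             "description": q["description"],
                             "time": when.isoformat(), "record": rec})
    return hits


def build_report(hits):
    """Group hits by cloud and query, keeping the untouched log object as the finding."""
    report = defaultdict(lambda: defaultdict(list))
    for h in hits:
        report[h["source"]][h["query"]].append(h["record"])
    return {src: dict(qs) for src, qs in report.items()}


if __name__ == "__main__":
    all_hits = scan(AWS_RECORDS, "aws") + scan(AZURE_RECORDS, "azure")
    for h in all_hits:
        print(f'{h["severity"]:6} {h["source"]:5} {h["query"]:28} {h["time"]}  {h["actor"]}')
    print(json.dumps(build_report(all_hits), indent=2))
```

Matching on the serialized record rather than on parsed fields is what lets one query file serve both clouds and lets an analyst drop in an arbitrary ASN, IP or user agent as a regex, as the talk describes for the star source; the date window is the same trade-off the speakers mention, since scanning a multi-terabyte bucket this way is slow and you will usually want to narrow to the hours of interest.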