Stroz Friedberg has observed currently active and persistent targeting of organizations across telecommunications, technology, manufacturing, and other related sectors by a financially motivated criminal group. This threat actor is known as Scattered Spider, UNC3944, 0ktapus, and other variations of these names due to different naming conventions used by security companies.
This threat actor group was first observed by security researchers in May 2022 [1] and has established itself as using advanced social engineering tactics to gain initial access, conducting reconnaissance within victim organizations’ networks, and exfiltrating sensitive data from cloud environments. In some instances, the group has been observed deploying ransomware with a focus on ESXi servers. These targeted campaigns have led to financial and reputational damage to impacted organizations across the telecom, technology, manufacturing, logistics and outsourcing, and cryptocurrency industries.
This threat actor’s attacks are characterized by tactics, techniques, and procedures (TTPs) such as SIM swapping, social engineering, and quick lateral movement across a victim’s environment. The main TTPs observed are as follows:
This threat actor has been observed deploying a variety of tactics, typically using existing technologies within a victim’s environment. Common tactics identified across Stroz Friedberg engagements attributed to this threat actor include the following TTPs during the initial access and reconnaissance phases of the attack.
This threat actor may attempt to gain access to a privileged account through social engineering of an organization’s password and Multi-Factor Authentication (MFA) reset process. Tactics can include calling into the Help Desk.
Common aspects of phishing calls to Help Desks can include the following TTPs:
Immediately after initial access, this threat actor has been observed collecting information about the victim organization’s environment using the following search terms across backup locations, cloud storage (Azure Blob, AWS S3, etc.), CyberArk, database backup locations, ESXi, internal code repositories, SAP, and other applications.
Search Terms Used by Threat Actors in SharePoint / File Repository:
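As an added detection illustration (not code from the Stroz Friedberg advisory), the logic below correlates a help-desk password/MFA reset with a burst of sensitive-term searches and file accesses by the same account in the hours that follow, which is the initial-access-to-reconnaissance sequence described above. The event schema, operation names and keyword list are constructed for this example; the advisory's own search-term list is not reproduced.

```python
# Added example: flag accounts that perform sensitive-keyword searches or file
# accesses shortly after a help-desk credential/MFA reset. Event format,
# operation names and keywords are assumptions, not taken from the advisory.
from datetime import datetime, timedelta
from collections import defaultdict

# Keyword list is an assumption built from the asset types the advisory names
# (backups, cloud storage, CyberArk, ESXi, code repositories, SAP).
SENSITIVE_TERMS = ("backup", "blob", "s3", "cyberark", "esxi", "vcenter",
                   "sap", "repo", "password", "vpn", "mfa")
RESET_OPS = {"HelpDeskPasswordReset", "HelpDeskMfaReset"}    # assumed names
SEARCH_OPS = {"SearchQueryInitiatedSharePoint", "FileAccessed"}  # assumed names
WINDOW = timedelta(hours=6)   # how long after a reset we keep watching
THRESHOLD = 3                 # distinct sensitive terms before alerting

# Constructed sample events: (timestamp, user, operation, search text or path).
EVENTS = [
    ("2024-05-01T08:55:00", "jdoe", "HelpDeskMfaReset", "ticket via phone"),
    ("2024-05-01T09:03:00", "jdoe", "SearchQueryInitiatedSharePoint", "esxi root password"),
    ("2024-05-01T09:05:00", "jdoe", "SearchQueryInitiatedSharePoint", "cyberark vault"),
    ("2024-05-01T09:06:00", "jdoe", "FileAccessed", "IT/backup-locations.xlsx"),
    ("2024-05-01T09:09:00", "jdoe", "SearchQueryInitiatedSharePoint", "sap basis"),
    ("2024-05-01T10:00:00", "asmith", "SearchQueryInitiatedSharePoint", "backup policy"),
    ("2024-05-03T09:00:00", "bwong", "HelpDeskPasswordReset", "ticket via chat"),
    ("2024-05-03T09:30:00", "bwong", "FileAccessed", "HR/holiday-calendar.pdf"),
]

def sensitive_terms(detail):
    """Return the set of watched terms appearing in a search string or file path."""
    low = detail.lower()
    return {t for t in SENSITIVE_TERMS if t in low}

def detect_post_reset_recon(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: sorted terms} for accounts whose reset was followed, within
    `window`, by searches/file accesses touching >= `threshold` distinct terms."""
    parsed = sorted((datetime.fromisoformat(ts), u, op, d) for ts, u, op, d in events)
    resets = defaultdict(list)
    for ts, user, op, _ in parsed:
        if op in RESET_OPS:
            resets[user].append(ts)
    hits = defaultdict(set)
    for ts, user, op, detail in parsed:
        if op not in SEARCH_OPS:
            continue
        # Only count activity inside the window following one of this user's resets.
        if any(r <= ts <= r + window for r in resets.get(user, [])):
            hits[user] |= sensitive_terms(detail)
    return {u: sorted(t) for u, t in hits.items() if len(t) >= threshold}
```

Searches by an account with no preceding reset (asmith) and benign post-reset activity (bwong) are not reported; only jdoe's reset followed by five distinct sensitive terms is.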
This threat actor has demonstrated a significant level of knowledge and skill when operating within an organization’s Azure and AWS environments. They are persistent and able to pivot rapidly based on the organization’s response actions, regardless of the cloud provider. Typically, the threat actor gains access to accounts with tenant-level credentials in the targeted organization’s cloud environment. Common attack processes include the following tactics:
This threat actor has been observed executing the following on-premises activities in a victim organization’s environment:
This threat actor has been observed using the following tools and techniques to gain and maintain persistent access to a victim organization’s environment:
In some instances, this threat actor has been observed deploying ransomware on ESXi servers after data exfiltration occurs or security teams attempt to evict the threat actor from the environment. This threat actor has loosely affiliated itself with the ALPHV/Blackcat ransomware group in some instances and has used the ransomware group’s negotiations and leak site infrastructure to post information about victim organizations.
This threat actor has been observed sending personalized and threatening messages over email, phone, and SMS to gain attention from victim organizations. In some instances, they have contacted media to add pressure and extract payment from companies. Techniques include:
Stroz Friedberg recommends organizations consider taking the following steps to help focus on prevention and detection:
[1] Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover
About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.