Cloud Kleptos: Lessons Learned Responding to Scattered Spider

OVERVIEW

Cloud-focused attacks are on the rise, moving far beyond the commonplace cryptomining campaigns or initial access gained through poor password policies and a lack of MFA. Persistent threat actors have adapted to improving defensive practices, even evading MFA through push-fatigue attacks and SIM swapping.
LUCR-3 (Permiso’s name for the threat actor group also known as Scattered Spider), who notably compromised MGM and Caesars in late 2023, epitomizes this level of persistence in their methodical approach to targeting specific industry verticals and effectively compromising, escalating and exfiltrating the desired intellectual property from their victims.
Permiso’s P0 Labs team has tracked and responded to LUCR-3 for the last 1.5 years, noting their effective traversal of technology boundaries from IaaS to SaaS and even PaaS. Additionally noteworthy is their practice of infiltrating internal communications and SaaS-based knowledge sharing platforms immediately upon initial access to retrieve internal processes, playbooks and stakeholders required to carry out their mission.
This presentation will inform defenders about many of LUCR-3’s notable TTPs, with a specific technical focus on those targeting the SaaS and IaaS layers from both an offensive and a defensive perspective. While Scattered Spider’s TTPs range widely, their persistence and focus are anything but scattered.


Presented By

ABIAN MORINA

Associate Threat Researcher, Permiso Security