IOCs to detect this threat actor.
SCATTERED SPIDER is a threat actor group known for financially motivated attacks targeting the mobile carrier/telecommunications industry, business process outsourcing (BPO) providers and other industries. The group has been observed using a variety of methods to gain initial access to target environments, including social engineering techniques such as phone calls and Telegram messages impersonating IT personnel. These tactics are used to direct victims to credential-harvesting sites or to trick them into installing commercial remote monitoring and management (RMM) tools. Where the target accounts are protected by two-factor authentication, the group has been known to convince victims to share one-time passwords or to use MFA exhaustion (MFA fatigue), repeatedly sending push prompts until the victim approves one.
In other cases, the group has used stolen credentials to authenticate to the organization’s Azure tenant or exploited a critical vulnerability in the ForgeRock OpenAM access management solution. Once initial access has been gained, Scattered Spider has been observed conducting reconnaissance across Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365 and AWS environments, moving laterally, and downloading additional tools to exfiltrate VPN and MFA enrollment data in select cases. The group has also been known to establish persistence through legitimate remote access tools such as AnyDesk, LogMeIn and ConnectWise Control.
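The MFA exhaustion tactic described above leaves a recognisable trace in authentication logs: a burst of rejected push prompts for one account, followed by an approval. The Python below is an added example (not part of the original page) that flags that pattern over constructed sample events; the (timestamp, user, result) tuple layout, the `threshold` and the `window` are assumptions, and real push logs will need a small adapter into that shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push events (timestamp, user, result), not real telemetry.
# "alice" shows the push-fatigue pattern; "bob" is an ordinary single miss.
SAMPLE_EVENTS = [
    ("2023-06-01T09:00:05", "alice", "denied"),
    ("2023-06-01T09:00:40", "alice", "denied"),
    ("2023-06-01T09:01:10", "alice", "denied"),
    ("2023-06-01T09:01:55", "alice", "denied"),
    ("2023-06-01T09:02:30", "alice", "approved"),   # victim finally taps approve
    ("2023-06-01T09:10:00", "bob", "denied"),
    ("2023-06-01T09:30:00", "bob", "approved"),
]

def find_mfa_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: prompts_denied} for users who rejected at least `threshold`
    pushes inside `window` and then approved one. The approval after a burst of
    denials is the event worth alerting on; the denials alone are only noise."""
    denials = defaultdict(list)
    flagged = {}
    for ts, user, result in sorted(events):            # ISO timestamps sort as strings
        t = datetime.fromisoformat(ts)
        if result == "denied":
            denials[user].append(t)
        elif result == "approved":
            recent = [d for d in denials[user] if t - d <= window]
            if len(recent) >= threshold:
                flagged[user] = len(recent)
            denials[user].clear()                      # a completed login resets the burst
    return flagged
```

A hit is a strong signal to treat the session as compromised and to review which factor (push approval, shared OTP) was accepted.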
The MITRE ATT&CK technique IDs associated with this threat actor group are as follows:
T1053 – Scheduled Task/Job
T1056 – Input Capture
T1059 – Command and Scripting Interpreter
T1106 – Native API
T1115 – Clipboard Data
T1133 – External Remote Services
T1140 – Deobfuscate/Decode Files or Information
T1176 – Browser Extensions
T1190 – Exploit Public-Facing Application
T1195.002 – Compromise Software Supply Chain
T1496 – Resource Hijacking
T1564 – Hide Artifacts
SCATTERED SPIDER – KNOWN IOCs
Keeping security controls up to date with known IOCs, malicious hosts, and current threat intelligence on threat actor groups targeting the telecommunications industry will greatly reduce the risk of intrusion by these groups.
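The known-IOC feed for this group is published as CSV rows of indicator type, indicator and description (IPv4, IPv6, CIDR and FileHash-MD5/SHA1/SHA256 types), and copies of it tend to carry formatting debris: bullet prefixes, typographic quotes, a stray space inside a type name such as "FileHash- SHA256", and hashes wrapped across a line break. The Python below is an added example, not the page's or any vendor's tooling, that normalises such a feed and checks constructed log lines against it; every indicator value in it is a constructed placeholder (documentation address ranges and dummy hex), not one of the real IOCs.

```python
import csv
import ipaddress
# Constructed feed in the page's column layout, keeping its formatting quirks on
# purpose (bullets, typographic quotes, "FileHash- SHA256", a hash split by a space).
# Values are RFC 5737 documentation addresses and dummy hex, not the real IOCs.
SAMPLE_FEED = """“Indicator type”,”Indicator”,”Description”
• “IPv4″,”192.0.2.10″,”CC=XX ASN=AS64496 Example Hosting”
• “CIDR”,”198.51.100.0/29″,””
• “FileHash- SHA256″,”0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde f”, “”
• “FileHash-MD5″,”00112233445566778899aabbccddeeff”,”MD5 of a dummy file”
"""
HASH_LEN = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}

def load_feed(text):
    """Parse the feed into (list of ip_network, set of lowercase hex hashes)."""
    quotes = str.maketrans({"“": '"', "”": '"', "″": '"'})   # straighten typographic quotes
    lines = [ln.translate(quotes).lstrip("• ") for ln in text.splitlines() if ln.strip()]
    nets, hashes = [], set()
    for row in csv.DictReader(lines, skipinitialspace=True):
        itype = row["Indicator type"].replace(" ", "")      # "FileHash- SHA256" -> "FileHash-SHA256"
        value = row["Indicator"].strip()
        if itype in ("IPv4", "IPv6", "CIDR"):
            nets.append(ipaddress.ip_network(value, strict=False))  # single IPs become /32 or /128
        elif itype in HASH_LEN:
            h = "".join(value.split()).lower()              # rejoin hashes wrapped by whitespace
            if len(h) == HASH_LEN[itype] and all(c in "0123456789abcdef" for c in h):
                hashes.add(h)                               # drop malformed or truncated hashes
    return nets, hashes

def match_log(nets, hashes, log_lines):
    """Return (line, indicator) pairs where a key=value or bare token hits the feed."""
    hits = []
    for line in log_lines:
        for field in line.split():
            tok = field.split("=")[-1].strip(",;")
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:                               # not an address: try it as a hash
                if tok.lower() in hashes:
                    hits.append((line, tok))
                continue
            if any(addr in net for net in nets):
                hits.append((line, tok))
    return hits

SAMPLE_LOGS = [  # constructed log lines, not real telemetry
    "2023-06-01T10:00:01 vpn-gw auth ok user=alice src=192.0.2.10",
    "2023-06-01T10:00:07 edr file_create host=ws01 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2023-06-01T10:00:12 fw allow src=198.51.100.3 dst=203.0.113.5",
]
```

The length and hex checks matter because a hash broken across lines in a copied feed would otherwise be loaded as a value that can never match.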