With cloud-based identity providers now widely serving as a primary authentication system for many organisations, threat actors are seeing great return on investment by devising new initial access techniques that leverage such services. An excellent example of this has been seen recently in a cluster of activity designated by CrowdStrike as Scattered Spider.
Scattered Spider is a financially motivated criminal entity with a tendency toward big-game hunting and social engineering. It has attracted much attention after having been attributed to multiple very public incidents, including MGM Resorts in September 2023, which was not long after their affiliation with the ALPHV/BlackCat ransomware-as-a-service program became known.
The techniques they rely upon for initial access include a variety of MFA bypass methods, such as SIM swapping and push notification fatigue. Their campaigns are typically preceded by extensive target research, using both open- and closed-source data to construct an in-depth understanding of target individuals. Phishing, vishing, and smishing are among the techniques used to socially engineer their targets into supplying their login credentials, completing or bypassing MFA challenges, and resetting credentials. Access may also be facilitated with purchased credentials, cookies, and browser fingerprints – such as those sold on the now defunct Genesis Market.
Once access to an account has been obtained, they show an aversion toward bespoke tooling, instead opting to “live off the land” and achieve their objectives with legitimate system administrator tools and functions. Furthermore, their comprehension of cloud systems should not be underestimated: they also abuse native functionality to elevate privileges, set up persistence and exfiltrate data. Examples of this span from basic techniques, such as registering new MFA devices and creating users and hosts in target tenants, through to abusing Okta’s M&A function to create shadow users for cross-tenant impersonation.
You can read more about the group here:
As demonstrated by actors such as Scattered Spider, Push Notification Fatigue can be very effective at coercing an employee to accept an MFA request. In these attacks, a bad actor will repeatedly send push notification MFA requests to the target until they accept one. Requiring Number Matching MFA instead of push notifications can mitigate the risk of MFA fatigue. In most cases, the employee cannot accidentally authenticate a session, since they do not know the number being presented in the sign-in dialogue. Of course, this may still leave a target susceptible to social engineering vectors (e.g., they are instructed to enter the number over the phone). On the other hand, physical tokens and biometrics are resistant to such vectors, as they require the owner of the authentication method to be present at the session being signed in.
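The push fatigue pattern described above (a burst of denied or timed-out push prompts for one user, sometimes followed by an approval) is something a defender can hunt for in identity provider sign-in logs. The following is an added example, not code from the original article: it runs a simple sliding-window detection over constructed sample events. The field names (`user`, `time`, `mfa`) are an assumption standing in for the real Entra ID or Okta sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events. The schema is an assumption for this
# example and must be mapped onto the real sign-in log fields before use.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2023-09-11T02:00:05Z", "mfa": "denied"},
    {"user": "alice@example.com", "time": "2023-09-11T02:00:40Z", "mfa": "denied"},
    {"user": "alice@example.com", "time": "2023-09-11T02:01:20Z", "mfa": "denied"},
    {"user": "alice@example.com", "time": "2023-09-11T02:02:10Z", "mfa": "denied"},
    {"user": "alice@example.com", "time": "2023-09-11T02:03:30Z", "mfa": "approved"},
    {"user": "bob@example.com",   "time": "2023-09-11T09:15:00Z", "mfa": "denied"},
    {"user": "bob@example.com",   "time": "2023-09-11T09:15:30Z", "mfa": "approved"},
    {"user": "carol@example.com", "time": "2023-09-11T13:00:00Z", "mfa": "timeout"},
    {"user": "carol@example.com", "time": "2023-09-11T13:12:00Z", "mfa": "timeout"},
    {"user": "carol@example.com", "time": "2023-09-11T13:24:00Z", "mfa": "timeout"},
]

FAILED_PROMPT = {"denied", "timeout"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag each user with >= `threshold` failed push prompts inside `window`.

    Returns one alert per user, noting whether an approval followed the burst
    within the same window (the outcome the attacker is hoping for).
    """
    by_user = {}
    for event in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        failures = [parse_time(e["time"]) for e in user_events if e["mfa"] in FAILED_PROMPT]
        for start in failures:
            burst = [t for t in failures if start <= t <= start + window]
            if len(burst) < threshold:
                continue
            last_failure = burst[-1]
            approved_after = any(
                e["mfa"] == "approved"
                and last_failure < parse_time(e["time"]) <= last_failure + window
                for e in user_events
            )
            alerts.append({"user": user, "denied_prompts": len(burst),
                           "approved_after_burst": approved_after})
            break  # one alert per user is enough for triage
    return alerts
```

Bob's single decline followed by an approval and Carol's widely spaced timeouts stay below the threshold; only Alice's burst (four prompts in just over two minutes, then an approval) produces an alert.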
The overall objective of your policy should be to define the normal sign-in scenarios of your users and to either challenge or deny those which present risk:
The policy templates provided by Microsoft offer a solid baseline configuration. At the time of writing there are 16 templates which are categorised by use case: