Scattered Spider Pivots to SaaS Application Attacks

Published: 23/11/2024   Category: security




Microsoft last year described the threat actor — known as UNC3944, Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus — as one of the most dangerous current adversaries.



The recent attacks on customer accounts hosted on the Snowflake data warehousing platform could signal a broader shift among threat actors to targeting software-as-a-service (SaaS) application environments.

A recent Mandiant report highlighted another large threat actor that has begun going after enterprise data in SaaS applications, a broadening of its usual focus on Microsoft cloud environments and on-premises infrastructure. The threat actor, which Mandiant is tracking as UNC3944, is an English-speaking group that other vendors have been tracking variously as Scattered Spider, Scatter Swine, Octo Tempest, and 0ktapus.

The group's more recent capers have included a ransomware attack that knocked numerous critical systems offline for days at MGM Resorts last year and another that targeted Caesars Entertainment, which reportedly paid millions of dollars to the group to get back access to its data. The likely US- or UK-based threat actor is known for its SIM-swapping tactics and highly sophisticated credential-phishing skills, which include calling into enterprise help desks and resetting Okta credentials to take over accounts. Microsoft last year categorized UNC3944 as one of the most dangerous financially motivated cyber-threat groups currently active.

According to Mandiant, UNC3944 has broadened its focus to data in enterprise SaaS applications over the past 10 months or so. In addition to traditional on-premises activity, Mandiant observed pivots into client SaaS applications, according to the security vendor's analysis. In many of these attacks the threat actor has used stolen credentials to access SaaS applications protected by single sign-on providers such as Okta. Mandiant observed unauthorized access to such applications as vCenter, CyberArk, Salesforce, Azure, CrowdStrike, AWS, and Google Cloud Platform.

After gaining access to these environments, the threat actor has typically conducted at least some reconnaissance activity using a variety of methods, including Microsoft's Delve, to search for data in Microsoft 365 environments. The threat actor has then stolen data from these apps and transferred the data to cloud storage resources such as Amazon S3 buckets, using Airbyte, Fivetran, and other cloud synchronization utilities.

"These applications required only credentials and a path to the resources to sync the data to an external source automatically, often without the need for a subscription or expensive costs," Mandiant researchers said.

Phishing and social engineering remain among the group's primary methods for acquiring credentials to access enterprise SaaS accounts. In attacks that Mandiant observed, UNC3944 actors made voice calls in clear English to help desk staff to get their assistance in gaining access to privileged accounts. In many of these calls, the adversary appeared to possess the detailed personal information — such as the last four digits of the victim's Social Security number, dates of birth, and manager information — required to pass the help desk administrator's initial user authentication checks.

"The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate in said attacks," Mandiant researchers said.

Mandiant's report highlighted UNC3944's creation of new virtual machines in victim environments as a particularly effective persistence mechanism. The threat actor's modus operandi is to use single sign-on (SSO) apps to access VMware vSphere and Microsoft Azure cloud environments.

"The importance here is the observation of abusing administrative groups or normal administrator permissions tied through SSO applications to then create this method of persistence," according to the report.

After creating a new virtual machine, the threat actor has used specific tools to reconfigure the VMs to remove default Microsoft Defender protections and telemetry that would be of use in a forensic investigation. In situations where the compromised environment might not have any endpoint monitoring, the threat actor has downloaded multiple tools to the new VMs, including credential extraction utilities such as Mimikatz and ADRecon, and tunneling tools such as NGROK and RSOCX. Such tools allow UNC3944 to access the virtual machine without requiring any multifactor authentication (MFA) or VPN, according to Mandiant.

Mandiant's recommendations for organizations include using host-based certificates and MFA for VPN access, and creating strict conditional access policies to limit what is visible inside a cloud tenant.

According to the report, Mandiant recommends heightened monitoring of SaaS applications, including centralizing logs from important SaaS-based applications, MFA re-registrations, and virtual machine infrastructure, specifically both uptime and the creation of new devices.
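The monitoring recommendations above (centralized SaaS and identity logs, MFA re-registrations, and new virtual machine creation) translate naturally into a correlation rule. The following Python sketch is an added example written for this page; it is not code from Mandiant or from the article. It correlates MFA re-registration events with VM creation by the same identity inside a time window, flags VM creators outside an allowlist of known provisioning accounts, and flags deletion of an endpoint-protection VM extension. The event records are constructed samples whose field names are a simplified assumption loosely modelled on Okta System Log and Azure Activity Log shapes, not the vendors' exact schemas; the identities, VM names, and the `build-svc` allowlist are hypothetical.

```python
"""Added detection sketch (not from the Mandiant report or the article).

Correlates MFA re-registration with new-VM creation by the same identity,
flags VM creators outside a known-provisioner allowlist, and flags removal
of an endpoint-protection VM extension. Event shapes are simplified
assumptions loosely modelled on Okta System Log / Azure Activity Log records;
every sample event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (hypothetical identities and resource names).
SAMPLE_EVENTS = [
    {"source": "okta", "time": "2024-06-01T09:02:00Z", "actor": "jdoe",
     "event": "user.mfa.factor.reset_all", "target": "jdoe"},
    {"source": "okta", "time": "2024-06-01T09:05:00Z", "actor": "jdoe",
     "event": "user.mfa.factor.activate", "target": "OKTA_VERIFY"},
    {"source": "azure", "time": "2024-06-01T11:40:00Z", "actor": "jdoe",
     "event": "Microsoft.Compute/virtualMachines/write", "target": "vm-tmp-01"},
    {"source": "azure", "time": "2024-06-01T12:10:00Z", "actor": "jdoe",
     "event": "Microsoft.Compute/virtualMachines/extensions/delete",
     "target": "vm-tmp-01/MDE.Windows"},
    {"source": "azure", "time": "2024-06-02T08:00:00Z", "actor": "build-svc",
     "event": "Microsoft.Compute/virtualMachines/write", "target": "ci-runner-17"},
    {"source": "okta", "time": "2024-06-03T10:00:00Z", "actor": "asmith",
     "event": "user.mfa.factor.activate", "target": "OKTA_VERIFY"},
]

MFA_REREG_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.activate"}
VM_CREATE_EVENTS = {"Microsoft.Compute/virtualMachines/write"}
EXTENSION_DELETE_EVENTS = {"Microsoft.Compute/virtualMachines/extensions/delete"}
# Endpoint-protection extension names to watch for (assumed examples).
PROTECTION_EXTENSIONS = ("MDE.Windows", "MDE.Linux")
# Identities expected to create VMs, e.g. CI/provisioning accounts (constructed).
KNOWN_PROVISIONERS = {"build-svc"}


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_mfa_reregistration_and_vm_creation(events, window=timedelta(hours=24)):
    """Return one alert per VM creation that follows an MFA re-registration by
    the same actor within `window`; each alert records the earliest matching
    re-registration time."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append((parse_time(e["time"]), e))
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda pair: pair[0])
        reregs = [t for t, e in evs if e["event"] in MFA_REREG_EVENTS]
        for t, e in evs:
            if e["event"] not in VM_CREATE_EVENTS:
                continue
            prior = [r for r in reregs if timedelta(0) <= t - r <= window]
            if prior:
                alerts.append({"actor": actor, "vm": e["target"],
                               "mfa_rereg_at": min(prior).isoformat(),
                               "vm_created_at": t.isoformat()})
    return alerts


def unexpected_vm_creators(events, allowlist=KNOWN_PROVISIONERS):
    """Identities that created VMs but are not known provisioning accounts."""
    return sorted({e["actor"] for e in events
                   if e["event"] in VM_CREATE_EVENTS and e["actor"] not in allowlist})


def protection_extension_removals(events):
    """Extension deletions whose target names an endpoint-protection extension,
    i.e. the telemetry removal the report describes on newly created VMs."""
    return [{"actor": e["actor"], "target": e["target"], "time": e["time"]}
            for e in events
            if e["event"] in EXTENSION_DELETE_EVENTS
            and e["target"].endswith(PROTECTION_EXTENSIONS)]


if __name__ == "__main__":
    for alert in correlate_mfa_reregistration_and_vm_creation(SAMPLE_EVENTS):
        print("ALERT mfa-rereg -> vm-create:", alert)
    print("unexpected VM creators:", unexpected_vm_creators(SAMPLE_EVENTS))
    print("protection extension removals:", protection_extension_removals(SAMPLE_EVENTS))
```

Run against the constructed sample, the correlation rule fires once (the `jdoe` identity re-registers MFA and then creates `vm-tmp-01` within the day), the allowlist check names `jdoe` as an unexpected VM creator while leaving the CI account alone, and the extension check surfaces the deletion of the protection extension on the new VM. In production the same three checks would run over centralized identity-provider and cloud activity logs rather than an in-memory list, with the allowlist and window tuned to the tenant.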
