Hackers are using cloud service attacks as a way to go after big-money targets in the insurance and financial industries.

Security researchers at EclecticIQ said that an APT known to defenders as “Scattered Spider” has been breaking into corporate cloud instances to steal data and then ransom that data back for a large payout.

The most common targets in the attacks are companies that work in the extremely lucrative financial and insurance sectors, suggesting the hacking crew is looking for a few big payouts before shutting down the operation.

The move is believed to be something of a departure from Scattered Spider’s usual tactics.

“Scattered Spider frequently uses phone-based social-engineering techniques like voice phishing (vishing) and text message phishing (smishing) to deceive and manipulate targets, mainly targeting IT service desks and identity administrators,” explained researcher Arda Büyükkaya.

“The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals.”

The researchers found the attackers using a number of methods to obtain access to cloud services. Among the most notable was searching services such as GitHub for cloud access tokens that developers had accidentally left in source code, a growing problem for many companies.

Other, more mundane methods include purchasing already-compromised credentials from other criminals, or running phishing campaigns that aim to eventually capture an administrator’s or executive’s cloud service login. The crew was also spotted running smishing campaigns, which carry the extra benefit of lifting one-time passwords from MFA systems.

It was noted that in addition to targeting the big-name cloud services such as AWS EC2 and Microsoft Entra ID, the hackers also target the likes of Okta, ServiceNow, and VMware Workspace ONE.

From there, the attackers can either resell the credentials on crimeware forums or use the stolen accounts to access whatever corporate data they can, which is then exfiltrated and held ransom.

Because this data is held in the cloud, the best way for admins to prevent these attacks is to enable MFA and make sure all employees are educated on best practices for spotting and reporting phishing attempts. Developers should also make sure the code they commit does not include private access tokens.
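The leaked-token problem described above is easiest to catch before code is pushed. The following is an added example, not code from EclecticIQ or the article, of a small pre-commit style scanner: it flags AWS access key IDs by their documented `AKIA` prefix and flags secret-looking assignments whose value has high Shannon entropy, which separates real credentials from placeholders. The sample source, the entropy threshold of 4.0 and the key values are constructed assumptions for this example (the AWS values are AWS's own published documentation examples).

```python
import math
import re

# AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Generic "secret-ish name = 'long value'" assignment; an assumption for this example.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, words and placeholders score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_source(text: str, entropy_threshold: float = 4.0) -> list:
    """Return (line_number, kind, value) for each likely leaked credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Placeholders such as "changeme-changeme-changeme" have low entropy; skip them.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_secret", value))
    return findings

# Constructed sample file for this example; the credential values are AWS doc examples.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = "changeme-changeme-changeme"
region = "us-east-1"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Running it on the sample reports lines 2 and 3 and leaves the placeholder on line 4 alone; wiring `scan_source` into a pre-commit hook that rejects any non-empty result is the usual deployment.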
