This week, CISA updated its advisory on Scattered Spider. Scattered Spider is a threat actor using social engineering tricks to access target networks. The techniques used by Scattered Spider replicate those used by other successful actors, such as Lapsus$. Social engineering does not require a lot of technical tools; creativity is key, and defenses have a hard time keeping up with the techniques used by these threat actors.

For this diary, I want to "zoom in" on one update noted in this week's CISA report. CISA noted that Scattered Spider is using the following domain name patterns:

targetsname-cms[.]com
targetsname-helpdesk[.]com
oktalogin-targetcompany[.]com

Using our "recent domain" API, we can run a quick check on some of these. Let's start by getting the latest (yesterday's) domains:

curl -o recent.json 'https://isc.sans.edu/api/recentdomains/?json'

How many entries do we have so far?

% jq length recent.json
117782

This is low, but not all domain names have been processed yet. Now we will look for the patterns from the CISA report. I first checked "oktalogin", which I figured was the most specific text, but I found nothing. Next, I checked "helpdesk" (I omitted the .com as I figured they may use different TLDs depending on the target):

% jq '.[] | select(.domainname | contains ("helpdesk")) | .domainname' recent.json
"360aihelpdesk.com"
"ai360helpdesk.com"
"helpdesk-academy.net"
"helpdesk-direct.online"
"helpdesk-guardprotect.com"
"helpdesk-software-29.online"
"helpdesk-truist.com"
"helpdeskmaintenanceinc.online"
"helpdeskmicrosoft.com"

We got a few nice domain names here. I highlighted them in red and bold above. Truist appears to be an obvious target. Looking for other domains that contain the word "Truist":

% jq '.[] | select(.domainname | contains ("truist")) | .domainname' recent.json
"altruistonline.shop"
"cdn-truist.com" 
"helpdesk-truist.com"

The first one (altruistonline.shop) is likely unrelated. But cdn-truist.com could be interesting. They do not resolve to an IP address. However, the "cdn-" pattern was not in the report, so it may be a new pattern used by Scattered Spiders or similar gangs.

A couple of lessons learned: 

• You should monitor for your brand name being used to register new URLs. You can use commercial services, our API as shown above, or what I consider the "secret weapon": TLS transparency logs. Facebook has a nice free one that includes common variations and IDN lookalikes.
• Do not take reports, like CISA's, too literally. They are well-researched, but that comes at the cost of being outdated. Threat actors will also change their MOU after a high-profile report is released. Look for the basic patterns, not the exact strings.

Note the fact that "Truist" is in the list may indicate that they are a target, but does not show that they fell victim to an attack. I do not see any evidence that the domain names have been used so far.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|