adpare
99 lines
6.8 KiB
JSON
99 lines
6.8 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--23da1723-d53d-4137-8523-fb6967a19a60",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "intrusion-set",
|
|
"spec_version": "2.1",
|
|
"id": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b",
|
|
"created": "2023-07-05T17:54:54.789Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/groups/G1015",
|
|
"external_id": "G1015"
|
|
},
|
|
{
|
|
"source_name": "Roasted 0ktapus",
|
|
"description": "(Citation: CrowdStrike Scattered Spider BYOVD January 2023)"
|
|
},
|
|
{
|
|
"source_name": "UNC3944",
|
|
"description": "(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)"
|
|
},
|
|
{
|
|
"source_name": "Octo Tempest",
|
|
"description": "(Citation: Microsoft Threat Actor Naming July 2023)"
|
|
},
|
|
{
|
|
"source_name": "Storm-0875",
|
|
"description": "(Citation: Microsoft Threat Actor Naming July 2023)"
|
|
},
|
|
{
|
|
"source_name": "CISA Scattered Spider Advisory November 2023",
|
|
"description": "CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.",
|
|
"url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"
|
|
},
|
|
{
|
|
"source_name": "CrowdStrike Scattered Spider BYOVD January 2023",
|
|
"description": "CrowdStrike. (2023, January 10). SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.",
|
|
"url": "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/"
|
|
},
|
|
{
|
|
"source_name": "CrowdStrike Scattered Spider Profile",
|
|
"description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.",
|
|
"url": "https://www.crowdstrike.com/adversaries/scattered-spider/"
|
|
},
|
|
{
|
|
"source_name": "Mandiant VMware vSphere JUL 2025",
|
|
"description": "Mandiant Incident Response. (2025, July 23). From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944. Retrieved October 13, 2025.",
|
|
"url": "https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944"
|
|
},
|
|
{
|
|
"source_name": "Mandiant UNC3944 May 2025",
|
|
"description": "Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.",
|
|
"url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations"
|
|
},
|
|
{
|
|
"source_name": "Microsoft Threat Actor Naming July 2023",
|
|
"description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
|
|
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
|
|
},
|
|
{
|
|
"source_name": "MSTIC Octo Tempest Operations October 2023",
|
|
"description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.",
|
|
"url": "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"
|
|
},
|
|
{
|
|
"source_name": "Crowdstrike TELCO BPO Campaign December 2022",
|
|
"description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.",
|
|
"url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-10-24T02:30:51.936Z",
|
|
"name": "Scattered Spider",
|
|
"description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. (Citation: CISA Scattered Spider Advisory November 2023) (Citation: CrowdStrike Scattered Spider BYOVD January 2023) (Citation: Crowdstrike TELCO BPO Campaign December 2022)\n[Scattered Spider](https://attack.mitre.org/groups/G1015) had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. (Citation: Mandiant UNC3944 May 2025)",
|
|
"aliases": [
|
|
"Scattered Spider",
|
|
"Roasted 0ktapus",
|
|
"Octo Tempest",
|
|
"Storm-0875",
|
|
"UNC3944"
|
|
],
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_version": "3.0",
|
|
"x_mitre_attack_spec_version": "3.3.0",
|
|
"x_mitre_domains": [
|
|
"enterprise-attack",
|
|
"mobile-attack"
|
|
]
|
|
}
|
|
]
|
|
} |