Chris Campbell Jul 28, 2025

Community Disservice Part One: Analysing Modern Human-Centric Intrusions


The cybercrime subculture referred to as "The Com" emerged around 2018 as a loose collective of predominantly English-speaking actors from Canada, the United States, and the United Kingdom. What began as a scene focused on SIM swapping and cryptocurrency theft has evolved into a broader ecosystem encompassing various forms of extortion campaigns, corporate ransomware operations, and sophisticated social engineering attacks. This transformation coincided with cryptocurrency's dramatic price surge, which fundamentally shifted underground culture toward high-stakes, profit-driven enterprises. 

Unlike traditional technically-focused adversaries, Com-affiliated actors demonstrate a willingness to blend aggressive social engineering – including threats of physical violence – with extensive abuse of legitimate enterprise tools and intimate knowledge of corporate help desk procedures and cloud infrastructure. Some groups within this wider ecosystem have expanded into ransomware operations, while others have specialized in different forms of targeted harassment and extortion. 

In the first of two blog posts, we'll explore common tactics, techniques, and procedures (TTPs) used by actors within and adjacent to this subculture. While cluster names like Scattered Spider, UNC3944, and Octo Tempest are widely discussed, we won't focus on those distinctions. Instead, we aim to raise awareness of the need for constructing layers of security across your business to combat this “sophisticated” tradecraft. 

[Image: Community Disservice 1. Credit: UnknownBinary]

Scattered Spider also isn't the only group excelling in hybrid IT environments, and this name technically only represents CrowdStrike’s activity cluster – though it’s used by numerous others. Using the term “Scattered Spider Adjacent” would be more accurate in many reported cases. Regardless, once actors of this variety gain access to an environment, they can expand compromise almost unchecked, making proactive prevention crucial. 

If learning more about the history and inner workings of The Com is of interest to you, we’d highly recommend watching this presentation by Allison Nixon and Ben Coon of Unit 221B, whose expertise on the subject is globally unmatched: 

Anatomy of an Intrusion 

The potential progression of an intrusion is illustrated very effectively in this infographic from Palo Alto's Unit 42: 

[Infographic: Community Disservice 2. Source: Unit 42]

Target Research 

Operations begin with extensive reconnaissance: 

  • Data from previous breaches builds target profiles. Employee information is acquired from underground marketplaces and forums dealing in stealer logs from infostealer malware such as Raccoon, Redline, or Vidar. These logs contain dumped credentials, browser histories, and VPN configurations harvested from infected devices. 
  • Using LinkedIn, ZoomInfo, and business intelligence platforms, employee hierarchies are enumerated to identify system administrators, help desk staff, executives, and employees who may hold privileged cloud access. Phone numbers, reporting structures, personal details like home addresses, security vendors, authentication systems, and remote access solutions are all catalogued to support attacks. 
  • Social media monitoring gathers additional intelligence to substantiate social engineering attempts. 

Strategic focus historically involved targeting business process outsourcing firms and telecommunications organisations as intermediary attack vectors. BPO providers handle IT services and data processing for multiple clients, while telecommunications firms control infrastructure necessary for SIM swapping. Compromising these intermediaries provides trusted access to multiple client networks through established business relationships. Recent targeting has shifted toward multiple targets within common industry verticals, expanding into aviation, insurance, retail, hospitality, and financial industries. 

Initial Access 

Social engineering is a cornerstone of these intrusions, with advanced manipulation skills demonstrated through elaborate vishing campaigns and impersonation of staff. While SMS-based initial contact was historically common – with messages claiming urgent action is required (security updates, expiring accounts, or suspicious logins) and directing victims to phishing sites – it has become less prevalent as organisations moved away from SMS. Help desk social engineering has instead emerged as the primary initial access vector. 

[Image: Community Disservice 3. Source: Unit 42]

When SMS campaigns are carried out, phishing sites are frequently hosted on typosquatted domains incorporating keywords like "sso," "vpn," or "okta" combined with the target organisation's name. Recent campaigns introduced subdomains (sso.c0mpany[.]com) in addition to the hyphenated format (company-sso[.]com) that has become a recognised signature. 

Phishing campaigns employ proxy frameworks like Evilginx, which automate adversary-in-the-middle attacks to capture credentials and authentication tokens, mitigating most multi-factor authentication challenge types. The resulting sites are convincing clones that closely or perfectly mimic the target login pages with valid SSL certificates and familiar URLs. Pages typically maintain short operational lifespans of several days or hours. Infrastructure can leverage content delivery networks like Cloudflare, blocking automated scanners and adding legitimacy through familiar user experience. 
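The two lookalike shapes described above (a keyword subdomain on a lookalike registrable domain, and a hyphenated registrable domain) are simple enough to watch for in a certificate transparency or passive DNS feed. The script below is an added example written for this post, not tooling from the original article or from any vendor it names. It assumes a hypothetical target called "Company" owning company.com, a constructed sample feed, and a two-label shortcut for the registrable domain where a real deployment would consult the Public Suffix List.

```python
"""Flag domains that imitate an organisation's SSO, VPN or Okta login hosts.

Input would normally come from a certificate transparency feed, passive DNS
or a domain-monitoring service; here it is a constructed sample list.
"""
from __future__ import annotations

# Keywords the campaigns described above combine with the target's name.
LURE_KEYWORDS = ("sso", "vpn", "okta")

# Digit-for-letter substitutions commonly used to keep a lookalike readable.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Lower-case, undo digit substitutions and drop hyphens and dots."""
    return text.lower().translate(HOMOGLYPHS).replace("-", "").replace(".", "")


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction (last two labels).

    A production version would consult the Public Suffix List; the two-label
    shortcut is an assumption made to keep the example self-contained.
    """
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify(domain: str, company: str, owned: set[str]) -> str | None:
    """Return a description if ``domain`` looks like a lookalike, else None.

    ``owned`` is the set of registrable domains the organisation controls;
    anything under them is ignored so a legitimate sso.company.com is not flagged.
    """
    domain = domain.lower().strip(".")
    if registrable(domain) in owned:
        return None
    if normalise(company) not in normalise(domain):
        return None
    labels = domain.split(".")
    hits = [k for k in LURE_KEYWORDS if any(k in label for label in labels)]
    if not hits:
        return None
    # Two shapes: keyword subdomain on a lookalike registrable domain
    # (sso.c0mpany.com) or a hyphenated registrable domain (company-sso.com).
    if len(labels) > 2 and any(k in labels[0] for k in hits):
        shape = "subdomain"
    else:
        shape = "hyphenated"
    return f"{shape} lookalike using {','.join(hits)}"


def scan(domains, company: str, owned: set[str]) -> dict[str, str]:
    """Run ``classify`` over a feed and return {domain: reason} for the hits."""
    results: dict[str, str] = {}
    for d in domains:
        reason = classify(d, company, owned)
        if reason:
            results[d] = reason
    return results


# Constructed sample feed: "Company" is the hypothetical target organisation.
SAMPLE_FEED = [
    "sso.c0mpany.com",           # subdomain shape with a digit substitution
    "company-sso.com",           # hyphenated shape
    "vpn-c0mpany.net",
    "okta.company-helpdesk.com",
    "sso.company.com",           # legitimate, under an owned domain
    "companyservices.com",       # contains the name but no lure keyword
    "shop.example.org",          # unrelated
]

if __name__ == "__main__":
    for dom, why in scan(SAMPLE_FEED, "Company", {"company.com"}).items():
        print(f"{dom:32} {why}")
```

Substring matching on "sso" will produce some noise (any label containing "assoc" will hit), so treat the output as a triage queue rather than a blocklist, and feed confirmed hits into your takedown and web-proxy processes.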

As mentioned, direct help desk contact has become a predominant initial access vector, aiming to convince staff to reset account passwords or modify multi-factor authentication settings. Having assembled employee dossiers, callers come prepared with personal and employment information sufficient to navigate verification questions. Elaborate scenarios involving urgent business needs or personal circumstances are created and used to coerce the recipient. Callers demonstrate intimate knowledge of internal processes, technical jargon, and recent IT tickets or system changes. 

Manipulation extends beyond impersonation to expressing frustration, creating urgency, and building rapport, combined with the persistence to wear down natural defences over lengthy conversations. When standard social engineering approaches fail, intimidation tactics can emerge. Employees have received threatening messages containing home addresses, family names, and explicit threats of violence. 

Abuse of Legitimate Tools 

Once inside a network: 

  • Legitimate remote access and system administration tools are typically preferred over traditional malware, avoiding antivirus detection while ensuring persistence through redundancy. Multiple remote access solutions may be deployed, such as ScreenConnect, TeamViewer, AnyDesk, Splashtop, RustDesk, FleetDeck, Zoho Assist, TacticalRMM, Pulseway, TightVNC, ITarian, ASG Remote Desktop, ManageEngine RMM, and Level.io. These tools are obtained through official channels, with each configured for unique connection methods. 
  • System administration tools are deployed including VMware PowerCLI for virtualisation control, RVTools for vSphere documentation, and various PowerShell capabilities for system management. Network tunneling tools like ngrok, Chisel, Tailscale, Pinggy, Teleport, and Rsocx create encrypted channels for data exfiltration and command execution, configured to communicate with legitimate-looking cloud infrastructure. 
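Because every tool in the list above is legitimate software, signature-based controls have little to say about it; what stands out is an RMM product that is not the one your organisation sanctions, a sanctioned client running from a user-writable path, or several products stacked on one host. The detector below is an added example written for this post, not code from the original article. It assumes constructed process-creation telemetry in the shape of Sysmon event ID 1 fields, that ScreenConnect is the hypothetical sanctioned product, and an executable-name mapping that is itself an assumption (vendors rename binaries, so build yours from your own software inventory).

```python
"""Surface remote-access tooling that is not the organisation's sanctioned product.

Input is constructed process-creation telemetry with Sysmon event ID 1 style
fields (Computer, User, Image, ParentImage); any EDR export carrying an
executable path and a hostname will do.
"""
from __future__ import annotations

import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Executable names for some of the products named above. This mapping is an
# assumption for the example, not an authoritative list.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "rustdesk.exe": "RustDesk",
    "tacticalrmm.exe": "TacticalRMM",
    "tvnserver.exe": "TightVNC",
}

# A managed deployment lands in Program Files via software management;
# these locations mean someone ran an installer by hand.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\desktop\\")


def is_user_writable(image: str) -> bool:
    lowered = image.lower()
    return "\\users\\" in lowered and any(m in lowered for m in USER_WRITABLE_MARKERS)


def load_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events: list[dict], sanctioned: set[str]) -> list[dict]:
    """Return findings for unsanctioned RMM use, odd install paths and stacking.

    Stacking (more than one RMM product on a host) is the redundancy pattern
    the post describes and is rare in a well-managed fleet.
    """
    findings: list[dict] = []
    products_per_host: dict[str, set[str]] = defaultdict(set)

    for ev in events:
        exe = PureWindowsPath(ev["Image"]).name.lower()
        product = RMM_BINARIES.get(exe)
        if product is None:
            continue
        products_per_host[ev["Computer"]].add(product)
        base = {"host": ev["Computer"], "user": ev["User"],
                "product": product, "image": ev["Image"]}
        if product not in sanctioned:
            findings.append({"rule": "unsanctioned_rmm", **base})
        elif is_user_writable(ev["Image"]):
            findings.append({"rule": "rmm_from_user_path", **base})

    for host, products in products_per_host.items():
        if len(products) > 1:
            findings.append({"rule": "rmm_stacking", "host": host,
                             "products": sorted(products)})
    return findings


# Constructed telemetry: WS01 has the sanctioned client plus two extras,
# WS02 runs the sanctioned client from a Downloads folder, SRV01 is clean.
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\rustdesk.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS02", "User": "CORP\\asmith", "Image": "C:\\Users\\asmith\\Downloads\\ScreenConnect.ClientService.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
"""

if __name__ == "__main__":
    for finding in analyse(load_events(SAMPLE_EVENTS), sanctioned={"ScreenConnect"}):
        print(finding)
```

Pair this with an application control policy that only allows your sanctioned client from its managed install path; the detector then becomes an audit of policy gaps rather than the control itself.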

In cloud environments, they demonstrate advanced tradecraft beyond initial access. AWS Systems Manager Inventory may be activated for discovery and lateral movement, unauthorised EC2 instances created, and Azure VM Access Extensions used for password resets and virtual machine modifications. Third-party services like FiveTran extract high-value service databases including Salesforce and Zendesk using legitimate API connectors. 

Identity Provider Exploitation 

Advanced understanding of modern identity providers is shown, particularly Entra ID and AD FS. After gaining administrative access, golden SAML attacks are implemented by adding rogue identity providers to federation trusts. Using tools like AADInternals, new domains are configured or existing federation settings modified to generate valid authentication tokens for any user, including claims for satisfied MFA requirements. Conditional access policies are modified to exclude their access from MFA requirements or add their IP ranges to trusted locations. 

Capability extends beyond Microsoft systems. In Okta environments, the Org2Org functionality - commonly used for mergers and acquisitions - has been abused to establish trust relationships with attacker-controlled tenants. This enables them to impersonate any desired user account within the target organisation, effectively bypassing normal authentication controls. 
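Federation and conditional access changes of the kind described in the two paragraphs above leave entries in the Entra ID audit log, and both should be so rare that a small triage routine can page on them. The script below is an added example for this post, not code from the original article or from Microsoft. Records are constructed in the shape of Microsoft Graph directoryAudit objects; the activity display names in the two watchlists are the ones we expect for these operations, which you should treat as an assumption and confirm against your own tenant's audit log before relying on them. The same approach applies to Okta's System Log for identity-provider and Org2Org changes, with different record shapes.

```python
"""Triage Entra ID audit records for federation and conditional access changes.

Records are constructed in the shape of Microsoft Graph ``directoryAudit``
objects (activityDisplayName, initiatedBy, targetResources, result).
"""
from __future__ import annotations

# Operations that can add or alter a federation trust (golden SAML preparation).
# Assumed activity names: verify the exact strings in your tenant.
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
    "Verify domain",
}

# Conditional access changes that can carve an attacker's sessions out of MFA.
CONDITIONAL_ACCESS_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
    "Add named location",
    "Update named location",
}


def actor_of(record: dict) -> str:
    """Return the UPN of the user, or the app name, that initiated the change."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def triage(records: list[dict], approved_operators: set[str]) -> list[dict]:
    """Return alerts for federation changes (always) and CA changes by anyone
    outside the small set of operators approved to make them."""
    approved = {a.lower() for a in approved_operators}
    alerts: list[dict] = []
    for r in records:
        activity = r.get("activityDisplayName", "")
        if activity in FEDERATION_ACTIVITIES:
            severity = "critical"  # change-managed and rare: always alert
        elif activity in CONDITIONAL_ACCESS_ACTIVITIES:
            if actor_of(r).lower() in approved:
                continue
            severity = "high"
        else:
            continue
        alerts.append({
            "severity": severity,
            "time": r.get("activityDateTime"),
            "activity": activity,
            "actor": actor_of(r),
            "targets": [t.get("displayName") for t in r.get("targetResources", [])],
            "result": r.get("result"),
        })
    return alerts


# Constructed records. company.example is a placeholder tenant domain and the
# helpdesk-agent account stands in for a help-desk identity taken over by phone.
SAMPLE_RECORDS = [
    {"activityDateTime": "2025-07-01T03:12:44Z",
     "activityDisplayName": "Set federation settings on domain", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk-agent@company.example"}},
     "targetResources": [{"displayName": "company.example"}]},
    {"activityDateTime": "2025-07-01T09:00:10Z",
     "activityDisplayName": "Update conditional access policy", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "iam-admin@company.example"}},
     "targetResources": [{"displayName": "Require MFA for all users"}]},
    {"activityDateTime": "2025-07-01T03:15:02Z",
     "activityDisplayName": "Update conditional access policy", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk-agent@company.example"}},
     "targetResources": [{"displayName": "Require MFA for all users"}]},
    {"activityDateTime": "2025-07-01T03:16:30Z",
     "activityDisplayName": "Add named location", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk-agent@company.example"}},
     "targetResources": [{"displayName": "Trusted offices"}]},
    {"activityDateTime": "2025-07-01T10:30:00Z",
     "activityDisplayName": "Reset user password", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk-agent@company.example"}},
     "targetResources": [{"displayName": "jdoe@company.example"}]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS, {"iam-admin@company.example"}):
        print(alert)
```

The approved-operator set should be tiny and tied to a change ticket; a help-desk identity appearing here at 03:00 is exactly the sequence the post describes, where a phone call becomes tenant-wide access.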

Privilege Escalation and Discovery 

While privileged access can be obtained through social engineering, access is also expanded through traditional technical means: 

  • Deploying traditional credential-access tools like Mimikatz and LaZagne alongside living-off-the-land approaches including ProcDump memory dumping and DCSync attacks. 
  • Taking domain controller VM snapshots and exfiltrating virtual disks for offline data extraction. 
  • Attaching domain controller virtual disks to their unmanaged VMs to dump the AD database (ntds.dit). 
  • Using Azure VM extensions to reset local administrator passwords and obtain the disks of cloud-joined systems. 

Rather than pursuing immediate technical objectives, significant time is invested in understanding target operations, identifying valuable data, and mapping business processes. Automated discovery tools including ADRecon, BloodHound, and PingCastle map Active Directory relationships and identify privilege escalation paths. Network scanning with Advanced IP Scanner and Angry IP Scanner identifies services of interest. However, it has also been observed that the pace at which they move towards objectives is accelerating. 

Reconnaissance also extends beyond standard network and domain enumeration: 

  • File shares are searched for network diagrams, password stores, and operational procedures. 
  • Email systems and collaboration platforms are assessed to understand business operations, ongoing projects, and communication patterns. 
  • IT documentation is read for backup procedures, disaster recovery plans, and security tool configurations. 
  • Git repositories are scanned for credentials and API secrets using automated tooling such as Trufflehog. 

Defence Evasion 

Awareness of operational security is maintained throughout an intrusion, actively evading detection with tactics beginning immediately after initial access. A frequently observed technique involves directly compromising security tools. Using privileged credentials, EDR consoles, SIEM platforms, and antivirus management systems are accessed, with detection rules modified, alerts suppressed, and exclusions created. Alert queues are cleared and these platforms leveraged to deploy malicious tooling while removing security products. 

Email security is another focus area. Mail flow rules are created to intercept security alerts, password reset notifications, and incident response communications, forwarding messages to attacker-controlled addresses while deleting them from target inboxes. 
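Rules of the kind just described share a recognisable shape: an external forward or redirect, a keyword filter on security or password language, and deletion of the original. The scorer below is an added example for this post, not code from the original article or from Microsoft. It assumes a constructed rule export shaped loosely like Exchange Online's Get-InboxRule output converted to JSON, plain SMTP addresses in the recipient fields, and company.example as a placeholder for the organisation's own mail domain.

```python
"""Score mailbox inbox rules for the interception pattern described above.

Input is a constructed export with fields loosely modelled on Get-InboxRule
(Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MarkAsRead,
SubjectContainsWords, BodyContainsWords) plus the owning Mailbox.
"""
from __future__ import annotations

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"company.example"}

# Terms drawn from the kinds of messages the post says these rules intercept.
SENSITIVE_TERMS = ("password", "reset", "security alert", "sign-in", "mfa",
                   "incident", "suspicious", "verification code")


def is_external(address: str) -> bool:
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def score_rule(rule: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); higher scores look more like interception."""
    if not rule.get("Enabled", True):
        return 0, ["disabled"]
    score, reasons = 0, []
    external = [a for a in rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                if is_external(a)]
    if external:
        score += 3
        reasons.append("forwards/redirects to external " + ", ".join(external))
    words = [w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])]
    matched = sorted({t for t in SENSITIVE_TERMS if any(t in w for w in words)})
    if matched:
        score += 2
        reasons.append("filters on " + ", ".join(matched))
    if rule.get("DeleteMessage"):
        # Deleting is far more telling when paired with a security keyword.
        score += 2 if matched else 1
        reasons.append("deletes the message")
    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks as read")
    return score, reasons


def suspicious_rules(rules: list[dict], threshold: int = 4) -> list[dict]:
    """Return rules scoring at or above ``threshold``, ready for a ticket."""
    out = []
    for r in rules:
        s, why = score_rule(r)
        if s >= threshold:
            out.append({"mailbox": r["Mailbox"], "name": r["Name"],
                        "score": s, "reasons": why})
    return out


# Constructed rule export for two mailboxes.
SAMPLE_RULES = [
    {"Mailbox": "jdoe@company.example", "Name": "Finance archive", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "Archive"},
    {"Mailbox": "jdoe@company.example", "Name": "Sync", "Enabled": True,
     "ForwardTo": ["drop@external-mail.example"],
     "SubjectContainsWords": ["password", "security alert"], "DeleteMessage": True},
    {"Mailbox": "asmith@company.example", "Name": "Vendor newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "DeleteMessage": True},
    {"Mailbox": "asmith@company.example", "Name": "IR noise", "Enabled": True,
     "BodyContainsWords": ["incident response", "suspicious login"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Mailbox": "jdoe@company.example", "Name": "Copy to manager", "Enabled": True,
     "ForwardTo": ["manager@company.example"]},
]

if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RULES):
        print(hit)
```

Run it over a scheduled export of all mailboxes rather than only on request: these rules are created early in an intrusion and are meant to suppress the very alerts that would otherwise prompt someone to look.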

Commercial VPN services are used to obscure their geographic location and blend in with common traffic, rotating between providers including Mullvad, ExpressVPN, NordVPN, Ultrasurf, Easy VPN, and ZenMate. They also employ rotating residential proxy services that route traffic through legitimate home connections, making their authentication attempts appear as normal user behaviour rather than suspicious. 

Somewhat audaciously, they have joined incident response calls to monitor defensive actions and adapt their intrusion techniques based on the insights they gather directly from responders. 

Data Collection and Impact 

Data theft operations reveal clear financial motivations and business understanding. Information monetisable through extortion is systematically identified and exfiltrated. Targets include customer databases, financial records, strategic plans, source code repositories, and email archives. Multiple exfiltration methods are employed: 

  • File-hosting services, including GoFile[.]io, Mega[.]nz, Transfer[.]sh, Storj, Temp[.]sh, Paste[.]ee, put[.]io, wasabi[.]com, and Backblaze. MEGA is preferred for its zero-knowledge encryption, Bitcoin payment acceptance, and cross-platform support, with MEGAsync and Rclone being the client applications typically used to upload data to the service. 
  • Automated data movement platforms like Azure Data Factory with pipelines are configured to extract data to external actor-hosted SFTP servers. 

Database access is facilitated through native tools like Azure SQL Query Editor, DBeaver, MongoDB Compass, S3 Browser, and specialised platforms like Cerebrata and FiveTran for enterprise data connectors. Legitimate backup solutions such as Veeam, AFI Backup, and CommVault are registered to expedite exfiltration of SharePoint document libraries and other repositories. 
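Uploads to the file-hosting services listed above are visible at the web proxy, as is the client software doing the uploading. The script below is an added example for this post, not tooling from the original article. It assumes a constructed CSV proxy log with the columns shown; a domain list built from the services the post names, extended with API and storage endpoint domains (mega.co.nz, wasabisys.com, backblazeb2.com) that are an assumption on our part; and user-agent prefixes for rclone and MEGAsync that are likewise assumed and should be captured from your own proxy for accuracy.

```python
"""Flag uploads to file-hosting services and bulk outbound volume in proxy logs.

Input is a constructed CSV proxy log (time, user, src_ip, dest_host, method,
bytes_out, user_agent); adapt the column names to your proxy's export.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

# Services the post names as exfiltration destinations, keyed by registrable
# domain. The API/storage endpoint entries are an assumption.
FILE_HOSTS = {
    "gofile.io": "GoFile", "mega.nz": "MEGA", "mega.co.nz": "MEGA",
    "transfer.sh": "Transfer.sh", "storj.io": "Storj", "temp.sh": "Temp.sh",
    "paste.ee": "Paste.ee", "put.io": "put.io", "wasabi.com": "Wasabi",
    "wasabisys.com": "Wasabi", "backblaze.com": "Backblaze",
    "backblazeb2.com": "Backblaze B2",
}

# Assumed user-agent prefixes for the sync clients the post associates with MEGA.
CLIENT_UA_PREFIXES = ("rclone/", "MEGAsync", "megacmd")


def service_for(host: str) -> str | None:
    """Match a hostname against FILE_HOSTS by walking its parent domains."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in FILE_HOSTS:
            return FILE_HOSTS[candidate]
    return None


def analyse(log_text: str, volume_threshold_bytes: int = 500_000_000) -> list[dict]:
    """Return findings for sync-client user agents, uploads to file hosts and
    users whose total outbound volume crosses the threshold."""
    findings: list[dict] = []
    upload_bytes: dict[tuple[str, str], int] = defaultdict(int)
    total_bytes: dict[str, int] = defaultdict(int)
    seen_ua: set[tuple[str, str]] = set()

    for row in csv.DictReader(StringIO(log_text.strip())):
        user, dest, sent = row["user"], row["dest_host"], int(row["bytes_out"])
        total_bytes[user] += sent
        service = service_for(dest)
        if service and row["method"] in ("PUT", "POST"):
            upload_bytes[(user, service)] += sent
        ua_prefix = next((p for p in CLIENT_UA_PREFIXES
                          if row["user_agent"].startswith(p)), None)
        if ua_prefix and (user, dest) not in seen_ua:
            seen_ua.add((user, dest))
            findings.append({"rule": "sync_client_ua", "user": user,
                             "dest": dest, "user_agent": row["user_agent"]})

    for (user, service), sent in upload_bytes.items():
        findings.append({"rule": "file_host_upload", "user": user,
                         "service": service, "bytes_out": sent})
    for user, sent in total_bytes.items():
        if sent >= volume_threshold_bytes:
            findings.append({"rule": "bulk_outbound", "user": user, "bytes_out": sent})
    return findings


# Constructed log: jdoe pushes ~560 MB to MEGA and GoFile overnight with sync
# clients; asmith and bwong are ordinary browsing.
SAMPLE_LOG = """time,user,src_ip,dest_host,method,bytes_out,user_agent
2025-07-01T02:14:03Z,jdoe,10.20.30.41,g.api.mega.co.nz,POST,214748364,MEGAsync/5.3.1
2025-07-01T02:19:47Z,jdoe,10.20.30.41,g.api.mega.co.nz,POST,322122547,MEGAsync/5.3.1
2025-07-01T02:30:12Z,jdoe,10.20.30.41,upload.gofile.io,PUT,50000000,rclone/v1.66.0
2025-07-01T09:01:00Z,asmith,10.20.30.77,www.microsoft.com,GET,1200,Mozilla/5.0
2025-07-01T09:05:00Z,asmith,10.20.30.77,teams.microsoft.com,POST,3400000,Mozilla/5.0
2025-07-01T11:12:00Z,bwong,10.20.30.90,put.io,GET,900,Mozilla/5.0
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The volume threshold is the weakest of the three signals on its own, so tune it per role, but combined with a file-host destination or a sync-client user agent it is a strong indicator worth an immediate look; blocking the listed services outright at the proxy is the cheaper control where the business can tolerate it.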


The shift to ransomware operations marked a significant capability and objective escalation. Initially affiliated with ALPHV/BlackCat starting in mid-2023, the group has since worked with multiple ransomware-as-a-service operations including RansomHub and DragonForce. Deployment also targets virtualisation infrastructure, with capability for VMware ESXi. Virtual machine encryption affects numerous systems simultaneously while complicating recovery efforts, maximising organisational disruption. 

Defence Needs to Move Fast 

Defending against modern threats requires deep understanding of the threat landscape and the ability to respond as quickly as our adversaries. Our Managed Detection and Response service is built on an intelligence-driven foundation that provides continuous monitoring and security engineering to detect emerging intrusion methods and build lasting mitigations against them. 
 
If you'd like to better understand how we can help you defend your business, please reach out to us to book a call. 

Resources 

The following posts have been instrumental in helping us to form this blog series, and we’d encourage you to show them your support: 

 


About the author

Chris Campbell

Chris was that notoriously disobedient kid who sat at the back of the class and always seemed bored, but somehow still managed to ace all of his exams. Obsessed with the finer details and mechanics of everything in both the physical and digital realms, Chris serves as the Principal Security Architect within the Inde Security Team. His ventures into computer security began at an early age and haven't slowed down since. After a decade spent across security and operations, and evenings spent diving into the depths of malware and operating systems, he brings a wealth of knowledge to Inde along with a uniquely adversary focused approach to defence. Like many others at Inde, Chris likes to unwind by hitting the bike trails or pretending to be a BBQ pitmaster. He is also heavily involved in the leadership of security events, trust groups and research projects.
