attack-path / financial services / cred-theft-lateral-movement

Cred theft AA24-057A

Engine-driven compliance rail for Credential theft → MFA fatigue → lateral movement (remote-user SaaS path) on the Financial Services protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.

resolved atFinancial Services · Hybrid SaaS + VPC · Remote user opens a SaaS application
step 01TF2observedATT&CK T1110
stage 2

Adversary obtains password via brute force or password spraying against a remote-user SaaS login surface. AA24-057A: "SVR use password spraying and brute forcing as an initial infection vector."

mitigating controls
idpmfa-authenticatorca-pkikms-secretspam
in-scope provisions (6)
  • partial3.A - Change Default Passwordscisa-cpgs-v2disc:highpendingEvidence
  • partial3.B - Establish Minimum Password Strengthcisa-cpgs-v2disc:highpendingEvidence
  • partial3.F - Implement Multifactor Authentication (Mfa)cisa-cpgs-v2disc:highpendingEvidence
  • partial3.G - Administrators Maintain Separate User And Privileged Accountscisa-cpgs-v2disc:highpendingEvidence
  • partial§314.4(c)(1) Access controls — least-privilege baseline + as-appropriate physicalglba-safeguardsdisc:highpendingEvidence
  • partial§314.4(c)(5) Multi-Factor Authentication — universal default + QI compensating-control surfaceglba-safeguardsdisc:highpendingEvidence
obligation
no regulatory clock for this step
protect-surface storyline (DAAS cards)
  1. 01
    Initial Access
    identity-svc
    Phishing-resistant MFA is not enforced for every principal. A high-privilege identity yields its password to a phishing portal; the PE accepts the reused secret.
  2. 02
    Discovery
    crm
    The compromised identity logs into Salesforce and pivots through field-level data, mapping the customer base and the privileged-user list for the next hop.
  3. 03
    Lateral Movement
    google-workspace
    The same federated identity is replayed against Google Workspace. AA24-057A documents Midnight Blizzard’s SaaS-to-SaaS pivots via OAuth tokens granted under the assumed principal.
  4. 04
    Exfiltration
    customer-pii
    Customer PII is exported through legitimate SaaS APIs under the stolen identity — no anomaly fires because the access pattern is a valid-account one (T1078).