The FBI and CISA have issued a joint advisory requesting that victims of the Scattered Spider ransomware group provide details on its attack methods in a bid to tackle the gang.
The advisory provides details on Scattered Spider’s previous extortion strategies, recommending a number of steps organizations can take to reduce their exposure to attacks from the group.
In a call to action, the agencies also requested organizations provide any relevant information or materials they have regarding the group.
This includes ransom notes, communications with Scattered Spider group actors, Bitcoin wallet information, and decryptor files.
Scattered Spider has emerged as one of the most active and aggressive ransomware groups in recent months. The group has also been referred to as Starfraud, Scatter Swine, Octo Tempest, and Muddled Libra.
Scattered Spider: Tactics, techniques, and procedures (TTPs)
The group has been known to engage in data extortion, as well as several other criminal activities, and is purported to be highly proficient in social engineering techniques, according to the advisory.
Some of the social engineering techniques employed by the group to obtain credentials and access a victim’s network include phishing, push bombing, multi-factor authentication (MFA) fatigue, and subscriber identity module (SIM) swap attacks.
Once it gains initial access, the group can install remote access tools and bypass MFA.
With access to an organization’s network, Scattered Spider uses publicly available, legitimate remote access tunneling tools that enable remote monitoring and management of internal systems, credential extraction, and the remote connection of network devices.
These legitimate tools are used in combination with malware such as AveMaria (also known as WarZone), Racoon Stealer, VIDAR Stealer, according to CISA.
AveMaria enables remote access to a victim’s systems; whereas Racoon Stealer and VIDAR Stealer (as their names suggest) steal information such as login credentials, browser history, cookies, and other sensitive data.
A recent method the FBI has observed Scattered Spider threat actors using is the encryption of exfiltrated files and communicating with targets via TOR, tox, email, or encrypted applications.
Reconnaissance techniques
Reconnaissance techniques employed by Scattered Spider were a key concern highlighted in the joint advisory.
Threat actors have frequently been found to search victim’s Slack, Microsoft Teams, and Microsoft Exchange platforms to determine if their activities have been uncovered.
“The threat actors frequently join incident remediation and response calls and teleconferences, like to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses,” CISA warned.
“This is sometimes achieved by creating new identities in the environment and is often upheld with fake social media profiles to backstop newly created identities.”
Scattered Spider attacks
In December 2022, CrowdStrike released an investigation of “an extremely persistent intrusion campaign” from the Scattered Spider group, where the group used ‘bring your own driver’ (BYOD) style attacks.
These attacks involve planting a legitimate, but vulnerable, driver in the target system, which the threat actors subsequently exploit to execute malicious code on the victim’s network.
The objective of this campaign was reported to be gaining access to mobile carrier networks in order to engage in SIM swapping activities.
A notable attack by the group involved shutting down the systems of hotel conglomerate MGM Resorts in September 2023. The attack, which gained access to the company’s Okta Agent servers, caused a system outage that took ten days to be rectified.
This whitepaper shares insights that will help you get ahead of the latest cyberthreats
DOWNLOAD NOW
Described as a “highly motivated financial cybercriminal group” in Microsoft’s October 2023 Threat Intelligence Report, which refers to the group as Octo Tempest, the group is reported to have become an affiliate of the ALPHV/BlackCat ransomware as a service (RaaS) operation.
Microsoft’s report highlights the fact organizations’ threat models do not tend to cover attack vectors such as SMS phishing, SIM swapping, and advanced social engineering techniques that Scattered Spider are known to employ.
As such, both Microsoft’s threat report and the FBI and CISA’s advisory provide a number of procedures organizations should follow in order to mitigate the risk of falling prey to one of the group’s varied social engineering techniques.
These mitigations apply to all critical infrastructure organizations and network defenders, and include implementing application controls, auditing remote access tools, limiting use of remote desktop services, and using tools to log and report all suspicious network traffic activity.
