Understanding the Scattered Spider Cybercriminal Group

Plenty of cybercriminal groups come and go, but a few stand out for how reliably they get past modern defenses. One that has drawn sustained attention from defenders and law enforcement is the group tracked as Scattered Spider.

What makes the group interesting is not novel malware but its tradecraft: it attacks people, help desks and identity systems rather than software, and it adapts quickly when those attacks are detected.

In this post we look at who Scattered Spider is, how the group operates from first contact through extortion, and which controls actually blunt its favored techniques. Bracketed identifiers such as [T1219] are MITRE ATT&CK technique IDs.

Background of Scattered Spider

Scattered Spider is a cybercriminal group known for attacking large companies and the IT help desks contracted to them.

Their core business is data theft used as leverage for extortion; more recently the group has also deployed BlackCat/ALPHV ransomware on victim systems.

Scattered Spider’s expertise lies in the art of social engineering, with their favored techniques being phishing, push bombing, and SIM swap attacks.

They cleverly employ these strategies to secure credentials, install remote access tools, and bypass multi-factor authentication (MFA). These techniques enable them to infiltrate and navigate through their victims’ networks.

The group’s threat actors are adept at impersonating company IT or helpdesk staff, a guise they use to gain network access. This impersonation often involves convincing employees to run commercial remote access tools, share their one-time password (OTP), or press the “Accept” button on repeated MFA notification prompts.

They have also persuaded cellular carriers to transfer control of a targeted user’s phone number to a SIM they hold (a SIM swap), which gives them the user’s phone-based MFA codes and prompts.

Upon entering a network, Scattered Spider threat actors utilize legitimate remote access tunneling tools and malware to explore and exploit the victim’s digital infrastructure.

They evade detection and maintain access by living off the land: using built-in tooling and applications the organization already allows, and changing their TTPs frequently.

Their targets within the network typically include SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and instructions for setting up or logging into Virtual Private Networks (VPNs).

Latest TTPs Employed by Scattered Spider

Encryption of Victim Files

The FBI has observed a shift in Scattered Spider’s tactics: in addition to stealing sensitive data, the actors now also encrypt the victim’s files after exfiltration [T1486]. This is classic double extortion. Restoring from backups removes the encryption lever, but the stolen copy is still in the actors’ hands, so a recovered network does not end the extortion.

Once data has been exfiltrated and encrypted, Scattered Spider contacts the victim over TOR, the Tox messenger, email, or other encrypted channels to negotiate.

Keep offline, tested backups and monitor for large outbound transfers: the encryption is the noisy part of the attack, but the exfiltration that precedes it is what gives the actors lasting leverage.

Execution, Persistence, and Privilege Escalation Tactics To Watch Out For

Scattered Spider’s persistence and privilege-escalation tradecraft is identity-centric rather than malware-centric.

After compromising a user’s account, the actors register their own MFA tokens on it so that access survives a session timeout or password change [T1556.006, T1606]. With sufficient privileges in the SSO tenant they go further: they add a federated identity provider that they control to the victim’s SSO tenant and enable automatic account linking [T1484.002].

Because the actors control that identity provider, they can assert any username in the authentication response, and automatic linking maps that assertion onto the matching existing account. The result is that they can sign in as any user in the tenant, and resetting the user’s password changes nothing, since the victim’s password is never checked by the attacker’s identity provider. This is the main privilege-escalation path observed [TA0004, T1078].

The actors also abuse the endpoint detection and response (EDR) tooling already deployed on victim networks. Most EDR consoles offer a remote-shell feature for responders; with console access, Scattered Spider uses that feature to run commands on endpoints under the EDR’s own trusted process.

Finally, they install commercial remote monitoring and management (RMM) tools [T1219] to keep a persistent, legitimate-looking path back into the environment.
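To make these persistence steps, and the push bombing described in the background section, concrete on the defensive side, here is an added Python example (not code from the original post or from any advisory) that runs three detections over constructed identity audit events: push fatigue, a new MFA factor enrolled shortly after a help-desk password reset, and any change to the tenant’s federated identity providers. The event schema, event names, users, addresses and timestamps are all assumptions; real Okta or Entra ID logs have to be mapped onto that shape before the detectors are run.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event, user, src_ip):
    """Build one event in the simplified, hypothetical schema used here."""
    return {"ts": ts, "event": event, "user": user, "src_ip": src_ip}


# Constructed sample log (assumed schema and event names, not a real IdP export).
SAMPLE_EVENTS = [
    # alice: help desk resets her password; 12 minutes later a new MFA factor is
    # enrolled from an outside address, then a federated IdP is added.
    ev("2023-09-10T08:00:00+00:00", "helpdesk.password_reset", "alice", "10.0.0.5"),
    ev("2023-09-10T08:12:00+00:00", "mfa.factor.enrolled", "alice", "203.0.113.7"),
    ev("2023-09-10T08:20:00+00:00", "idp.federation.added", "alice", "203.0.113.7"),
    # bob: six push challenges in five minutes, then one is accepted (push bombing).
    ev("2023-09-10T22:01:00+00:00", "mfa.push.sent", "bob", "198.51.100.9"),
    ev("2023-09-10T22:02:00+00:00", "mfa.push.sent", "bob", "198.51.100.9"),
    ev("2023-09-10T22:03:00+00:00", "mfa.push.sent", "bob", "198.51.100.9"),
    ev("2023-09-10T22:04:00+00:00", "mfa.push.sent", "bob", "198.51.100.9"),
    ev("2023-09-10T22:05:00+00:00", "mfa.push.sent", "bob", "198.51.100.9"),
    ev("2023-09-10T22:06:00+00:00", "mfa.push.sent", "bob", "198.51.100.9"),
    ev("2023-09-10T22:06:30+00:00", "mfa.push.accepted", "bob", "198.51.100.9"),
    # carol and dave: ordinary activity that must not be flagged.
    ev("2023-09-11T09:00:00+00:00", "mfa.push.sent", "carol", "10.0.0.8"),
    ev("2023-09-11T09:00:20+00:00", "mfa.push.accepted", "carol", "10.0.0.8"),
    ev("2023-09-11T10:00:00+00:00", "mfa.factor.enrolled", "dave", "10.0.0.9"),
]

IDP_CHANGE_EVENTS = {"idp.federation.added", "idp.account_linking.enabled"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received >= threshold push challenges inside any one window.

    Returns {user: most challenges seen in a single window}.
    """
    sends = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push.sent":
            sends[e["user"]].append(parse_ts(e["ts"]))
    flagged = {}
    for user, times in sends.items():
        times.sort()
        oldest, best = 0, 0
        for newest, t in enumerate(times):  # sliding window over sorted times
            while times[oldest] < t - window:
                oldest += 1
            best = max(best, newest - oldest + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def detect_post_reset_enrollment(events, window=timedelta(hours=1)):
    """MFA factor enrolled within `window` of a help-desk password reset.

    A reset followed by enrollment from a different source address is the
    help-desk-takeover pattern: the reset was requested by the attacker.
    """
    resets = defaultdict(list)
    for e in events:
        if e["event"] == "helpdesk.password_reset":
            resets[e["user"]].append((parse_ts(e["ts"]), e["src_ip"]))
    flagged = []
    for e in events:
        if e["event"] != "mfa.factor.enrolled":
            continue
        t = parse_ts(e["ts"])
        for reset_time, reset_ip in resets[e["user"]]:
            if timedelta(0) <= t - reset_time <= window:
                flagged.append({
                    "user": e["user"],
                    "minutes_after_reset": int((t - reset_time).total_seconds() // 60),
                    "new_source": e["src_ip"] != reset_ip,
                })
                break
    return flagged


def detect_idp_changes(events):
    """Every change to federated IdPs or account linking deserves a ticket."""
    return [{"user": e["user"], "event": e["event"]}
            for e in events if e["event"] in IDP_CHANGE_EVENTS]


def run_detections(events):
    return {
        "push_fatigue": detect_push_fatigue(events),
        "post_reset_enrollment": detect_post_reset_enrollment(events),
        "idp_changes": detect_idp_changes(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The three detectors are deliberately independent so each can be tuned separately: the push threshold and window depend on how chatty your MFA provider is, while the IdP-change detector should fire on a single event, because adding a federated identity provider is rare enough in most tenants to justify a human review every time.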

Cybercriminals Carrying Out Reconnaissance, Resource Cultivation, and Initial Access

Scattered Spider intrusions usually begin with phishing and smishing (SMS phishing). The lures point at domains built from the target organization’s name plus a login- or support-related keyword, so they read as internal portals at a glance.

Domains of the following form have been observed (defanged):

- victimname-sso[.]com

- victimname-servicedesk[.]com

- victimname-okta[.]com
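As an added example (not code from the original post or from any advisory), the following Python flags domains of the pattern above against an organization’s name, the kind of check you would run over a certificate-transparency or newly-registered-domain feed. The organization name "acme", its allowlist, the sample domain list and the keywords beyond sso, servicedesk and okta are assumptions; the check goes slightly beyond the three observed forms by also catching labels such as acme-sso-portal.

```python
# Keywords from the reported domains plus a few extra login/support terms
# (the extras are an assumption; extend them to match your environment).
KEYWORDS = ("sso", "servicedesk", "okta", "helpdesk", "mfa", "vpn", "login")


def refang(domain):
    """Normalize a domain: lower-case, strip whitespace and undo defanging."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def registrable_label(domain):
    """Return the label just left of the TLD (acme-sso for acme-sso.com).

    This naive split is wrong for multi-part suffixes such as co.uk; use a
    public-suffix-aware library (for example tldextract) in production.
    """
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_impersonation(label, org):
    """True if the label combines the org name with a portal keyword."""
    org = org.lower()
    if org not in label:
        return False
    # Strip the org name so an org called "login" does not match itself.
    remainder = label.replace(org, "")
    return any(kw in remainder for kw in KEYWORDS)


def flag_lookalikes(domains, org, allowlist=()):
    """Return the normalized domains that impersonate `org`.

    `allowlist` holds the organization's own registrable domains; anything
    equal to or underneath them (sso.acme.com) is legitimate and skipped.
    """
    hits = []
    for raw in domains:
        domain = refang(raw)
        if any(domain == a or domain.endswith("." + a) for a in allowlist):
            continue
        if looks_like_impersonation(registrable_label(domain), org):
            hits.append(domain)
    return hits


# Constructed sample feed (assumed names, not real observations).
SAMPLE_DOMAINS = [
    "acme-sso[.]com",
    "acme-servicedesk.net",
    "ACME-okta.com",
    "acme.com",
    "sso.acme.com",
    "acme-sso-portal.com",
    "acmecorp.org",
    "example.org",
    "okta.com",
]

if __name__ == "__main__":
    for d in flag_lookalikes(SAMPLE_DOMAINS, "acme", allowlist=("acme.com",)):
        print("lookalike:", d)
```

Short organization names will produce substring false positives (an org called "it" matches almost everything), so feed this a curated set of brand names rather than every string the company owns, and treat the output as a queue for registration-date and hosting lookups, not as a block list.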

Against users who respond to the phishing or smishing lure, the actors usually follow up with a SIM swap. They first work out which of the responding users are the most valuable, collect those users’ personally identifiable information (PII) and the answers to their security questions, and then use that information, together with the harvested usernames and passwords, to convince the carrier to move the victim’s phone number to a SIM they control.

They also work the organization’s own IT help desk: by impersonating the user and presenting the collected PII, they talk help-desk staff into resetting the user’s password and/or MFA tokens, which hands them the account outright. This is especially damaging in single sign-on (SSO) environments, where one account unlocks many applications.

Every step here is a people-and-process attack rather than a software exploit, which is why technical controls alone do not stop it: help-desk verification procedures, carrier account PINs and phishing-resistant MFA matter as much as any detection rule.

Discovery, Lateral Movement, and Data Theft

Once a target network is compromised, Scattered Spider threat actors go on the hunt. They search for valuable information like SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and VPN setup guides.

These actors dig into the victim’s Active Directory, find and steal code repositories, code-signing certificates, and source code.

To expand their reach in cloud environments, they query Amazon Web Services Systems Manager (SSM) Inventory to enumerate managed instances as targets for lateral movement, then move into both pre-existing and actor-created Amazon Elastic Compute Cloud (EC2) instances.
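Added example (not code from the original post): a Python check over constructed CloudTrail records that looks for the sequence just described, SSM inventory enumeration followed within a short window by sessions, commands or instance launches from the same principal. The principals, the placeholder account ID 111122223333, the timestamps and the automation allowlist are assumptions; the CloudTrail event names (GetInventory, ListInventoryEntries, DescribeInstanceInformation, StartSession, SendCommand, RunInstances) are the real ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail event names for SSM discovery calls an intruder would use to
# enumerate managed instances, and for the follow-on actions that reach them.
DISCOVERY = {"GetInventory", "ListInventoryEntries", "DescribeInstanceInformation"}
FOLLOW_ON = {"StartSession", "SendCommand", "RunInstances"}


def rec(time, source, name, arn, ip):
    """Build a minimal CloudTrail-shaped record (only the fields consumed here)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}


# Assumed principals; 111122223333 is a placeholder account ID.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
PATCHER = "arn:aws:sts::111122223333:assumed-role/PatchAutomation/patch-run"

# Constructed sample trail, not real log data.
SAMPLE_TRAIL = [
    rec("2023-09-10T09:00:00Z", "ssm.amazonaws.com", "GetInventory", ALICE, "203.0.113.7"),
    rec("2023-09-10T09:03:00Z", "ssm.amazonaws.com", "ListInventoryEntries", ALICE, "203.0.113.7"),
    rec("2023-09-10T09:10:00Z", "ssm.amazonaws.com", "StartSession", ALICE, "203.0.113.7"),
    rec("2023-09-10T09:25:00Z", "ec2.amazonaws.com", "RunInstances", ALICE, "203.0.113.7"),
    rec("2023-09-10T09:40:00Z", "ssm.amazonaws.com", "StartSession", ALICE, "203.0.113.7"),
    rec("2023-09-10T09:00:00Z", "ssm.amazonaws.com", "DescribeInstanceInformation", PATCHER, "10.0.1.20"),
    rec("2023-09-10T09:01:00Z", "ssm.amazonaws.com", "SendCommand", PATCHER, "10.0.1.20"),
    rec("2023-09-10T11:00:00Z", "ssm.amazonaws.com", "DescribeInstanceInformation", BOB, "10.0.1.30"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_ssm_pivots(records, known_automation=(), window=timedelta(hours=2)):
    """Principals that enumerated SSM inventory and then, within `window`,
    opened sessions, ran commands or launched instances.

    Returns {arn: {"discovery": [...], "followed_by": [...], "source_ips": [...]}}.
    Principals in `known_automation` are skipped; without that allowlist a
    legitimate patch or automation role trips the same rule.
    """
    by_principal = defaultdict(list)
    for r in records:
        by_principal[r["userIdentity"]["arn"]].append(r)

    findings = {}
    for arn, recs in by_principal.items():
        if arn in known_automation:
            continue
        recs.sort(key=lambda r: r["eventTime"])  # ISO-8601 "Z" timestamps sort lexically
        discovery = [r for r in recs
                     if r["eventSource"] == "ssm.amazonaws.com" and r["eventName"] in DISCOVERY]
        if not discovery:
            continue
        start = parse_ts(discovery[0]["eventTime"])
        follow = [r for r in recs
                  if r["eventName"] in FOLLOW_ON
                  and start < parse_ts(r["eventTime"]) <= start + window]
        if follow:
            findings[arn] = {
                "discovery": [r["eventName"] for r in discovery],
                "followed_by": [r["eventName"] for r in follow],
                "source_ips": sorted({r["sourceIPAddress"] for r in discovery + follow}),
            }
    return findings


if __name__ == "__main__":
    for arn, finding in find_ssm_pivots(SAMPLE_TRAIL, known_automation=(PATCHER,)).items():
        print(arn, finding)
```

The allowlist is the important design choice: SSM discovery followed by SendCommand is exactly what patch automation does every night, so the rule is only useful once the roles that are supposed to behave that way are excluded, and a new principal showing the same sequence from an address outside your ranges is then a strong signal.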

To exfiltrate data at scale, Scattered Spider brings its own extract, transform, and load (ETL) tooling and uses it to consolidate data from multiple sources into a central database before moving it out.

Additionally, recent incidents suggest that the threat actors may deploy BlackCat/ALPHV ransomware, encrypting VMware ESXi servers.

To evade detection and stay ahead of responders, Scattered Spider monitors the victim’s own communication platforms: Slack, Microsoft Teams and Exchange Online are searched for any email or conversation about the intrusion or the response to it.

The actors have repeatedly joined incident remediation and response calls, apparently to learn how the security team is hunting them and to develop new avenues of intrusion before the current one is closed.

They also create new identities (accounts) inside the victim environment [T1136], backed by fake social media profiles so that the accounts pass a casual check.

A practical consequence: once Scattered Spider is suspected, move the incident discussion to an out-of-band channel the actors cannot already read, and treat every invite and meeting link for that channel as sensitive.

Identity of Scattered Spider

Scattered Spider has so far largely evaded law enforcement. According to a Reuters report from November 2023, the FBI had known the identities of at least a dozen members of the group for more than six months.

Those individuals were implicated in the September 2023 attacks on the casino operators MGM Resorts International and Caesars Entertainment.

Industry executives expressed confusion over the lack of arrests, especially given that many of the hackers are reportedly based in the United States.

This situation highlights the challenges faced by law enforcement in dealing with cybercriminal groups like Scattered Spider, who continue to pose significant threats to organizations worldwide.

Protecting Against Scattered Spider

Because Scattered Spider lives on identity abuse, the highest-value control is continuous monitoring of identity events: help-desk password and MFA resets, new MFA factor enrollments, new federated identity providers added to the SSO tenant, and sign-ins from unfamiliar locations that follow any of those. Each of these is a normal event in isolation; the sequence is the signal.

Organizations should also harden against the phishing and help-desk social engineering the group relies on for initial access. User awareness training helps, but it should be paired with phishing-resistant MFA (FIDO2/WebAuthn hardware keys or platform authenticators) for privileged and help-desk accounts, since push notifications, OTPs and SMS codes are exactly what the group’s techniques are built to capture, and with a help-desk verification procedure that does not rely on PII an attacker can buy or harvest.

Scattered Spider has also used the bring-your-own-vulnerable-driver technique: loading a legitimately signed but vulnerable driver and exploiting it to disable security tooling. Patching the operating system does not block this on its own, because the attacker supplies the driver. Keep systems patched, but also enforce the platform’s vulnerable-driver blocklist (on Windows through Windows Defender Application Control or memory-integrity-backed blocklisting) and alert on new kernel driver loads on endpoints where drivers rarely change.

Understanding the tactics and techniques of groups like Scattered Spider is the foundation of defending against them. Studying the group’s TTPs and the indicators of compromise (IoCs) associated with its activity lets organizations build detections for the specific sequences it uses rather than waiting for a generic alert.

The threat landscape keeps changing, and Scattered Spider changes its TTPs frequently. Stay current on reporting about the group and invest in the identity, help-desk and backup controls above; they hold up even when the tooling changes.