A multi-national coalition of cybersecurity and law enforcement agencies has released a joint advisory detailing the evolving and sophisticated tactics of the cybercriminal group known as “Scattered Spider.”
The advisory, designated as AA23-320A, is a collaborative effort by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and international partners including the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). It serves as a critical update on the group’s activities, which have grown in scope and complexity, posing a significant threat to organizations worldwide.
“Scattered Spider,” also identified by various aliases such as “UNC3944,” “Octo Tempest,” and “Muddled Libra,” is a financially motivated threat actor that has been active since at least late 2022. The group has gained notoriety for its proficiency in social engineering, targeting large organizations, particularly in the telecommunications and IT sectors.
According to the advisory, the group’s tactics have evolved to include more sophisticated social engineering techniques. They are known to pose as company IT or helpdesk staff in phone calls or SMS messages to obtain employee credentials and gain initial access to networks. This often involves convincing employees to run commercial remote access tools, share one-time password (OTP) authentication codes, or even reset passwords and transfer Multi-Factor Authentication (MFA) to a device controlled by the attackers.
A key tactic highlighted in the advisory is “MFA fatigue” or “push bombing,” where the attackers overwhelm a user with a barrage of MFA push notifications until the target eventually approves one, granting the attackers access. Another method involves convincing cellular carriers to transfer control of a target’s phone number to a SIM card in their possession, a technique known as SIM swapping.
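The push-bombing pattern described above has a recognizable shape in authentication logs: a run of denied or unanswered MFA prompts for one account in a short window, sometimes followed by a single approval. The following detector is an added example written for this article, not code from the advisory or from any authoring agency; the log format and the sample lines are constructed, and the thresholds (three rejected pushes within ten minutes) are assumed starting points that a team would tune to its own identity provider's telemetry.

```python
"""Flag MFA push-bombing patterns in authentication logs.

Added example for this article; the log format, sample lines and thresholds
are constructed assumptions, not advisory content.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One event per line:
#   <ISO-8601 timestamp> <user> <result>
# result is one of: push_sent push_denied push_timeout push_approved
SAMPLE_LOG = """\
2023-11-16T08:00:01Z alice push_sent
2023-11-16T08:00:05Z alice push_approved
2023-11-16T22:14:02Z bob push_sent
2023-11-16T22:14:40Z bob push_denied
2023-11-16T22:15:03Z bob push_sent
2023-11-16T22:15:41Z bob push_timeout
2023-11-16T22:16:10Z bob push_sent
2023-11-16T22:16:48Z bob push_denied
2023-11-16T22:17:20Z bob push_sent
2023-11-16T22:17:55Z bob push_denied
2023-11-16T22:18:30Z bob push_sent
2023-11-16T22:18:41Z bob push_approved
"""

BURST_THRESHOLD = 3              # assumed: rejected pushes that count as a burst
WINDOW = timedelta(minutes=10)   # assumed: sliding window for the count


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_bombing(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts {user, kind, time, count}.

    kind == "burst": the user rejected or ignored `threshold` or more pushes
        within `window` (raised once per burst).
    kind == "approval_after_burst": a push was approved while the user's
        recent rejection count was still at or above the threshold; this is
        the outcome the advisory describes and the higher-severity signal.
    """
    rejects = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    burst_open = set()             # users already alerted for the current burst
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, result = parse_line(raw)
        q = rejects[user]
        # Slide the window: forget rejections older than `window`.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            burst_open.discard(user)
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"user": user, "kind": "burst",
                               "time": ts, "count": len(q)})
        elif result == "push_approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "kind": "approval_after_burst",
                               "time": ts, "count": len(q)})
            # An approval ends the sequence either way; start counting afresh.
            q.clear()
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(f"{alert['time'].isoformat()} {alert['user']} "
              f"{alert['kind']} (rejected pushes in window: {alert['count']})")
```

On the sample log, `alice` approves a single prompt and produces nothing, while `bob` triggers a `burst` alert on the third rejection and an `approval_after_burst` alert when the fifth prompt is accepted. In practice the second alert is the one worth paging on, since it marks the moment the attacker may have obtained a session; the first is a prompt to contact the user and to consider number-matching or phishing-resistant MFA, which removes the "approve" button that this technique relies on.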
Once inside a network, “Scattered Spider” employs “living off the land” (LOTL) techniques, using legitimate and publicly available remote access tunneling tools to navigate the compromised environment and evade detection. The advisory notes that the group has also been observed using various malware and ransomware variants to exfiltrate data and encrypt systems.
The primary goal of “Scattered Spider” is financial gain, which they achieve through various extortion methods. After exfiltrating sensitive data, they often deploy ransomware and threaten to leak the stolen information unless a ransom is paid. The group has been linked to the BlackCat/ALPHV ransomware-as-a-service (RaaS) operation.
In response to this escalating threat, the advisory outlines a series of mitigation strategies for organizations to implement. These include:
- Enforcing phishing-resistant MFA: This is a critical step to counter the group’s social engineering tactics.
- Implementing Application Controls: Managing and controlling the execution of software, including allowlisting remote access programs, can prevent the installation and execution of unauthorized tools.
- Auditing and Limiting Remote Access Tools: Organizations are urged to audit their networks for remote access tools, review logs for abnormal usage, and block unnecessary remote access ports and protocols.
- Maintaining Offline Backups: Regular and tested offline backups of data are crucial for recovery in the event of a ransomware attack.
- Employee Training and Awareness: Educating employees about social engineering tactics is vital to prevent them from falling victim to the group’s schemes.
The advisory serves as a stark reminder of the persistent and adaptive nature of cyber threats. The authoring organizations encourage all critical infrastructure organizations and commercial facilities to review the advisory and implement the recommended mitigations to reduce their risk of compromise.
Organizations that suspect they have been targeted by “Scattered Spider” are urged to report the incident to their local FBI field office or CISA’s 24/7 Operations Center.