By security practitioners, for security practitioners

Web of Influence: How Scattered Spider Is Intensifying Its Attacks

With targets ranging from hospitality to finance and telecommunications, Scattered Spider has cast a wide net of sophisticated attacks. The FBI has issued a warning to travelers and the public at large about the group’s activities, which include breaking into the systems of major airlines and putting data, specifically customer information, at risk.

The Scattered Spider group’s main goals in its attacks are to steal data and use it for extortion and to deploy BlackCat/ALPHV ransomware, which monetizes access to its victims’ networks.

Scattered Spider Tactics and Techniques

Security analysts note that the Scattered Spider group is using aggressive advanced social engineering and targeted phishing campaigns.

DragonForce, a ransomware-as-a-service operation, has collaborated with the Scattered Spider group, a partnership that has given Scattered Spider access to data leak platforms and encryption capabilities.

Working with DragonForce lets the group focus on getting into networks by manipulating its targets.

The group also employs a wide variety of sophisticated methods to breach targets and maintain persistent access over an extended period of time:

  • Targeted Phishing
  • SIM Swapping
  • Multifactor Authentication (MFA) Fatigue (also called “push bombing”)
  • Phone and SMS Impersonation
  • Tricking Employees into Installing Remote Access Tools
  • Capturing One-Time Passwords (OTPs)
  • Coercing Users to Approve MFA Prompts
  • Vishing
  • Exploiting IT Help Desks and Remote Access Services such as RDP
  • Using Ransomware in Addition to Data Theft for Extortion
  • Leveraging Multiple Social Engineering Tactics to Gain Access and Elevate Privileges

In a recent attack, the group opened with advanced social engineering that led to the compromise of the victim’s Entra ID, Active Directory, and virtual infrastructure.

Scattered Spider’s attack chain, according to security analysts, shows the group’s ability to combine careful planning with rapid execution, as well as its growing knowledge of on-premises and cloud-based IT infrastructure.

Scattered Spider’s Attack Plan

Scattered Spider launched an attack against an unidentified organization’s chief financial officer (CFO) through the organization’s Oracle Cloud authentication portal, according to a postmortem conducted by security analysts not too long ago.

Following this, they obtained the personal information of the Chief Financial Officer (CFO), which included the last four digits of the CFO’s social security number and the date of birth. This information was retrieved from previous breaches and public resources. This information enabled Scattered Spider to impersonate the CFO when calling the organization’s help desk and trick the staff there into resetting the CFO’s registered device and credentials.

After gaining access to the CFO’s account, Scattered Spider used its Entra ID (Microsoft Azure) mapping to locate sensitive files on SharePoint. This gave the attackers a more comprehensive understanding of the target’s cloud and on-premises infrastructure. Using the CFO’s credentials, they also gained access to the organization’s Horizon Virtual Desktop Infrastructure. They then used social engineering to compromise two additional accounts and, to keep remote access to the compromised machines, broke into the organization’s virtual private network (VPN) infrastructure.

While inside the target’s network, Scattered Spider extracted the NTDS.dit database, which contains Active Directory credentials, before using tools such as ngrok to maintain access to compromised virtual machines. It then extracted over 1,400 secrets and granted administrative privileges to the compromised accounts.

Expanding Attack Industries

Recent headlines illustrate how Scattered Spider has expanded its net and is targeting more industries, with its more recent victims including Aflac, Erie Insurance, and Philadelphia Insurance Company. Here are the methods used to attack some of the recent victims.

Caesars Hotel and Casino

The hackers called into the outsourced help desk, impersonating an IT user to reset credentials. This allowed the group to steal the customer loyalty database and get a $15 million ransom payment.

MGM Resorts

In this attack, the hackers used LinkedIn information, impersonated an employee, and reset the employee’s credentials, which then allowed the group to steal 6 TB of data. MGM refused to pay the ransom, which resulted in a 36-hour outage and a $100 million hit, and finally settled a class-action case for $45 million.

Transport for London

This Scattered Spider attack resulted in the exposure of 5,000 customers’ bank details and left 30,000 employees verifying their identities via in-person appointments.

The primary tactic behind these attacks was the abuse of help desk processes to reset credentials, including passwords and MFA factors required to access accounts.

These hackers gather enough information to call up the help desk impersonating an employee and then request to enroll a new device for MFA, which lets them change the account password using the self-service option and take over the account.
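The help-desk takeover chain described in the two paragraphs above is also a detection opportunity: each step (the help-desk MFA reset, the new MFA method, the self-service password change, the sign-in from an unfamiliar device) leaves an audit event in the identity provider, and the full sequence compressed into a short window is rare for legitimate users. The Python script below is an added example, not code from the article or from Novacoast; the event names, the pipe-delimited field layout, the two-hour window and the sample audit lines are constructed assumptions to be mapped onto your own identity provider’s audit log.

```python
"""Flag accounts where a help-desk MFA reset is followed, in order and within a
short window, by new MFA enrollment, a self-service password change and a
sign-in from a never-before-seen device.

Added example: event kinds, the log layout and the sample lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Steps of the takeover chain, in the order they must occur (constructed names).
CHAIN = ("helpdesk_mfa_reset", "mfa_method_added",
         "sspr_password_changed", "signin_new_device")
WINDOW = timedelta(hours=2)  # constructed threshold; tune to the help-desk SLA


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    actor: str  # help-desk operator id, or the user principal for self-service steps


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: ISO-8601 time|user|event kind|actor."""
    ts, user, kind, actor = (field.strip() for field in line.split("|"))
    return Event(datetime.fromisoformat(ts), user, kind, actor)


def find_takeover_chains(events: Iterable[Event],
                         window: timedelta = WINDOW) -> dict[str, list[Event]]:
    """Return, per user, the first complete CHAIN whose last step falls within
    `window` of the help-desk reset that started it.  Steps must appear in order;
    unrelated events between them are ignored."""
    by_user: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    hits: dict[str, list[Event]] = {}
    for user, evs in by_user.items():
        for start_idx, start in enumerate(evs):
            if start.kind != CHAIN[0]:
                continue  # only a help-desk reset can open a chain
            matched = [start]
            step = 1
            for ev in evs[start_idx + 1:]:
                if ev.ts - start.ts > window:
                    break  # too slow to be the same takeover; try a later reset
                if ev.kind == CHAIN[step]:
                    matched.append(ev)
                    step += 1
                    if step == len(CHAIN):
                        hits[user] = matched
                        break
            if user in hits:
                break
    return hits


# Constructed sample audit log.  cfo@ shows the full chain in under ten minutes;
# alice@ re-enrolls MFA six hours after a reset (outside the window); bob@ does
# self-service changes with no help-desk reset at all.  Only cfo@ should alert.
SAMPLE_LOG = """
2025-07-14T09:02:11|cfo@example.test|helpdesk_mfa_reset|helpdesk-op-17
2025-07-14T09:05:40|cfo@example.test|mfa_method_added|cfo@example.test
2025-07-14T09:07:03|cfo@example.test|sspr_password_changed|cfo@example.test
2025-07-14T09:09:55|cfo@example.test|signin_new_device|cfo@example.test
2025-07-14T10:15:00|alice@example.test|helpdesk_mfa_reset|helpdesk-op-02
2025-07-14T16:40:00|alice@example.test|mfa_method_added|alice@example.test
2025-07-15T08:00:12|bob@example.test|mfa_method_added|bob@example.test
2025-07-15T08:01:30|bob@example.test|sspr_password_changed|bob@example.test
"""


def scan(log_text: str) -> dict[str, list[Event]]:
    """Parse a whole log and return the flagged chains keyed by user."""
    events = [parse_line(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    return find_takeover_chains(events)


if __name__ == "__main__":
    for user, chain in scan(SAMPLE_LOG).items():
        elapsed = chain[-1].ts - chain[0].ts
        print(f"ALERT {user}: help-desk reset -> new-device sign-in in {elapsed}; "
              f"reset performed by {chain[0].actor}")
```

The rule deliberately requires the help-desk reset as the opening step, so ordinary self-service MFA and password changes do not alert; the actor of that first event is carried into the alert so the help-desk ticket and the verification performed can be reviewed. Tightening or loosening the window trades missed slow takeovers against noise from legitimate same-day re-enrollments.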

Preventing and Remediating Scattered Spider

Security researchers say that successfully defending against Scattered Spider requires a combination of tactics: strong identity verification, strict control over remote access, phishing-resistant MFA, comprehensive and strict monitoring, and strong incident response and recovery planning.

Top 7 Preventative Tactics

Experts suggest these methods to reduce attack surfaces and help strengthen security and prevent attacks.

  1. Implement strong identity verification methods that prevent social engineering attacks targeting help desks.
  2. Hardware tokens or number-matching MFA provide more robust security than basic push notifications and one-time passcodes.
  3. Controlling and restricting RDP and similar services helps reduce the attack surface.
  4. Using an allowlist to control software execution, especially for remote access programs, also improves security.
  5. Well-configured EDR solutions with actively monitored alerts improve endpoint coverage.
  6. Use web proxies to block malicious or suspicious domains.
  7. Monitor data stores for unusual activity that indicates a breach in progress.

Top Remediation Techniques

An organization’s threat team should begin incident response and remediation if Scattered Spider attacks their infrastructure. Security analysts have found these techniques help remediate attacks by Scattered Spider.

  1. Disconnect and isolate compromised systems.
  2. Reset the credentials of privileged accounts.
  3. Remove remote access tools such as TeamViewer and AnyDesk, as well as malicious scheduled tasks and startup entries, and rebuild compromised domain controllers if needed.
  4. Patch exploited vulnerabilities in domain controllers, hypervisors, and VPNs and restrict vulnerable drivers.
  5. Run updated antivirus scans, in-depth threat hunts, and closely monitor authentication logs to detect signs of re-entry.
  6. Restore systems using clean backups, deploy endpoint detection and response (EDR) tools, enforce phishing-resistant MFA such as FIDO2 keys, enforce least privilege, and regularly test offline backups.

While Scattered Spider’s attacks are the latest in what appears to be a trend in identity-based breaches, a review of the group’s evolution shows that its tactics aren’t new. Identity-based TTPs are the new normal in cyberattacks. It’s vital not to treat these techniques as specific to Scattered Spider; this group is not alone in using identity as an attack pattern. Identity-based attack patterns are shared across several groups, including Lapsus$, Yanluowang, Karakurt, and ShinyHunters. In addition, Russian state-sponsored threat actors have also increasingly used these techniques.
