Scattered Spider: Leveraging Social Engineering for Extortion - CISA Alert AA23-320A


On November 16, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a cybercriminal group called Scattered Spider [1]. Scattered Spider is known to target large organizations in telecom with data extortion and ransomware attacks. The group is an affiliate of the infamous BlackCat (ALPHV) ransomware group.

In this blog, we explain the tools and TTPs used by Scattered Spider and how organizations can defend themselves against Scattered Spider attacks.


Scattered Spider APT Group

Scattered Spider is a financially motivated data extortion and ransomware group that targets large organizations. The group has been active since late 2022 and has several aliases, such as Muddled Libra, 0ktapus, Starfraud, Scatter Swine, and UNC3944. As a financially motivated threat group, Scattered Spider targets large organizations in the telecommunication, entertainment, and IT industries. The recent MGM Casino and Caesars Entertainment ransomware attacks were attributed to Scattered Spider.

The group is proficient in social engineering and uses phishing, vishing, MFA bombing, and SIM-swapping techniques to gain initial access to their victims’ networks. After initial access, Scattered Spider relies on Living-off-the-Land techniques and allowlisted applications to conduct reconnaissance and lateral movement in the compromised network. The threat actors also evade detection by using publicly available, legitimate remote access and tunneling tools to exfiltrate data from the compromised network. Recently, Scattered Spider added ransomware to their extortion tactics, threatening to release stolen data unless the ransom is paid. Scattered Spider is an affiliate of the BlackCat (ALPHV) Ransomware-as-a-Service (RaaS) group and uses BlackCat’s TTPs and ransomware payloads in its attacks.

Tools and Techniques Used by Scattered Spider Threat Group

Scattered Spider is known for its social engineering skills and defense evasion techniques. The group uses these techniques to take over valid user accounts and compromise the target network without raising an alert. Depending on the target environment, the adversaries quickly modify their TTPs and change the tools used in their campaigns. The tools and techniques used by Scattered Spider are as follows:

Initial Access

T1566 Phishing

Scattered Spider uses various phishing techniques to trick users into resetting passwords, disabling MFA, and installing remote access tools. Threat actors often use phone calls or SMS to impersonate legitimate users or help desk personnel in phishing attacks.

T1078 Valid Accounts

Adversaries use valid accounts to gain initial access to the target network. These accounts are obtained via phishing attacks or MFA bombing (fatigue) attacks. In MFA bombing attacks, threat actors repeatedly spam MFA prompts until the target user accidentally or unknowingly approves one of them. In some cases, Scattered Spider attackers threatened users into giving up their passwords and MFA tokens. Valid accounts also allow attackers to establish persistent connections to the target network.

Execution

T1648 Serverless Execution

Threat actors install and use Extract, Transform, and Load (ETL) tools to collect data from compromised cloud environments to a centralized database.

T1204 User Execution

Scattered Spider tricks users into installing remote access tools or disabling MFA via vishing attacks.

Persistence

T1556.006 Modify Authentication Process: Multi-Factor Authentication

After compromising a valid account, Scattered Spider attackers register their own MFA tokens to prevent their victims from taking back their accounts.

Privilege Escalation

T1484.002 Domain Policy Modification: Domain Trust Modification

Scattered Spider abuses the victim’s SSO tenant to elevate their privileges by adding a federated identity provider and activating account linking.

Defense Evasion

T1578.002 Modify Cloud Compute Infrastructure: Create Cloud Instance

Adversaries create new Amazon EC2 instances in the victim’s AWS environment for data collection and staging.
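A defender's view of the technique above is the CloudTrail record that every RunInstances call leaves behind. The following added example (not from the advisory or from Picus) parses constructed CloudTrail-style records and flags instance launches that fall outside a baseline: a region the organization does not use, a principal that does not normally launch instances, or an IAM user session without MFA. The account ID, ARNs, IP addresses and the baseline sets are placeholders and assumptions for illustration.

```python
"""Flag EC2 RunInstances events that deviate from an expected baseline (T1578.002).

Added detection example; the CloudTrail records below are constructed, and the
baseline sets are assumptions to be replaced with the organization's own inventory.
"""
import json

# Assumption: the organization only deploys compute in these regions.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}
# Assumption: only this role normally launches instances (placeholder ARN).
KNOWN_LAUNCHERS = {"arn:aws:iam::123456789012:role/ci-deploy"}

# Constructed CloudTrail-style records (placeholder account ID and ARNs).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-11-16T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-771",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"},
                                         "attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2023-11-16T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.57",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe",
                      "userName": "jdoe",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"instanceType": "r5.4xlarge"}},
    {"eventTime": "2023-11-16T14:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "203.0.113.57",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jdoe",
                      "userName": "jdoe"}},
]})


def principal_of(identity):
    """Return the stable principal: the issuing role for role sessions, else the caller ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or identity.get("arn", "<unknown>")


def analyze_trail(trail_json, expected_regions=EXPECTED_REGIONS, known_launchers=KNOWN_LAUNCHERS):
    """Return one finding per RunInstances record that breaks at least one baseline rule."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        ident = rec.get("userIdentity", {})
        principal = principal_of(ident)
        reasons = []
        if rec.get("awsRegion") not in expected_regions:
            reasons.append("unexpected-region")
        if principal not in known_launchers:
            reasons.append("unknown-principal")
        # A human IAM user launching compute without an MFA-backed session is worth a look.
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if ident.get("type") == "IAMUser" and mfa != "true":
            reasons.append("iam-user-without-mfa")
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "principal": principal,
                "region": rec.get("awsRegion"),
                "source_ip": rec.get("sourceIPAddress"),
                "instance_type": rec.get("requestParameters", {}).get("instanceType"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_trail(SAMPLE_TRAIL):
        print(finding)
```

The CI role launch in an expected region produces nothing; the IAM user launching a large instance in an unused region without MFA trips all three rules. In practice the baseline sets would be fed from an asset inventory rather than hard-coded.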

T1656 Impersonation

Scattered Spider threat actors impersonate legitimate users or IT help desk personnel to reset passwords, disable MFA, and install remote access tools.

Credential Access

T1621 Multi-Factor Authentication Request Generation

Scattered Spider uses MFA fatigue attacks to lead their victims to accidentally or unknowingly accept MFA prompts to gain access to their accounts.
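The MFA bombing described here (and under T1078 above) and the attacker-registered MFA tokens described under T1556.006 both leave traces in identity provider logs. The following added example (not part of the advisory or the Picus platform) runs two detections over constructed sign-in and audit events: a burst of push prompts for one user inside a short window, and a new MFA factor enrolled shortly after a help-desk password reset. The JSON-lines event shape, field names, thresholds and user names are assumptions for illustration, not any vendor's schema.

```python
"""Detect MFA fatigue bursts (T1621) and post-reset MFA enrollment (T1556.006).

Added example over constructed, vendor-neutral identity events; field names,
thresholds and windows are assumptions to be tuned to the real IdP's logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from a real tenant).
SAMPLE_LOG = """\
{"ts": "2023-11-16T09:00:00Z", "user": "alice", "event": "mfa.push.sent", "result": "denied"}
{"ts": "2023-11-16T09:00:30Z", "user": "alice", "event": "mfa.push.sent", "result": "denied"}
{"ts": "2023-11-16T09:01:00Z", "user": "alice", "event": "mfa.push.sent", "result": "timeout"}
{"ts": "2023-11-16T09:01:30Z", "user": "alice", "event": "mfa.push.sent", "result": "denied"}
{"ts": "2023-11-16T09:02:00Z", "user": "alice", "event": "mfa.push.sent", "result": "denied"}
{"ts": "2023-11-16T09:02:40Z", "user": "alice", "event": "mfa.push.sent", "result": "approved"}
{"ts": "2023-11-16T09:05:00Z", "user": "bob", "event": "mfa.push.sent", "result": "approved"}
{"ts": "2023-11-16T09:40:00Z", "user": "bob", "event": "mfa.push.sent", "result": "approved"}
{"ts": "2023-11-16T10:00:00Z", "user": "carol", "event": "password.reset", "actor": "helpdesk"}
{"ts": "2023-11-16T10:12:00Z", "user": "carol", "event": "mfa.factor.enrolled", "factor": "push"}
{"ts": "2023-11-16T11:00:00Z", "user": "dave", "event": "password.reset", "actor": "helpdesk"}
{"ts": "2023-11-16T13:30:00Z", "user": "dave", "event": "mfa.factor.enrolled", "factor": "sms"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per user: report the largest burst of push prompts >= threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa.push.sent":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, pushes in by_user.items():
        best, start = None, 0
        for end in range(len(pushes)):
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["prompts"]):
                burst = pushes[start:end + 1]
                best = {"user": user, "prompts": count,
                        "first": burst[0]["ts"], "last": burst[-1]["ts"],
                        # An approval at the end of a burst is the worst case: the user gave in.
                        "approved_in_burst": any(p["result"] == "approved" for p in burst)}
        if best:
            findings.append(best)
    return findings


def detect_post_reset_enrollment(events, window=timedelta(hours=1)):
    """Pair each password reset with any MFA factor enrolled for the same user soon after."""
    resets = [e for e in events if e["event"] == "password.reset"]
    enrolls = [e for e in events if e["event"] == "mfa.factor.enrolled"]
    findings = []
    for r in resets:
        for e in enrolls:
            if e["user"] == r["user"] and r["ts"] <= e["ts"] <= r["ts"] + window:
                findings.append({"user": r["user"], "reset_by": r.get("actor"),
                                 "reset": r["ts"], "enrolled": e["ts"], "factor": e.get("factor")})
    return findings


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "post_reset_enrollment": detect_post_reset_enrollment(events)}


if __name__ == "__main__":
    for name, items in run().items():
        print(name)
        for finding in items:
            print("  ", finding)
```

On the sample data, alice's six prompts in under three minutes ending in an approval are flagged, bob's two widely spaced approvals are not, and carol's enrollment twelve minutes after a help-desk reset is paired while dave's enrollment hours later is not. The second detection is the one to wire to a help-desk verification step, since it is exactly the sequence an impersonation call produces.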

T1552 Unsecured Credentials

Adversaries search for insecurely stored credentials and private keys in the compromised system. Attackers also use Mimikatz to extract credentials from the system.

Discovery

T1217 Browser Information Discovery & T1539 Steal Web Session Cookie

Scattered Spider uses Raccoon Stealer and VIDAR Stealer malware to extract login credentials, cookies, and browser history.

T1538 Cloud Service Dashboard

Adversaries use the AWS Systems Manager Inventory to discover cloud assets for lateral movement.

T1083 File and Directory Discovery

Scattered Spider enumerates its victim’s Active Directory, SharePoint sites, code repositories, code-signing certificates, and source code to discover files and directories. 

T1018 Remote System Discovery

Adversaries use the victim’s VMware vCenter infrastructure to discover remote services.

Command and Control

T1219 Remote Access Software

Scattered Spider uses publicly available, legitimate remote access tools such as Fleetdeck.io, Level.io, ngrok, Pulseway, ScreenConnect, Splashtop, Tactical RMM, and TeamViewer. These tools allow attackers to maintain persistence and exfiltrate data to adversary-controlled C2 servers.
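Because every tool in that list is legitimate software, the useful control is an allowlist: which remote access tools are approved on which hosts, with anything else treated as a finding. The added example below (not from the advisory or from Picus) evaluates constructed endpoint process-creation events against a per-host approval map and also flags hosts running more than one remote access tool. The executable names mapped to each tool, the host names and the approval map are assumptions for illustration and should be replaced with names taken from the organization's own EDR telemetry.

```python
"""Flag remote access / tunneling tools running where they are not approved (T1219).

Added example; the process-name mapping, hosts, users and approval map are
assumptions, and the process events are constructed.
"""
from collections import defaultdict

# Assumed image names per tool (illustrative, not an authoritative list).
RMM_PROCESS_NAMES = {
    "teamviewer": {"teamviewer.exe", "teamviewer_service.exe"},
    "screenconnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "splashtop": {"srserver.exe", "srmanager.exe"},
    "ngrok": {"ngrok.exe", "ngrok"},
}

# Assumed policy: only the help-desk jump host may run TeamViewer; nothing else anywhere.
APPROVED_RMM = {"HELPDESK-01": {"teamviewer"}}
DEFAULT_APPROVED = set()

# Constructed process-creation events.
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "user": "svc_helpdesk",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "FIN-WS-042", "user": "a.smith",
     "image": r"C:\Users\a.smith\AppData\Local\Temp\ScreenConnect.ClientService.exe"},
    {"host": "FIN-WS-042", "user": "a.smith",
     "image": r"C:\Users\a.smith\Downloads\ngrok.exe"},
    {"host": "FIN-WS-042", "user": "a.smith",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "DEV-LX-07", "user": "builder", "image": "/usr/local/bin/ngrok"},
]


def classify(image_path):
    """Map an image path to a tool family by its base name, or None if not an RMM tool."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for tool, names in RMM_PROCESS_NAMES.items():
        if name in names:
            return tool
    return None


def evaluate(events, approved=APPROVED_RMM):
    """Return unapproved RMM executions and hosts running several RMM tools."""
    unapproved = []
    tools_by_host = defaultdict(set)
    for ev in events:
        tool = classify(ev["image"])
        if tool is None:
            continue
        tools_by_host[ev["host"]].add(tool)
        if tool not in approved.get(ev["host"], DEFAULT_APPROVED):
            unapproved.append({"host": ev["host"], "user": ev["user"],
                               "tool": tool, "image": ev["image"]})
    # Several different remote access tools on one workstation is itself a signal.
    multi = {h: sorted(t) for h, t in tools_by_host.items() if len(t) > 1}
    return {"unapproved": unapproved, "multi_tool_hosts": multi}


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for finding in result["unapproved"]:
        print("unapproved:", finding)
    print("multi-tool hosts:", result["multi_tool_hosts"])
```

The help-desk host's TeamViewer is silent; the finance workstation's ScreenConnect and ngrok and the Linux build box's ngrok are reported, and the finance workstation is additionally listed as running two tools. Matching on base name alone is deliberately simple; pairing it with code-signing publisher and install path checks reduces false positives from renamed binaries.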

Exfiltration

T1567 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Scattered Spider exfiltrates its victim’s data to public and private cloud storage services.

Impact

T1486 Data Encrypted for Impact

Scattered Spider is an affiliate of the BlackCat/ALPHV ransomware group and uses their ransomware payload to encrypt its victim’s files. In recent MGM Casino and Caesars Entertainment attacks, attackers were able to encrypt VMware ESXi servers.

How Does Picus Help Simulate Scattered Spider Attacks?

We also strongly suggest simulating Scattered Spider attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other cybercriminal groups, such as ALPHV, LAPSUS$, and Dragonfly, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for malware used by Scattered Spider Group:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 75742 | BlackCat Ransomware Campaign 2022 | Windows Endpoint |
| 54213 | BlackCat Ransomware Download Threat | Network Infiltration |
| 92332 | BlackCat Ransomware Email Threat | Email Infiltration (Phishing) |
| 37758 | Raccoon Infostealer Download Threat | Network Infiltration |
| 56873 | Raccoon Infostealer Email Threat | Email Infiltration (Phishing) |
| 65914 | Raccoon V2 InfoStealer Download Threat | Network Infiltration |
| 36249 | Raccoon V2 InfoStealer Email Threat | Email Infiltration (Phishing) |
| 97465 | Vidar Infostealer Download Threat | Network Infiltration |
| 57588 | Vidar Infostealer Email Threat | Email Infiltration (Phishing) |

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware used by Scattered Spider and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for malware used by Scattered Spider:

| Security Control | Signature ID | Signature Name |
|---|---|---|
| CheckPoint NGFW | 0962429DB | HEUR:Trojan-Ransom.Win32.Generic.TC.647eHCzo |
| CheckPoint NGFW | 0882B5C95 | Trojan.Win32.BlackCatALPHV.TC.134fnYwT |
| CheckPoint NGFW | 0AF5F7C96 | Ransomware.Linux.BlackCat.TC.b8d9TO |
| CheckPoint NGFW | 0AF5F7C96 | Ransomware.Linux.BlackCat.TC.b8d9TOgB |
| CheckPoint NGFW | 0D15AEC44 | Ransomware.Linux.BlackCat.TC.3d12uqbo |
| CheckPoint NGFW | 0A8007D7B | Ransomware.Win32.BlackCat.TC.c681NEmB |
| CheckPoint NGFW | 0A8007D7B | Ransomware.Win32.BlackCat.TC.c681N |
| CheckPoint NGFW | 08BDE47DE | Ransomware.Linux.domain.TC.7158tHvN |
| CheckPoint NGFW | 0AD912491 | Trojan.Win32.TS_RAT.Win32.Quasar.TC.e4d2mUML |
| CheckPoint NGFW | 09FD30024 | Trojan.Win32.HEUR:Trojan-Ransom.Win32. |
| CheckPoint NGFW | 08957F91F | Trojan.Win32.HEUR:Trojan-Spy.MSIL.Stealer.gen.TC.4bf4yOqX |
| CheckPoint NGFW | 0AE3376DF | Trojan.Win32.Raccoonstealer.TC.ta |
| CheckPoint NGFW | 09FADC652 | Trojan.Win32.HEUR:Backdoor.Win32.Tofsee.gen.TC.aff2iikw |
| CheckPoint NGFW | 0E586AA50 | Trojan.Win32.Raccoonstealer.TC.sy |
| CheckPoint NGFW | 08FEDD997 | Trojan.Win32.Trojan-PSW.Win32.Coins.acno.TC.b7d6VmaW |
| CheckPoint NGFW | 0A4B7BE79 | Trojan.Win32.Trojan-PSW.Win32.Coins.acno.TC.0b38kyUp |
| CheckPoint NGFW | 0A4B7BE79 | Trojan.Win32.Trojan-PSW.Win32.Coins.acno.TC.0b38kyUp |
| CheckPoint NGFW | 0C98151BB | Trojan.Win32.Trojan-PSW.Win32.Coins.a |
| CheckPoint NGFW | 0FE43476E | TS_Banker.Win32.Vidar.TC.b1ecVMvM |
| CheckPoint NGFW | 0C7C44AF2 | TS_Banker.Win32.Vidar.TC.4a0bRJyq |
| CheckPoint NGFW | 0D3BAB249 | TS_Banker.Win32.Vidar.TC.8eb6MJoU |
| CheckPoint NGFW | 0E01528B3 | Vidar.TC.dkbf |
| CheckPoint NGFW | 0A3053DE0 | TS_Banker.Win32.Vidar.TC.fd66GjKs |
| CheckPoint NGFW | 0A8AE7FAE | TS_Banker.Win32.Vidar.TC.b103IQMv |
| CheckPoint NGFW | 092D7EFF9 | TS_Banker.Win32.Vidar.TC.2613AMvm |
| CheckPoint NGFW | 0ECF01A38 | Vidar.TC.dkbr |
| CheckPoint NGFW | 0A28E35CD | TS_Banker.Win32.Vidar.TC.eb3bGDuS |
| CheckPoint NGFW | 0CF5061A7 | TS_Banker.Win32.Vidar.TC.9398fmvF |
| Cisco Firepower | | W32.Auto:24499fbfd8.in03.Talos |
| Cisco Firepower | | Auto.3C5120A6E8.malicious.tht.Talos |
| Cisco Firepower | | W32.Auto:624b7ae8be.in03.Talos |
| Cisco Firepower | | W32.Auto:012e38.in03.Talos |
| Cisco Firepower | | W32.Auto:47f3c8.in03.Talos |
| Cisco Firepower | | W32.Auto:048c01.in03.Talos |
| Cisco Firepower | | W32.Auto:022432.in03.Talos |
| Cisco Firepower | | W32.66162E69CA-100.SBX.TG |
| Cisco Firepower | | W32.D71F81EDF8-95.SBX.TG |
| Cisco Firepower | | W32.42C6950CA5-95.SBX.TG |
| Cisco Firepower | | W32.Auto:2679fa8e9f.in05.Talos |
| Cisco Firepower | | Possible_HPGen:GenKryptik-tpd |
| Cisco Firepower | | W32.DAD5FCEAB0-95.SBX.TG |
| Cisco Firepower | | Win.Dropper.Generic::1201 |
| Cisco Firepower | | W32.9EC586B079-95.SBX.TG |
| Forcepoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 58991 | W32/PossibleThreat |
| Fortigate AV | 7909784 | W32/Filecoder.A!tr.ransom |
| Fortigate AV | 62183 | PossibleThreat |
| Fortigate AV | 10023911 | W32/Kryptik.EAT!tr |
| Fortigate AV | 2193347 | W32/Agent.OOQ!tr |
| Fortigate AV | 8027021 | W32/GenKryptik.DDSI!tr.pws |
| Fortigate AV | 1104576 | W32/Agent.OFF!tr.pws |
| McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 459475016 | trojan/Win32 EXE.filecoder.anj |
| Palo Alto | 577823691 | trojan/Win32.artemis.anww |
| Palo Alto | 409075248 | trojan/Win32 EXE.kryptik.badtb |
| Palo Alto | 409078323 | trojan/Win32 EXE.kryptik.badrt |
| Palo Alto | 453434723 | trojan/Win32 EXE.kryptik.badrs |
| Palo Alto | 491283974 | trojan/Win32.coins.amb |
| Palo Alto | 219847215 | Trojan-Psw/Win32.tepfer.cjaq |
| Palo Alto | 219847299 | GenericRXGT/Win32.pr.ed |
| Palo Alto | 218480952 | GenericRXGQ/Win32.su.eo |
| Palo Alto | 219847212 | GenericRXGQ/Win32.su.ej |
| Palo Alto | 219847308 | GenericRXGQ/Win32.su.eq |
| Palo Alto | 219847125 | GenericRXGQ/Win32.su.ei |
| Palo Alto | 219846795 | GenericRXGQ/Win32.su.ek |
| Palo Alto | 219847296 | GenericRXGQ/Win32.su.ep |
| Palo Alto | 219846783 | GenericRXGQ/Win32.su.eh |
| Palo Alto | 219847305 | GenericRXGQ/Win32.su.er |
| Snort | 1.49570.1 | MALWARE-OTHER Windows Management Instrument |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] “Scattered Spider,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a. [Accessed: Nov. 17, 2023]