Insights of a Dangerously Proficient Social Engineering Group, Scattered Spider
Category: Threat Actor Activity | Industry: Global | Source: CISA
In a joint cybersecurity advisory, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) addressed the recent activities of Scattered Spider threat actors, also tracked as Starfraud, UNC3944, Scatter Swine, and Muddled Libra. This proficient threat group overlaps with the group Microsoft tracks as Octo Tempest. Scattered Spider's prowess lies in advanced social engineering techniques, as detailed by CISA: "Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA)."
Recent engagement tactics of the group involve masquerading as IT support or helpdesk staff to deceive targeted organizations' employees. Through phone calls or SMS messages, threat actors attempt to acquire credentials or MFA codes, or to convince victims to install remote access software. Alternatively, MFA fatigue attacks are employed to overwhelm targets with excessive notification prompts. Following successful phishing attempts, Scattered Spider registers its own MFA devices or creates new accounts for persistence, gaining control over identity providers and achieving privilege escalation.
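The two behaviours described above, a burst of MFA push prompts followed shortly by a new MFA device being registered, are both visible in identity provider logs. The following is an added detection example, not code from the advisory or from any vendor; it runs over constructed sample log lines in an assumed three-field format (`timestamp user event`) and uses assumed tuning values (five pushes in five minutes, enrollment within thirty minutes of a burst) that a team would adjust to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the advisory). Format assumed:
# "<ISO-8601 timestamp> <user> <event>", one event per line.
SAMPLE_LOG = """\
2023-11-16T09:00:05Z alice mfa_push_sent
2023-11-16T09:00:20Z alice mfa_push_denied
2023-11-16T09:00:41Z alice mfa_push_sent
2023-11-16T09:01:02Z alice mfa_push_denied
2023-11-16T09:01:15Z alice mfa_push_sent
2023-11-16T09:01:30Z alice mfa_push_sent
2023-11-16T09:01:44Z alice mfa_push_sent
2023-11-16T09:02:10Z alice mfa_push_approved
2023-11-16T09:04:00Z alice mfa_device_enrolled
2023-11-16T09:05:00Z bob mfa_push_sent
2023-11-16T09:05:20Z bob mfa_push_approved
2023-11-16T10:30:00Z carol mfa_device_enrolled
"""

# Assumed tuning values; a real deployment would derive these from its own baseline.
PUSH_THRESHOLD = 5                      # pushes inside PUSH_WINDOW that count as a burst
PUSH_WINDOW = timedelta(minutes=5)
ENROLL_FOLLOWUP = timedelta(minutes=30)  # enrollment this soon after a burst is suspicious


def parse_log(text):
    """Parse the constructed log format into a time-sorted list of (ts, user, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def find_push_bursts(events, threshold=PUSH_THRESHOLD, window=PUSH_WINDOW):
    """Return {user: time the burst was first detected} for users who received
    at least `threshold` push prompts inside any sliding window of `window`."""
    pushes = defaultdict(list)
    for ts, user, event in events:
        if event == "mfa_push_sent":
            pushes[user].append(ts)
    bursts = {}
    for user, times in pushes.items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window` of t.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold and user not in bursts:
                bursts[user] = t
    return bursts


def find_suspicious_enrollments(events, bursts, followup=ENROLL_FOLLOWUP):
    """MFA device enrollments that occur within `followup` after that user's push burst,
    i.e. the persistence step the advisory describes following a successful prompt."""
    flagged = []
    for ts, user, event in events:
        if event == "mfa_device_enrolled" and user in bursts:
            if timedelta(0) <= ts - bursts[user] <= followup:
                flagged.append((user, ts))
    return flagged


def analyze(text):
    """Run both detections over a log and return the findings."""
    events = parse_log(text)
    bursts = find_push_bursts(events)
    return {
        "push_bursts": bursts,
        "suspicious_enrollments": find_suspicious_enrollments(events, bursts),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample, `alice` receives five pushes in under two minutes, approves the last one, and enrolls a new device three minutes later, so both rules fire; `bob` and `carol` trigger nothing because a single push or an isolated enrollment is routine. The two signals are kept separate so that a burst alone can be triaged as attempted push bombing even when no enrollment follows.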
Scattered Spider's technical adeptness extends to the AWS cloud, where the group uses information from AWS Systems Manager to identify hosts, plans paths for lateral movement, and deploys new Amazon EC2 instances. Various legitimate remote monitoring and management tools are utilized, including Fleetdeck.io, Level.io, Pulseway, ScreenConnect, Splashtop, Tactical.RMM, and TeamViewer. Additional intrusion tools highlighted include Mimikatz for credential access and Ngrok for establishing network tunnels. While data exfiltration is the group's primary goal, Scattered Spider occasionally deploys ALPHV/Blackcat ransomware, signifying affiliation with a notorious ransomware group.
Interestingly, the threat actors actively monitor the victim organization's various lines of communication, homing in on signs that their intrusion has been identified. "The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses," CISA explains.
The technical details outlined in CISA's advisory are offered to guide the defensive strategies organizations should follow to safeguard their networks. Notably, robust implementation of MFA is strongly recommended to defend against social engineering attacks. Recent session hijacking attempts that exploited the compromise of Okta's Case Support Management System were successfully thwarted by BeyondTrust and Cloudflare thanks to their robust MFA controls, with Cloudflare opting for hardware tokens and BeyondTrust mandating Okta Verify for access to its admin console.