Scattered Spider traps 100+ victims in its web as it moves into ransomware


Scattered Spider, the crew behind at least one of the recent Las Vegas casino IT security breaches, has already hit some 100 organizations during its so-far short tenure in the cybercrime scene, according to Mandiant.

Further, as also witnessed in the ongoing MGM Resorts network outage, the gang, known for its social-engineering-based attacks, is now throwing data-stealing ransomware at victims, too.

In its analysis this week into Scattered Spider's evolving tactics, Mandiant says the "expansion in the group's monetization strategies" began in mid-2023. That write-up should be useful for IT defenders: it details mitigations, advice, and indicators of compromise to look out for.

The Google-owned threat intel firm tracks Scattered Spider as UNC3944. Its comments on the crime gang are important because Mandiant is one of the top incident response teams called in to clean up the messes made by such high-profile intruders.

"These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand," the report says. "Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services."

Scattered Spider, which has been around for about two years, is a US-UK-based Lapsus$-like gang that specializes in SMS phishing and phone-based social engineering, which it uses to steal login credentials belonging to employees of targeted organizations or otherwise sneak into the IT networks of its targets without permission.

In one of the group's first major phishing campaigns in 2022, dubbed Oktapus, the criminals initially went after employees of Okta customers, targeting as many as 135 orgs — IT, software development and cloud services providers based in the US.

First, Scattered Spider sent text messages to the employees with malicious links to sites spoofing their company's authentication page. This allowed the gang to steal some 9,931 user credentials and 5,441 multi-factor authentication codes, we're told.

Just last month, the crew targeted more Okta customers, this time putting in phone calls to the victims' IT service desks to trick support workers into changing the passwords and/or obtaining or resetting multi-factor authentication (MFA) codes for employees with high privileges, allowing the miscreants to gain access to those people's valuable accounts.
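One way a defender can surface the help-desk MFA-reset pattern described above is to correlate identity-provider events: a privileged account whose MFA factor is reset by someone other than the user, followed shortly by a sign-in from a network location that account has never used. This is an added example, not code from the article or from Mandiant's report; the log format, the `helpdesk` actor name and the privileged-account list are constructed for illustration.

```python
"""Correlate third-party MFA resets with follow-on sign-ins for privileged users.

Added example (not from the article or Mandiant's report). The log format
below is constructed for this example and is not a real IdP schema.
"""
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events: timestamp, event, user, actor, source IP.
# alice is the only privileged user; her MFA is reset by 'helpdesk' and the
# account then signs in from an IP she has never used, which should be flagged.
SAMPLE_LOG = """\
2023-09-12T08:55:00 user.session.start alice alice 203.0.113.10
2023-09-12T09:00:00 user.mfa.factor.reset alice helpdesk 198.51.100.7
2023-09-12T09:12:00 user.session.start alice alice 198.51.100.7
2023-09-12T09:30:00 user.mfa.factor.reset bob helpdesk 198.51.100.7
2023-09-12T11:45:00 user.session.start bob bob 203.0.113.22
"""

PRIVILEGED = {"alice"}          # assumption: the set of high-privilege accounts
WINDOW = timedelta(hours=1)     # how soon after a reset a new sign-in is suspicious


def parse(log: str):
    """Parse the constructed space-separated log into sorted event tuples."""
    events = []
    for line in log.splitlines():
        ts, event, user, actor, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user, actor, ip))
    return sorted(events)


def find_suspicious_resets(log: str, privileged=PRIVILEGED, window=WINDOW):
    """Return (user, reset_time, login_time, ip) for privileged accounts whose
    MFA was reset by someone else and which then signed in, within `window`,
    from an IP the account had not used before the reset."""
    known_ips = defaultdict(set)   # user -> IPs seen so far
    pending = {}                   # user -> time of latest third-party MFA reset
    hits = []
    for ts, event, user, actor, ip in parse(log):
        if event == "user.mfa.factor.reset" and actor != user and user in privileged:
            pending[user] = ts
        elif event == "user.session.start":
            reset_at = pending.get(user)
            if reset_at and ts - reset_at <= window and ip not in known_ips[user]:
                hits.append((user, reset_at, ts, ip))
            known_ips[user].add(ip)
    return hits
```

Running `find_suspicious_resets(SAMPLE_LOG)` flags alice's 09:12 sign-in from 198.51.100.7, while bob is ignored because he is not in the privileged set and his later sign-in falls outside the window anyway.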

Gone phishing

Mandiant said it has identified three different phishing kits used by Scattered Spider. One, named "Eightbait", which was widely used between late 2021 and mid-2022, can send harvested credentials to an attacker-controlled Telegram channel and deploy the remote-desktop tool AnyDesk to a victim's system.

Then, beginning in the third quarter of 2022, Mandiant said Scattered Spider began using a new kit that it built using scraped copies of targeted companies' authentication pages. "Notably, this kit has been used in some of the recent intrusions that led to extortion attempts," the threat intel team said.

Finally, in mid-2023, a third phishing kit emerged that Mandiant says the crew uses in parallel with the second iteration. Both are similar, but "minor changes to the kit's code suggest that the template used by the second kit was most likely retrofitted into a new tool," according to Mandiant.

Once the gang has broken in, Scattered Spider uses legitimate everyday software to explore and monitor the network, and spends a good deal of time hunting for anything to help escalate privileges and maintain persistence in its victims' IT environments. Mandiant detailed two examples in its write-up:

The crew has also tried to vacuum up credentials stored in private GitHub repositories using publicly available tools, such as Trufflehog and GitGuardian, and in at least one case it used the open source Azure penetration-testing tool MicroBurst to steal credentials from an Azure tenant.

Scattered Spider has also used infostealers such as Ultraknot and other data miners including Vidar and Atomic to steal credentials, we're told.

Moving into ransomware

Earlier this year, the crew began deploying ransomware in victims' environments, signaling a shift in its extortion attacks. Scattered Spider reportedly used this tactic in the recent MGM Resorts intrusion. The gang claimed to have encrypted more than 100 ESXi hypervisors in that attack, and according to Mandiant the crew is an ALPHV affiliate.

ALPHV, also known as BlackCat, is a ransomware-as-a-service (RaaS) operation that rents its malware out to other criminals like Scattered Spider.

"ALPHV operates as a RaaS and we have observed UNC3944 deploy this ransomware," Mandiant's threat intel team told The Register. "In these partnerships, the operators of the ransomware will typically provide builds to its affiliates to deploy along with other related support services such as infrastructure that allows easy management of victims and extortion support (e.g. DDoS)."

And, we're told, the phishing-turned-ransomware gang is unlikely to stop there. As Mandiant noted in its blog: "We expect that intrusions related to UNC3944 will continue to involve diverse tools, techniques, and monetization strategies as the actors identify new partners and move between different communities." ®