In response to increased attacks on commercial facilities, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) on Scattered Spider.
The CSA includes tactics, techniques, and procedures (TTPs) Scattered Spider is known to have used as recently as November 2023, as well as measures organizations can take to mitigate the risk posed by this threat actor.
Scattered Spider, also called 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.
While the group mainly relies on phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping, it's also known to violently threaten and/or social engineer network administrators into providing initial access. After gaining a foothold on the target network, Scattered Spider employs a wide range of publicly available software tools for reconnaissance and lateral movement.
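MFA bombing is one of the TTPs above that leaves a clear trace in authentication logs: a burst of push prompts to one account, a run of denials, and often a final approval from a worn-down user. The script below is an added example written for this summary, not code from the advisory or from Field Effect's Covalence; the log format, the event names (push_sent, push_denied, push_approved), and the sample records are all constructed for illustration, so a real deployment would map its own identity provider's event types onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not taken from any real environment).
# Each line is "<ISO-8601 timestamp> <user> <event>", where event is one of
# push_sent, push_denied or push_approved (assumed names, not a vendor schema).
SAMPLE_LOG = """\
2023-11-16T02:14:01Z alice push_sent
2023-11-16T02:14:03Z alice push_denied
2023-11-16T02:14:30Z alice push_sent
2023-11-16T02:14:33Z alice push_denied
2023-11-16T02:15:02Z alice push_sent
2023-11-16T02:15:05Z alice push_denied
2023-11-16T02:15:40Z alice push_sent
2023-11-16T02:15:42Z alice push_denied
2023-11-16T02:16:10Z alice push_sent
2023-11-16T02:16:15Z alice push_approved
2023-11-16T09:00:00Z bob push_sent
2023-11-16T09:00:04Z bob push_approved
2023-11-16T11:30:00Z carol push_sent
2023-11-16T11:30:20Z carol push_denied
2023-11-16T11:31:00Z carol push_sent
2023-11-16T11:31:05Z carol push_approved
"""


def parse(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def sessions(events, gap):
    """Split one user's time-ordered events into bursts: a new burst starts
    whenever the silence between consecutive events exceeds `gap`."""
    current = []
    for ev in events:
        if current and ev[0] - current[-1][0] > gap:
            yield current
            current = []
        current.append(ev)
    if current:
        yield current


def detect_push_fatigue(text, gap=timedelta(minutes=5), threshold=3):
    """Flag users who received at least `threshold` push prompts in one burst.

    Returns {user: {"prompts", "denials", "approved_after_denials", "severity"}}.
    A burst that ends in an approval after earlier denials is rated "high":
    that is the shape of a user giving in to repeated prompts.
    """
    by_user = defaultdict(list)
    for ts, user, event in parse(text):
        by_user[user].append((ts, event))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        for burst in sessions(evs, gap):
            prompts = sum(1 for _, e in burst if e == "push_sent")
            if prompts < threshold:
                continue
            denials = sum(1 for _, e in burst if e == "push_denied")
            gave_in = denials > 0 and burst[-1][1] == "push_approved"
            alerts[user] = {
                "prompts": prompts,
                "denials": denials,
                "approved_after_denials": gave_in,
                "severity": "high" if gave_in else "medium",
            }
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {info}")
```

With the sample data only alice is flagged (five prompts, four denials, then an approval), while bob's single prompt and carol's two prompts stay under the threshold. Tuning the gap and threshold to the normal prompt rate of the environment is what separates a useful alert from noise; a "high" finding is also the case where a help-desk password or MFA reset should be reviewed, since the CSA describes the group combining these prompts with help-desk social engineering.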
It has also been observed deploying WarZone RAT, Raccoon Stealer, and Vidar Stealer malware to harvest login credentials, cookies, and other sensitive data from compromised devices. Recently, at least one Scattered Spider affiliate was observed deploying ALPHV/BlackCat ransomware and using BlackCat’s TOR leak site to facilitate payment from the victim.
Adding to Scattered Spider’s boldness, the threat actor is known to join incident remediation and response calls, likely to understand how security teams are hunting them to then proactively develop new avenues of intrusion.
Given Scattered Spider’s boldness and history of high-profile attacks on prominent organizations such as Okta, MGM and Caesars casinos, MailChimp, Twilio, DoorDash, and Riot Games, it’s not surprising the FBI/CISA issued a CSA to help counter the threat this group poses.
Unfortunately, Scattered Spider’s wide range of TTPs makes it a difficult threat to defend against.
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for emerging threat actors like Scattered Spider. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the risk posed by threat actors. Covalence users are automatically notified when known TTPs of threat actors are detected in their environment and are encouraged to review the resulting AROs as quickly as possible.
Field Effect encourages users to familiarize themselves with this CSA and to adhere to the mitigative strategies contained within. Additionally, Field Effect recommends that organizations make users aware of social engineering and phishing techniques and encourage them to report any incidents to IT administrators as soon as possible.