Scattered Spider is adopting new tactics and tools outlined in an updated joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and partners published Tuesday.

New ransomware use, abuse of Snowflake cloud access and updated social-engineering methodology were among the additions to the advisory, which was originally published in November 2023.

“As security teams harden identity flows and respond to previously documented tactics, the group adapts, pivoting toward virtualized infrastructure (especially ESXi and Azure Virtual Desktop) and blending cloud and on-prem access to complete their mission,” Permiso Chief Technology Officer Ian Ahl told SC Media in an email. “We’ve seen them deploy ransomware directly against virtual infrastructure, adding pressure beyond extortion alone.”

The latest advisory is co-authored by CISA, the Federal Bureau of Investigation (FBI), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS) and the United Kingdom’s National Cybersecurity Centre (NCSC-UK).

Scattered Spider uses data theft and extortion, as well as ransomware deployment, in its financially motivated attacks. The group was behind the high-profile MGM International and Caesars Entertainment attacks in 2023, when it deployed ransomware from the now-defunct ALPHV/BlackCat ransomware-as-a-service (RaaS) gang.

Scattered Spider heavily uses social engineering as an initial attack vector, historically leveraging impersonation of IT or helpdesk staff, voice phishing, SMS phishing and use of remote access tools, as well as multi-factor authentication (MFA) “push bombing” and SIM swapping to steal credentials and gain access.

More recently, Scattered Spider has been posing as employees and reaching out to organizations’ IT and helpdesk staff requesting password resets, MFA device transfers and sensitive information as an additional access vector, the updated advisory notes.

“They’re skipping phishing entirely in many cases and going straight to impersonating employees over the phone. And they’re good at it; armed with enough context to sound convincingly like a real user, they’re able to persuade help desks into transferring and resetting MFA tokens. This approach bypasses technical controls by targeting human ones,” Ahl noted.

In addition to deploying DragonForce ransomware, the new ransomware noted in the update, Scattered Spider has also adopted the use of a malicious remote access trojan called RattyRAT to help establish persistence, maintain stealth and perform reconnaissance on target machines.

The group has further begun misusing the legitimate tools Teleport.sh and AnyDesk to facilitate remote access, in addition to tools such as Fleetdeck.io, ScreenConnect, Splashtop and TeamViewer that it has been known to use in the past.

For data exfiltration, Scattered Spider has recently abused organizations’ Snowflake access to pull large volumes of data out at once, and has been observed exfiltrating data to the storage services mega.nz and Amazon S3 in recent cases.

In the past, Scattered Spider has been known to monitor an organization’s response to its intrusion, including by searching the environment’s communication channels for conversations about the security response and even joining calls and teleconferences related to the incident to learn how the target is responding.

Researchers have further found that the group bolsters its persistence, and its ability to track an organization’s response without detection, by creating new identities in the victim’s environment and creating fake social media profiles to reduce suspicion about those identities.

The group also uses proxy networks and rotates machine names to further evade an organization’s security response, according to the updated advisory.

CISA and partners continue to recommend that organizations prioritize implementing application controls, monitoring and restricting the use of remote access tools, and using phishing-resistant MFA methods such as FIDO/WebAuthn to mitigate intrusions by Scattered Spider and similar threat actors.

A new recommended mitigation in the latest update is to enhance monitoring for account misuse, such as suspicious sign-ins and repeated sign-in attempts, that could indicate malicious activity.
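The following is an added example, not code from the advisory, SC Media or Permiso, of what the monitoring recommended above can look like when combined with the earlier points about helpdesk-driven password resets and MFA device transfers, MFA push bombing, and misuse of remote access tools. It runs three detections over a constructed set of identity and endpoint audit events: a successful sign-in from a never-seen device shortly after a helpdesk-initiated reset or MFA change, a burst of denied MFA pushes, and the start of a remote access tool that is not on the organization’s allow-list. The event schema, field names, thresholds, and the allow-list are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote access tools the advisory names as abused by Scattered Spider.
REMOTE_TOOLS = {"teleport", "anydesk", "fleetdeck", "screenconnect", "splashtop", "teamviewer"}
# Hypothetical organisational allow-list: only this tool is sanctioned here.
ALLOWED_REMOTE_TOOLS = {"screenconnect"}

RESET_WINDOW = timedelta(minutes=60)   # new-device sign-in this soon after a helpdesk reset is suspect
PUSH_WINDOW = timedelta(minutes=10)    # window for counting denied MFA pushes
PUSH_THRESHOLD = 5                     # denied pushes in the window that count as push bombing


def detect(events):
    """Return a list of (rule, user, timestamp) findings for the given audit events.

    Events are dicts with at least "ts" (ISO 8601), "user" and "type"; other
    fields depend on the type (assumed schema, see SAMPLE_EVENTS below).
    """
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    known_devices = defaultdict(set)    # user -> devices seen in earlier successful sign-ins
    last_reset = {}                     # user -> time of last helpdesk reset / MFA change
    denied_pushes = defaultdict(list)   # user -> timestamps of recent denied MFA pushes

    for e in events:
        t, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["type"]

        if kind in ("password_reset", "mfa_method_added") and e.get("actor") == "helpdesk":
            # Self-service resets are not counted; the advisory's concern is the helpdesk path.
            last_reset[user] = t

        elif kind == "mfa_push_denied":
            recent = [d for d in denied_pushes[user] if t - d <= PUSH_WINDOW] + [t]
            if len(recent) >= PUSH_THRESHOLD:
                findings.append(("mfa_push_bombing", user, e["ts"]))
                recent = []                        # report once per burst
            denied_pushes[user] = recent

        elif kind == "signin_success":
            dev = e["device_id"]
            reset_at = last_reset.get(user)
            if reset_at and t - reset_at <= RESET_WINDOW and dev not in known_devices[user]:
                findings.append(("new_device_after_helpdesk_reset", user, e["ts"]))
            known_devices[user].add(dev)

        elif kind == "process_start":
            name = e["process"].lower()
            tool = next((r for r in REMOTE_TOOLS if r in name), None)
            if tool and tool not in ALLOWED_REMOTE_TOOLS:
                findings.append(("unsanctioned_remote_tool:" + tool, user, e["ts"]))

    return findings


# Constructed sample events (not real telemetry). Timestamps are deliberately out of
# order to show that detect() sorts them first.
PUSH_BASE = datetime(2025, 7, 29, 14, 0, 0)
SAMPLE_EVENTS = [
    {"ts": "2025-07-29T08:00:00", "user": "alice", "type": "signin_success", "device_id": "LAPTOP-A1"},
    {"ts": "2025-07-29T08:30:00", "user": "bob", "type": "signin_success", "device_id": "LAPTOP-B7"},
    # Sanctioned tool on bob's host: no finding.
    {"ts": "2025-07-29T09:00:00", "user": "bob", "type": "process_start", "process": "ScreenConnect.ClientService.exe"},
    # Helpdesk resets alice's password and enrols a new MFA method after a phone call.
    {"ts": "2025-07-29T13:02:00", "user": "alice", "type": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-07-29T13:04:00", "user": "alice", "type": "mfa_method_added", "actor": "helpdesk"},
    # Twenty minutes later "alice" signs in from a device never seen for that account.
    {"ts": "2025-07-29T13:24:00", "user": "alice", "type": "signin_success", "device_id": "DESKTOP-9Z"},
    # ...and a remote access tool that is not on the allow-list starts on that session.
    {"ts": "2025-07-29T13:40:00", "user": "alice", "type": "process_start", "process": "AnyDesk.exe"},
    # Six denied pushes for bob in three minutes, then an approval.
    {"ts": "2025-07-29T14:03:10", "user": "bob", "type": "mfa_push_approved"},
] + [
    {"ts": (PUSH_BASE + timedelta(seconds=30 * i)).isoformat(), "user": "bob", "type": "mfa_push_denied"}
    for i in range(6)
]


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_EVENTS):
        print(f"{ts}  {user:<8} {rule}")
```

Run against the constructed events this reports the new-device sign-in for alice at 13:24, the unsanctioned AnyDesk start at 13:40, and push bombing for bob at the fifth denial (14:02:00); bob's ScreenConnect start and a sign-in from an already-known device after a reset produce nothing. In production the device baseline would come from weeks of sign-in history rather than the same batch of events, and the "helpdesk" actor would be whatever your identity provider records for an administrator-initiated reset.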

“Despite all the tactical shifts, the high-level mission remains unchanged,” Ahl concluded, noting that Scattered Spider consistently follows three main steps: using identity for initial access, leveraging both malicious and legitimate tools to map organizations and identify target systems, and exploiting both cloud and on-premises paths to do the most damage.