FBI, CISA warn of Scattered Spider hackers targeting commercial facilities, adopt social engineering techniques

U.S. security agencies released a joint Cybersecurity Advisory (CSA) regarding Scattered Spider, a cybercriminal group that targets commercial facilities sectors and subsectors. Released Thursday, the advisory offers insights into the tactics, techniques, and procedures (TTPs) employed by the group, which have been gathered through recent Federal Bureau of Investigation (FBI) investigations, including those conducted this month. Scattered Spider hackers are known for their involvement in data theft for extortion, utilizing various social engineering techniques. Additionally, they have recently incorporated the use of BlackCat/ALPHV ransomware alongside their usual TTPs.

Also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, Scattered Spider engages in data extortion and several other criminal activities, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said in their latest advisory to critical infrastructure organizations. These “threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).” 

News agency Reuters reported Thursday that the FBI has struggled to stop a hyper-aggressive cybercrime gang tormenting corporate America over the last two years, according to nine cybersecurity responders, digital crime experts, and victims.

The report added that for more than six months the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment. Dubbed by some security professionals as ‘Scattered Spider,’ the hacking group has been active since 2021, but it grabbed headlines following a series of intrusions at several high-profile American companies.

Citing public reports, the FBI-CISA advisory disclosed that Scattered Spider hackers have been using various tactics to gain unauthorized access to company networks. They have posed as company IT or helpdesk staff through phone calls or SMS messages, tricking employees into sharing their credentials. They have also directed employees to run commercial remote access tools, pretending to be IT staff. 

Another tactic employed by Scattered Spider is convincing cellular carriers to transfer control of a targeted user’s phone number to a SIM card they control. Because the number now terminates on the attacker’s device, any SMS- or voice-call-based MFA codes and password-reset links sent to that number are delivered to the attackers rather than the victim. They have monetized their access to victim networks through methods such as ransomware extortion and data theft. 

Once inside the networks, the FBI has observed Scattered Spider using publicly available and legitimate remote access tunneling tools. The advisory added that “Scattered Spider threat actors have historically evaded detection on target networks by using living-off-the-land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs. Observably, Scattered Spider threat actors have exfiltrated data after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[dot]NZ.” 

The FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration, the guidance disclosed. “After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications. Scattered Spider intrusions often begin with broad phishing and smishing attempts against a target using victim-specific crafted domains,” it added. 

In most instances, Scattered Spider threat actors conduct SIM-swapping attacks against users who respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users who succumbed to the phishing/smishing, obtaining answers to those users’ security questions. 

After identifying usernames, passwords, PII, and conducting SIM swaps, the threat actors then use social engineering techniques to convince IT help desk personnel to reset passwords and/or MFA tokens to perform account takeovers against the users in single sign-on (SSO) environments.

“Scattered Spider threat actors then register their own MFA tokens after compromising a user’s account to establish persistence. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking,” the advisory disclosed. “The threat actors are then able to sign into any account by using a matching SSO account attribute. At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute.” 

As a result, the advisory added, this activity allows the threat actors to perform privilege escalation and continue logging in even when passwords are changed. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools’ remote-shell capabilities and execute commands that elevate their access. They also deploy remote monitoring and management (RMM) tools to maintain persistence.
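The identity-persistence chain described above (help desk resets a user’s password or MFA, the actor enrolls a new MFA factor, then adds a federated identity provider and enables automatic account linking) leaves a distinctive trail in SSO audit logs. The following is an added example of correlation logic for that trail; it is not code from the advisory or from any IdP vendor. The event names, field layout, and the sample audit records are constructed for illustration and must be mapped to the actual log schema of the tenant being monitored.

```python
"""
Added example: correlate SSO audit events for the Scattered Spider
persistence pattern. Event names (user.password.reset, idp.create, ...)
and the SAMPLE_EVENTS records are constructed, not a real vendor schema.
"""
from datetime import datetime, timedelta

# Constructed sample audit log. "actor" performed the action on "target".
SAMPLE_EVENTS = [
    {"ts": "2023-11-16T09:02:10Z", "event": "user.password.reset",   "actor": "helpdesk.agent", "target": "j.doe"},
    {"ts": "2023-11-16T09:03:41Z", "event": "user.mfa.factor.reset", "actor": "helpdesk.agent", "target": "j.doe"},
    {"ts": "2023-11-16T09:11:05Z", "event": "user.mfa.factor.enroll", "actor": "j.doe",         "target": "j.doe"},
    {"ts": "2023-11-16T09:40:22Z", "event": "idp.create",            "actor": "j.doe",         "target": "idp-ext-01"},
    {"ts": "2023-11-16T09:41:00Z", "event": "idp.jit_linking.enable", "actor": "j.doe",        "target": "idp-ext-01"},
    # Benign: reset at 14:00, self-enrollment the next morning (outside the window).
    {"ts": "2023-11-16T14:00:00Z", "event": "user.password.reset",   "actor": "helpdesk.agent", "target": "a.smith"},
    {"ts": "2023-11-17T10:00:00Z", "event": "user.mfa.factor.enroll", "actor": "a.smith",       "target": "a.smith"},
]

RESET_EVENTS = {"user.password.reset", "user.mfa.factor.reset"}
IDP_EVENTS = {"idp.create", "idp.jit_linking.enable"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_reset_then_enroll(events, window=timedelta(hours=1)):
    """Users whose third-party (help desk) reset was followed within `window`
    by a new MFA factor enrollment on the same account. Self-service resets
    (actor == target) are ignored; one alert per user."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    hits, seen = [], set()
    for i, reset in enumerate(ordered):
        user = reset["target"]
        if reset["event"] not in RESET_EVENTS or reset["actor"] == user or user in seen:
            continue
        t0 = parse_ts(reset["ts"])
        for later in ordered[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break  # log is sorted, nothing further can be in the window
            if later["event"] == "user.mfa.factor.enroll" and later["target"] == user:
                hits.append({"user": user, "reset_by": reset["actor"],
                             "reset_at": reset["ts"], "enrolled_at": later["ts"]})
                seen.add(user)
                break
    return hits


def flag_idp_changes(events, recently_reset_users):
    """Every new federated IdP or automatic-linking change is worth an alert on
    its own; raise severity when the actor is an account that was just reset."""
    alerts = []
    for e in events:
        if e["event"] in IDP_EVENTS:
            sev = "critical" if e["actor"] in recently_reset_users else "high"
            alerts.append({"severity": sev, "actor": e["actor"],
                           "event": e["event"], "idp": e["target"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    hits = flag_reset_then_enroll(SAMPLE_EVENTS)
    for h in hits:
        print("reset-then-enroll:", h)
    for a in flag_idp_changes(SAMPLE_EVENTS, {h["user"] for h in hits}):
        print("idp change:", a)
```

The one-hour window and the "ignore self-service resets" rule are tuning choices: a help-desk reset followed by a prompt self-enrollment is exactly what a real user does after a legitimate reset, so this correlation is a triage signal to pair with the source IP, device and geography of the enrollment, whereas any addition of a federated IdP or enabling of automatic linking should page someone regardless of who did it.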

Furthermore, the guidance revealed that “Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and instructions for setting up/logging into Virtual Private Networks (VPN).” 

The advisory detailed that the hackers enumerate the victim’s Active Directory (AD), and perform discovery and exfiltration of the victim’s code repositories, code-signing certificates, and source code. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory to discover targets for lateral movement, then move to both pre-existing and actor-created Amazon Elastic Compute Cloud (EC2) instances.

“To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails or conversations regarding the threat actor’s intrusion and any security response,” the advisory revealed. “The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment and is often upheld with fake social media profiles to backstop newly created identities.”

FBI and CISA encourage critical infrastructure organizations to maintain offline backups of data; enable and enforce phishing-resistant multi-factor authentication (MFA); and implement application controls to manage and control software execution. The mitigation actions align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). Additionally, the agencies recommend exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. 
