US cybersecurity and intelligence agencies have issued a joint advisory about a cybercriminal group known as Scattered Spider, which is known to use sophisticated phishing tactics to infiltrate targets.
“Scattered Spider threat actors often engage in data theft for extortion using multiple social engineering techniques and have recently used BlackCat/ALPHV ransomware alongside their usual TTPs,” the agencies said.
The threat actor, also tracked under the monikers Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944, was the subject of an extensive profile from Microsoft last month, with the tech giant calling it “one of the most dangerous financial criminal groups.”
Considered experts in social engineering, Scattered Spider is known to rely on phishing, MFA prompt bombing, and SIM swapping attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA).
Scattered Spider, like LAPSUS$, is said to be part of a larger Gen Z cybercrime ecosystem that refers to itself as the Com (alternately spelled Comm), which has resorted to violent activity and swatting attacks.
A report from Reuters earlier this week revealed that the US Federal Bureau of Investigation (FBI) knows the identities of at least a dozen members of the cybercrime gang.
One of the notable tricks in its arsenal is impersonating IT and help desk staff over phone calls or SMS messages to target employees and gain elevated access to networks.
Successful initial access is followed by the deployment of legitimate remote access and tunneling tools such as Fleetdeck.io, Ngrok, and Pulseway, as well as remote access trojans and stealers such as AveMaria (aka Warzone RAT), Raccoon Stealer, and Vidar Stealer.
In addition, the English-speaking extortion crew uses living-off-the-land (LotL) techniques to evade detection and navigate compromised networks with the goal of stealing sensitive information in exchange for payment.
“Threat actors often participate in incident remediation and response calls and teleconferences, tend to know how security teams are looking for them, and actively develop new attack methods in response to the victim's defenses,” the agencies said.
As of mid-2023, Scattered Spider has also operated as an affiliate of the BlackCat ransomware gang, monetizing its access to victims for extortion-enabled ransomware and data theft.
The US government encourages companies to implement phishing-resistant MFA, maintain a recovery plan, keep offline backups, and adopt application controls to prevent the execution of unauthorized software on endpoints.
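The MFA prompt-bombing tactic mentioned above leaves a recognisable trace in authentication logs: a burst of push prompts to one user, often a run of denials ending in an approval. The following detection is an added example written for this article, not code from the advisory or the agencies; the log format, field names, and the five-minute/three-prompt thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real logs): timestamp, user, method, result.
SAMPLE_EVENTS = """\
2023-11-16T09:00:05Z alice push DENIED
2023-11-16T09:00:21Z alice push DENIED
2023-11-16T09:00:40Z alice push DENIED
2023-11-16T09:01:02Z alice push DENIED
2023-11-16T09:01:30Z alice push APPROVED
2023-11-16T09:15:00Z bob push APPROVED
2023-11-16T11:30:00Z bob push DENIED
2023-11-16T11:45:00Z bob push APPROVED
"""

def parse_events(text):
    """Parse the assumed '<ts> <user> <method> <result>' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: (largest_burst, approved_after_denials)} for users who
    received at least `threshold` push prompts inside any `window`. The flag
    marks the riskiest pattern: a burst of denials that ends in an approval,
    i.e. the user may have given in to the prompts."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))
    alerts = {}
    for user, seq in per_user.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until the burst fits in `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            burst = seq[start:end + 1]
            if len(burst) >= threshold:
                denials = sum(1 for _, r in burst if r == "DENIED")
                approved_last = burst[-1][1] == "APPROVED" and denials > 0
                prev = alerts.get(user, (0, False))
                alerts[user] = (max(prev[0], len(burst)), prev[1] or approved_last)
    return alerts

if __name__ == "__main__":
    print(detect_push_bombing(parse_events(SAMPLE_EVENTS)))
```

Users flagged with the second value `True` are the ones to contact first, since an approval after repeated denials suggests the prompt flood succeeded.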