November 16, 2023 at 04:56PM
The FBI and CISA have released an advisory on the threat actor known as Scattered Spider. They collaborate with the ALPHV/BlackCat Russian ransomware operation and use social engineering, phishing, and SIM swapping to gain network access. The group consists of young English-speaking members and is known to target large organizations. The FBI knows the identities of some members but has not made any arrests. Mitigations include implementing application controls, monitoring remote access tools, and maintaining backups. Organizations are advised to follow NIST standards for passwords and test their security controls.
Key Takeaways from Meeting Notes:
1. Scattered Spider is a loosely knit hacking collective that collaborates with the ALPHV/BlackCat Russian ransomware operation. They are skilled at social engineering, phishing, MFA fatigue attacks, and SIM swapping to gain initial network access.
2. The group consists of young English-speaking members with diverse skill sets who frequent hacker forums and Telegram channels. Some members are also believed to be part of a loose-knit community involved in cyber incidents and violent acts.
3. Scattered Spider is not a cohesive gang but a network of individuals, which makes it difficult to track. Even so, the FBI knows the identities of at least 12 members, none of whom has been indicted or arrested yet.
4. The group has been involved in high-profile attacks on various organizations, including MGM Casino and Caesars Entertainment. They have used the BlackCat/ALPHV locker to encrypt systems and have targeted companies like MailChimp, Twilio, DoorDash, and Riot Games in the past.
5. Scattered Spider uses a range of tools and tactics, including remote system monitoring and management, credential extraction, remote web server access, and network device remote connection management. They also conduct phishing attacks to install malware like WarZone RAT, Raccoon Stealer, and Vidar Stealer.
6. A new tactic observed in their recent attacks is data exfiltration and file encryption using the ALPHV/BlackCat ransomware. They communicate with victims via messaging apps or email to negotiate ransom payments.
7. Scattered Spider shows particular interest in valuable assets like source code repositories, code-signing certificates, and credential storage. They closely monitor victims’ Slack channels, Microsoft Teams, and Microsoft Exchange emails.
8. Mitigations recommended by the FBI and CISA include implementing application controls and software execution management, deploying phishing-resistant MFA, securing and limiting RDP usage, maintaining offline backups, following strong password practices, regularly patching vulnerabilities, implementing network segmentation, using network monitoring and EDR tools, enhancing email security, and testing security controls against MITRE ATT&CK techniques.
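Two of the mitigations above, detecting MFA fatigue (push-bombing) and monitoring remote access tools, can be turned into simple log checks. The following Python is an added illustration, not code from the FBI/CISA advisory or from the summarized article; the log formats, thresholds, tool names and the approved-tool list are all constructed assumptions, and the sample events are made up to show one push-prompt flood followed by an approval, and one unapproved remote tool launch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical format, not from the
# advisory): a burst of rejected/timed-out MFA pushes for one user, then an
# approval; a second user with normal activity.
SAMPLE_EVENTS = """\
2023-11-16T13:00:05Z user=jdoe result=push_denied src=203.0.113.10
2023-11-16T13:00:41Z user=jdoe result=push_timeout src=203.0.113.10
2023-11-16T13:01:20Z user=jdoe result=push_denied src=203.0.113.10
2023-11-16T13:02:02Z user=jdoe result=push_denied src=203.0.113.10
2023-11-16T13:02:55Z user=jdoe result=push_denied src=203.0.113.10
2023-11-16T13:03:30Z user=jdoe result=push_approved src=203.0.113.10
2023-11-16T13:05:00Z user=asmith result=push_approved src=198.51.100.7
2023-11-16T14:10:00Z user=asmith result=push_denied src=198.51.100.7
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_mfa_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: finding} for users with >= threshold rejected or timed-out
    push prompts inside a sliding window. A push approved shortly after the
    burst is the pattern that matters most, so it raises the severity."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        rejects = [e for e in evs if e["result"] in ("push_denied", "push_timeout")]
        best, start = None, 0
        for end in range(len(rejects)):  # sliding window over rejected prompts
            while rejects[end]["ts"] - rejects[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst_end = rejects[end]["ts"]
        approved_after = any(
            e["result"] == "push_approved" and burst_end <= e["ts"] <= burst_end + window
            for e in evs
        )
        findings[user] = {
            "rejected_prompts": count,
            "window_start": rejects[start]["ts"],
            "approved_after_burst": approved_after,
            "severity": "high" if approved_after else "medium",
        }
    return findings


# Constructed process-start events (hypothetical format) for the remote-tool check.
SAMPLE_PROCESSES = """\
host=ws01 user=jdoe image=C:\\Program Files\\TeamViewer\\TeamViewer.exe
host=ws02 user=asmith image=C:\\Windows\\System32\\notepad.exe
host=ws03 user=jdoe image=C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe
"""
# Assumptions: executable names treated as remote access tools, and the single
# tool this fictional organisation sanctions. Real deployments would maintain
# both lists from their own inventory.
KNOWN_REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe", "screenconnect.clientsetup.exe"}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}


def flag_unapproved_remote_tools(proc_text, known=KNOWN_REMOTE_TOOLS, approved=APPROVED_REMOTE_TOOLS):
    """Return (host, user, exe) for launches of known remote tools not on the approved list."""
    flagged = []
    for line in proc_text.splitlines():
        if not line.strip():
            continue
        # image= is the last field and may contain spaces, so split at most twice
        fields = dict(p.split("=", 1) for p in line.split(" ", 2))
        exe = fields["image"].rsplit("\\", 1)[-1].lower()
        if exe in known and exe not in approved:
            flagged.append((fields["host"], fields["user"], exe))
    return flagged


if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"MFA fatigue: {user} {f}")
    for host, user, exe in flag_unapproved_remote_tools(SAMPLE_PROCESSES):
        print(f"Unapproved remote tool: {exe} on {host} by {user}")
```

The MFA check reports only the largest burst per user and marks it high severity when an approval lands within the same window after the burst, since that is the moment a user has likely given in to the prompts. The remote-tool check is deliberately an allowlist: the advisory's point is that legitimate remote management software is the problem when it is not the organization's own, so anything recognised but unapproved is worth a ticket.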