ACSC publishes updated advisory about Scattered Spider

By Jason Pollock on Jul 30, 2025 2:17PM

The Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) has published an updated advisory about the Scattered Spider cybercriminal group, identifying new tactics and techniques used by the group.

The advisory has been released jointly by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK).

Scattered Spider is a cybercriminal group that targets large companies and their contracted IT help desks. According to the advisory, the group poses as employees to convince IT or help desk staff to hand over sensitive information, reset the impersonated employee's password, and move that employee's MFA enrolment onto a device the attackers control.

The advisory states that the group's threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual tactics, techniques, and procedures (TTPs).

The FBI has identified that Scattered Spider threat actors may exfiltrate data from targeted organisations' systems and then encrypt data on those systems for ransom. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with targeted organisations via Tor, Tox, email, or encrypted messaging applications.

Recent exfiltration destinations include MEGA.NZ and U.S.-based data centres and cloud storage such as Amazon S3.

Now targeting Snowflake for exfiltration and VMware ESXi for encryption

While Scattered Spider initially relied on broad phishing campaigns, the threat actors now run more targeted, multilayered spearphishing and vishing operations.

In many instances, the advisory states, Scattered Spider threat actors now search for a targeted organisation’s Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately.
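The Snowflake pattern the advisory describes (thousands of queries from one identity in a short window) is detectable from query history. The following is an added example, not code from the advisory or from ASD/ACSC: a sliding-window detector run over constructed rows whose field names mirror the columns of Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view (USER_NAME, START_TIME, QUERY_TYPE, ROWS_PRODUCED). The window size and thresholds are assumptions to be tuned against each account's baseline.

```python
"""Burst-query detection for Snowflake-style query history.

Added example; not the advisory's or Snowflake's own code. Rows are shaped
like ACCOUNT_USAGE.QUERY_HISTORY columns; thresholds are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the advisory): tune to the account's baseline.
WINDOW = timedelta(minutes=10)
QUERY_THRESHOLD = 500        # read queries by one user inside WINDOW
ROWS_THRESHOLD = 50_000_000  # rows produced by one user inside WINDOW

# Only read-type queries matter for the exfiltration pattern; USE/SHOW noise is ignored.
# UNLOAD is how Snowflake records COPY INTO <stage>, another bulk export path.
READ_TYPES = {"SELECT", "UNLOAD"}


def flag_query_bursts(rows, window=WINDOW, query_threshold=QUERY_THRESHOLD,
                      rows_threshold=ROWS_THRESHOLD):
    """Return {user: (first_alert_time, queries_in_window, rows_in_window)}.

    For each user, slide a time window over their read queries in start order
    and raise on the first point where either the query count or the rows
    produced inside the window crosses its threshold.
    """
    by_user = defaultdict(list)
    for r in rows:
        if r["QUERY_TYPE"] in READ_TYPES:
            by_user[r["USER_NAME"]].append(r)

    alerts = {}
    for user, user_rows in by_user.items():
        user_rows.sort(key=lambda r: r["START_TIME"])
        in_window = deque()  # rows whose START_TIME is within `window` of the current row
        rows_sum = 0
        for r in user_rows:
            in_window.append(r)
            rows_sum += r["ROWS_PRODUCED"]
            # Evict rows that have fallen out of the window relative to the current row.
            while r["START_TIME"] - in_window[0]["START_TIME"] > window:
                rows_sum -= in_window.popleft()["ROWS_PRODUCED"]
            if len(in_window) >= query_threshold or rows_sum >= rows_threshold:
                alerts[user] = (r["START_TIME"], len(in_window), rows_sum)
                break  # the first crossing is enough for one alert per user
    return alerts


def sample_rows():
    """Constructed rows, not real telemetry: one analyst at a normal pace and one
    compromised service account issuing 1,200 SELECTs in five minutes."""
    base = datetime(2025, 7, 1, 9, 0, 0)
    rows = []
    for i in range(30):  # analyst: one query every two minutes for an hour
        rows.append({"USER_NAME": "ANALYST1", "START_TIME": base + timedelta(minutes=2 * i),
                     "QUERY_TYPE": "SELECT", "ROWS_PRODUCED": 10_000})
    rows.append({"USER_NAME": "SVC_REPORTING", "START_TIME": base,
                 "QUERY_TYPE": "USE", "ROWS_PRODUCED": 0})  # ignored: not a read
    for i in range(1200):  # burst: four queries a second for 300 seconds
        rows.append({"USER_NAME": "SVC_REPORTING", "START_TIME": base + timedelta(seconds=i * 0.25),
                     "QUERY_TYPE": "SELECT", "ROWS_PRODUCED": 100_000})
    return rows


if __name__ == "__main__":
    for user, (when, count, produced) in flag_query_bursts(sample_rows()).items():
        print(f"ALERT {user}: {count} read queries / {produced:,} rows within {WINDOW} at {when}")
```

On the constructed data only SVC_REPORTING fires, at its 500th query, when both the count and the rows-produced thresholds are crossed; the analyst never has more than six queries inside any ten-minute window. In a real deployment the rows come from a query against ACCOUNT_USAGE.QUERY_HISTORY, and the alert should also carry the source IP and client application from that view so responders can see whether the session came from the proxy networks the advisory mentions.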

In more recent incidents, Scattered Spider threat actors may have deployed DragonForce ransomware onto targeted organisations' networks, encrypting VMware ESX integrated (ESXi) hypervisor servers.

To determine if their activities have been detected and to maintain persistence within the compromised system, Scattered Spider threat actors often search a targeted organisation’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails or conversations regarding the threat actors’ intrusion and any security response.

The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and to proactively develop new avenues of intrusion in response to a targeted organisation's defences.

Access to those calls is sometimes achieved by creating new identities in the environment, often backstopped with fake social media profiles. Scattered Spider threat actors consistently use proxy networks and rotate machine names to further hamper detection and response.

Last month, Google and Palo Alto Networks sounded the alarm over Scattered Spider's interest in the aviation sector.

Copyright © nextmedia Pty Ltd. All rights reserved.