The group of threat actors claiming responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox is composed of experts in social engineering, and federal cyber authorities are prodding more victims to come forward.
Scattered Spider, which deploys AlphV ransomware in some of its attacks, uses multiple techniques and tools to gain remote access or bypass multifactor authentication, federal cyber authorities warned in a Thursday advisory.
The FBI and Cybersecurity and Infrastructure Security Agency shared technical details and data gleaned from investigations as recently as this month to help organizations thwart and mitigate attacks. Yet, officials say more information is needed, as a lack of reporting hinders law enforcement’s ability to take action.
Scattered Spider’s high level of activity underscores the importance of prevention and the need for more victim organizations to report cyberattacks to CISA or the FBI, agency officials said.
“If we don’t get detailed, timely and accurate information as to these intrusions, we are not able to take actions on those,” a senior FBI official said Thursday in a media briefing. “The more data that we have coming in, the better we’re able to make those connections and execute actions against those actors.”
Catching the criminals behind Scattered Spider requires more information so law enforcement can identify a mistake that ultimately leads to a takedown, disruption or arrests, according to cybersecurity experts.
These attacks are complex, which makes it difficult, even for government agencies, to collect forensic evidence, said Allan Liska, threat intelligence analyst at Recorded Future.
“Scattered Spider is very skilled, but even the most skilled actors make mistakes,” Liska said. “The more data government agencies can collect from incidents the more likely they are to find those mistakes and arrest the members of Scattered Spider.”
Combination of social, technical skills
The FBI said it recently observed Scattered Spider threat actors encrypting files after exfiltration. The group often intrudes networks of large companies using broad phishing campaigns with victim-specific domains designed to look like legitimate portals for single sign-on services, such as Okta, or IT service desks.
After the threat group identifies the credentials of the most valuable users inside the victim organization and conducts SIM swaps, it convinces IT help desk personnel to reset passwords or MFA tokens in order to take over those users’ single sign-on accounts.
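A defender-side check that matches the phishing pattern described above, written here as an added example and not code from the advisory or from either agency: it scans constructed web-proxy log lines for destination hosts that combine an organization's name with SSO or help-desk wording on a domain the organization does not own. The organization name, allowlist, lure tokens and log format are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed wording that victim-specific lure domains imitate (SSO providers,
# IT service desks). Tune to the providers your organization actually uses.
LURE_TOKENS = ("sso", "okta", "helpdesk", "servicedesk", "mfa", "login")


def registrable_domain(host):
    """Naive eTLD+1: last two labels of a hostname (adequate for .com/.net style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host, org_names, allowlist):
    """True if host combines the org's name with an SSO/help-desk lure token
    on a registrable domain the org does not own (i.e. not in allowlist)."""
    if registrable_domain(host) in allowlist:
        return False
    flat = re.sub(r"[^a-z0-9]", "", host.lower())  # ignore dots and hyphens
    return any(org in flat for org in org_names) and any(tok in flat for tok in LURE_TOKENS)


def flag_proxy_lines(lines, org_names, allowlist):
    """Return (line_number, host) for each log line whose destination looks like
    a victim-specific SSO or help-desk lookalike domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash
        host = urlsplit(parts[2]).hostname or parts[2]
        if is_lookalike(host, org_names, allowlist):
            hits.append((n, host))
    return hits


# Constructed sample proxy log lines in an assumed "<timestamp> <user> <url>" format.
SAMPLE_LOGS = [
    "2023-11-16T09:01:02Z alice https://example.okta.com/login/login.htm",
    "2023-11-16T09:03:17Z bob https://example-sso.com/",
    "2023-11-16T09:05:44Z carol https://helpdesk-example.net/reset",
    "2023-11-16T09:07:01Z dave https://news.example.org/",
]
ORG_NAMES = {"example"}                                    # assumed organization name
ALLOWLIST = {"example.com", "example.org", "okta.com"}     # domains the org legitimately uses

if __name__ == "__main__":
    for line_no, host in flag_proxy_lines(SAMPLE_LOGS, ORG_NAMES, ALLOWLIST):
        print(f"line {line_no}: possible SSO/help-desk lookalike domain {host}")
```

The allowlist check runs before the token match so the organization's real Okta tenant and its own domains are never flagged; only hosts the organization does not own and that mimic its sign-on or help-desk portals are reported.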
The joint advisory from CISA and the FBI includes one of the more in-depth and comprehensive lists of tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) published for a ransomware operation to date, according to Chester Wisniewski, director and global field CTO at Sophos.
The group stands out for the number of tools it uses and the combinations in which it uses them to persistently target victims, Wisniewski said.
“The lesson I take away when I look at Scattered Spider is will Scattered Spider get into my network if they target me? Probably,” Wisniewski said. “They are persistent, they’re tenacious and they’re very creative in their approach. They’re using combinations of social and technical skills.”
Microsoft Threat Intelligence last month described the group, which it identifies as Octo Tempest, as “one of the most dangerous financial criminal groups” currently in operation.
Across attacks observed by or reported to federal cyber authorities, Scattered Spider threat actors used living-off-the-land techniques to evade detection, along with at least 10 legitimate tools, three malware variants and 42 tactics and techniques.
Scattered Spider gained access to one victim’s network within the last couple of weeks via MFA, but the organization quickly identified the malicious activity in its logs and successfully kicked the threat actor out of its network, a senior FBI official said.
Oftentimes, officials get a break in cybercriminal cases when threat actors commit an operational error.
“Anytime you have a group of people running roughshod the way these guys have been through people’s networks, they’re going to make mistakes,” Wisniewski said.
The FBI declined to share details about its ongoing investigation into Scattered Spider’s activities, affiliations or the whereabouts of individuals involved.
“Just because you don’t see actions being taken, it doesn’t mean that there aren’t actions that are being taken,” a senior FBI official said. “It is a significant effort on our part to address them and we’re putting significant resources against it.”