Aflac attack – BankInfoSecurity


Experts Suspect Scattered Spider Is Behind Rash of Recent Insurer Breaches

Image: Aflac

Aflac, the largest U.S. provider of supplemental health insurance, says it’s the latest victim of a coordinated campaign targeting insurance companies in recent weeks. Threat researchers say the attacks could be linked to a single cybercrime group.


“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry,” Aflac said in a U.S. Securities and Exchange Commission filing and public statement about the incident discovered on June 12. Aflac said the incident did not involve ransomware encryption of its IT systems, but did potentially compromise data.

Some experts said recent attacks on Aflac and two Pennsylvania-based insurers have all the hallmarks of cybercrime gang Scattered Spider.

“There are credible details we’ve seen privately and publicly that indicate Scattered Spider has shifted to targeting the insurance industry once again,” said Zach Edwards, threat researcher at security firm Silent Push.

“We believe all companies in this sector should be aware of this targeting and preparing for potential attacks. Last time this sector was targeted, we saw at least 12 companies in the sector under their crosshairs.”

Aflac’s disclosure comes on the heels of attacks on at least two other large U.S. insurers since June 8, including Erie Indemnity Co., which does business as Erie Insurance, and Philadelphia Insurance Companies. Both companies are also continuing to recover from their incidents (see: Two Insurers Say Ongoing Outages Not Ransomware Based).

Like Aflac, those insurers also publicly stated that their incidents – which each involved IT outages as the companies work to contain the intrusions – did not involve ransomware encryption.

While neither Aflac nor the other insurers have publicly named the cybercrime groups believed to be behind their attacks, some security experts are pointing the finger at Scattered Spider because the characteristics of the incidents are consistent with the gang’s attacks.

Scattered Spider is also believed to be behind the recent wave of attacks against retailers, including Marks & Spencer, Co-op and Harrods in the U.K. (see: Retail Sector in Scattered Spider Crosshairs).

“Scattered Spider actors focus on targets with high-value data and low tolerance for downtime, often focusing on multiple targets in a particular industry before shifting to targets in a new industry,” said Cynthia Kaiser, senior vice president of security firm Halcyon’s ransomware research center.

Halcyon in a new report said Scattered Spider uses advanced social engineering-fueled phishing tactics engineered to penetrate hybrid environments, spanning on-premises systems, cloud services and virtual hosts.

Other indications of Scattered Spider include “stealthy privilege escalation and persistence.” That includes abuse of Active Directory Certificate Services, signed vulnerable drivers, credential dumping and single sign-on/service accounts to secure system-level access that survives password resets, Halcyon said.

Many of the attacks involve double-extortion and environment-wide disruption: “Within hours, the attackers exfiltrate sensitive data before deploying DragonForce, Qilin, Akira or Play ransomware,” Halcyon said.

Additionally, the gang deploys tools such as AnyDesk, Ngrok and Fleetdeck to maintain covert, persistent connectivity across environments remotely, Halcyon said.

While Scattered Spider is suspected in the attacks, all three insurance companies said ransomware encryption was not involved. “It’s very possible that the attacks were disrupted before they had successfully deployed ransomware, but it’s also possible that Scattered Spider has continued to evolve their attack strategies,” Edwards said.

“Some ransomware groups have been known to exfiltrate data instead, choosing not to try encryption or locking down of resources, and merely try to blackmail companies for payments based on the threat of exposing their private information,” he said.

Also, “it is important to note that not every Scattered Spider attack includes encrypting systems,” Kaiser said. “While they have partnered with various ransomware groups, their campaigns really center around data theft, extortion and reselling initial access.”

Until additional details are made public, companies targeted by Scattered Spider should assume that there may be many ways the group will try to monetize its access that might not be inherently destructive, Edwards said.

“Currently, however, their initial attacks are focused on targeting customer support and help desks, and so following the principle of hardening the perceived ‘weakest link in the chain’ remains a recommended strategy to help prevent follow-on attacks from occurring.”

In its statement, Aflac said it identified suspicious activity on its network in the U.S. on June 12 and “promptly initiated our cyber incident response protocols and stopped the intrusion within hours. Importantly, our business remains operational and our systems were not affected by ransomware.”

As it works with third-party cyber experts in responding to the incident, the company said it continues to serve customers, including underwriting policies and reviewing claims.

“While the investigation remains in its early stages, in the spirit of transparency and care for our customers, we are sharing that our preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to our network,” Aflac said.

The company also has started a review of potentially affected files.

“It is important to note that the review is in its early stages, and we are unable to determine the total number of affected individuals until that review is completed.” Aflac says it has more than 50 million customers worldwide, including market-leading businesses in the United States and Japan. Aflac is the leading provider of medical and cancer insurance in Japan, insuring one in four households.

The potentially compromised files contain claims information, health information, Social Security numbers and other personal information related to customers, beneficiaries, employees, agents and other individuals in the company’s U.S. business, Aflac said.

As the company continues its review of potentially affected information, Aflac is offering individuals who contact its dedicated call center free credit monitoring and identity theft protection, and Medical Shield for 24 months.

Aflac did not immediately respond to Information Security Media Group’s request for additional details about the incident.
