Watch out for these Scattered Spider signs • The Register


The FBI and a host of international cyber and law enforcement agencies on Tuesday warned that Scattered Spider extortionists have changed their tactics and are now breaking into victims’ networks using savvier social engineering techniques, searching for organizations’ Snowflake database credentials, and deploying a handful of new ransomware variants, most recently DragonForce.  

As we’ve seen in the gang’s most recent spate of digital intrusions — first targeting retailers before moving on to insurance companies and the aviation sector — the digital crooks pose as employees locked out of their accounts to convince helpdesk workers to provide sensitive information such as login credentials, reset the employee’s password, or transfer the employee’s multi-factor authentication to a device controlled by the org.

But while some of the cybercrime crew’s tactics, techniques, and procedures remain consistent, they often change them to remain undetected, the joint advisory says. “The authoring organizations encourage critical infrastructure organizations and commercial facilities to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Scattered Spider malicious activity.”

Now, Scattered Spider has also added legitimate software, including Teleport and AnyDesk for remote access to local systems and network devices, to its repertoire, as well as a couple of new malware strains, the report warned.

These include RattyRAT, a Java-based remote access trojan used for long-term, stealthy access and internal reconnaissance. The miscreants’ ransomware du jour is DragonForce, according to the feds. This is the variant Scattered Spider used to infect US and UK retailers earlier this spring.

The criminals don’t always deploy ransomware, however. Sometimes after gaining initial access to a victim’s IT systems, Scattered Spider goes straight to data theft, skipping encryption altogether, exfiltrating sensitive files, and then threatening to release them if the victim company doesn’t pay a hefty sum.

“Recently, this includes exfiltration to multiple sites including MEGA[.]NZ and US-based data centers such as Amazon S3,” the FBI noted.

The security bulletin also lists some new domains used by the crew: typically the targeted organization’s name appended with either a -helpdesk or a type of single sign-on service to make it appear more legit. Lately, these include:

  • targetsname-cms[.]com
  • targetsname-helpdesk[.]com
  • oktalogin-targetcompany[.]com
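As an added example (not part of the advisory or The Register’s article), here is a small Python check that scans DNS-query log lines for the naming patterns listed above and flags lookalike domains built from the organisation’s name. The org name, keyword lists, log format and sample lines are all assumptions constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Keywords the advisory says are joined to the target's name.
HELPDESK_WORDS = ("helpdesk", "servicedesk", "cms", "support")
SSO_WORDS = ("okta", "oktalogin", "sso", "login", "duo", "onelogin", "signin")

def lookalike_pattern(domain: str, org: str) -> Optional[str]:
    """Return which advisory pattern `domain` matches for `org`, or None.

    Patterns: <org>-helpdesk, <org>-cms, <sso-keyword>-<org> (with or
    without the hyphen). Defanged names like example[.]com are accepted.
    """
    host = domain.lower().replace("[.]", ".").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]            # second-level label; assumes a single-label TLD
    org = org.lower()
    if sld == org:
        return None             # the org's own registrable domain
    for word in HELPDESK_WORDS:
        if sld in (f"{org}-{word}", f"{org}{word}"):
            return f"org-{word}"
    for word in SSO_WORDS:
        if sld in (f"{word}-{org}", f"{word}{org}", f"{org}-{word}"):
            return f"sso:{word}"
    return None

# Assumed log line shape: "<timestamp> <client-ip> query <type> <qname>"
DNS_LOG_RE = re.compile(r"^\S+ (\S+) query \S+ (\S+)$")

def scan_dns_log(lines: Iterable[str], org: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, pattern) for every query to a lookalike domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        client, qname = m.groups()
        pattern = lookalike_pattern(qname, org)
        if pattern:
            hits.append((client, qname.rstrip("."), pattern))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from any real incident
    "2025-07-29T10:01:02Z 10.1.2.3 query A acmecorp.com.",
    "2025-07-29T10:01:09Z 10.1.2.3 query A oktalogin-acmecorp.com.",
    "2025-07-29T10:02:15Z 10.1.2.7 query A acmecorp-helpdesk.com.",
    "2025-07-29T10:03:44Z 10.1.2.9 query A acmecorp-cms.com.",
    "2025-07-29T10:04:01Z 10.1.2.9 query A login.okta.com.",
]

if __name__ == "__main__":
    for client, qname, pattern in scan_dns_log(SAMPLE_LOG, "acmecorp"):
        print(f"{client} -> {qname}  [{pattern}]")
```

A real deployment would feed the same check newly registered domains from a certificate-transparency or passive-DNS feed, which catches the lookalike before any employee resolves it.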

“In many instances, Scattered Spider threat actors search for a targeted organization’s Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately,” the joint security bulletin said. “According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed DragonForce ransomware onto targeted organizations’ networks — thereby encrypting VMware Elastic Sky X integrated (ESXi) servers.”

This echoes a recent technical write-up from Google’s Mandiant Incident Response team, which noted Scattered Spider — Google tracks this crew as UNC3944 — increasingly targeting victims’ ESXi hypervisor layer once they break in. Plus, they do this extremely quickly, which makes the threat they pose more dangerous.

“While traditional actors may have a dwell time of days or even weeks for reconnaissance, UNC3944 operates with extreme velocity; the entire attack chain from initial access to data exfiltration and final ransomware deployment can occur in mere hours,” according to the Mandiant report.

The good news, according to Mandiant Consulting CTO Charles Carmakal, is that the recent Scattered Spider arrests seem to have sent other gang members scurrying into the dark corners of the internet.

“Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the UK, Mandiant Consulting hasn’t observed any new intrusions directly attributable to this specific threat actor,” Carmakal told The Register. “This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly.”

Still, it’s worth noting that law enforcement arrested at least seven Scattered Spider members last year, which slowed their attacks for a while until they roared back into action with several high-profile retail digital heists in April.

“It’s crucial that organizations don’t let their guard down entirely,” Carmakal said. “We are actively seeing other threat actors, like UNC6040, successfully employing similar social engineering tactics as UNC3944. While one group may be temporarily dormant, others won’t relent.”

The agencies also suggest three things organizations can do right now to protect themselves from these pests and others like them.

First, the FBI and friends want companies to maintain offline backups of sensitive data and store them separately from source systems. This can help recover business operations if your files are locked up in a ransomware attack or stolen by extortionists.

Second, turn on, and then enforce, phishing-resistant multifactor authentication (MFA). Finally, implement application controls to manage software execution.

In addition to the FBI and Cybersecurity and Infrastructure Security Agency (CISA) in the US, the report also counted the Royal Canadian Mounted Police, Australian Signals Directorate’s Australian Cyber Security Centre, Australian Federal Police, Canadian Centre for Cyber Security, and UK’s National Cyber Security Centre among its authors.®


