FBI Shares Tactics & Techniques Used by Scattered Spider Hacker Group

In recent months, the Scattered Spider hacking group (aka Starfraud, UNC3944, Scatter Swine, and Muddled Libra) has made news for allegedly attacking the following casino giants:-

The FBI and CISA recently issued a joint Cybersecurity Advisory (CSA) on Scattered Spider threat actors targeting commercial facilities.

FBI Tactics & Techniques

The advisory from the FBI and CISA details the TTPs observed as of November 2023 from Scattered Spider, a sophisticated hacker group that targets large companies.

Scattered Spider is known for data theft and, more recently, for deploying BlackCat/ALPHV ransomware; the agencies urge critical infrastructure organizations to implement the recommended mitigations.

Besides this, the Scattered Spider hacker group is adept at social engineering and uses multiple social engineering techniques like:- 

  • Phishing attacks
  • Push bombing attacks
  • Subscriber identity module (SIM) swap attacks

With the help of these attacks, they obtain credentials and defeat Multi-Factor Authentication (MFA), either by wearing the user down with repeated push prompts or by taking over the phone number that receives one-time codes, and then install remote access tools on the targeted systems.

The FBI notes that Scattered Spider uses legitimate remote access tools once it has gained network access. 
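Push bombing leaves a distinctive trace in identity-provider logs: a burst of denied or timed-out push prompts for one user, sometimes followed by an approval once the user gives in. The detection below is an added example, not code from the FBI/CISA advisory; the log format, field names and thresholds are assumptions chosen for illustration, and the sample events are constructed. Adapt the parser to your IdP's export (Okta System Log, Duo authentication log, Entra ID sign-in log).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IdP push-notification events (not real telemetry).
# Format is an assumption: "<UTC timestamp> <user> <push result>".
SAMPLE_PUSH_LOG = """\
2023-11-16T08:00:05Z alice DENIED
2023-11-16T08:00:21Z alice DENIED
2023-11-16T08:00:40Z alice TIMEOUT
2023-11-16T08:01:02Z alice DENIED
2023-11-16T08:01:35Z alice APPROVED
2023-11-16T08:05:00Z bob APPROVED
2023-11-16T09:10:00Z carol DENIED
2023-11-16T11:30:00Z carol DENIED
"""

# Pushes the user did not approve; a flood of these is the fatigue signal.
UNAPPROVED = {"DENIED", "TIMEOUT"}


def parse_push_log(log: str):
    """Yield (timestamp, user, result) tuples from the assumed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_bombing(log: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {user: severity}.

    'medium': at least `threshold` unapproved pushes inside `window`
              (the user is being bombed).
    'high':   the same burst is followed, inside the window, by an APPROVED
              push: the fatigue attack likely succeeded and the resulting
              session should be treated as compromised.
    """
    by_user = defaultdict(list)
    for ts, user, result in parse_push_log(log):
        by_user[user].append((ts, result))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        fails = [ts for ts, r in events if r in UNAPPROVED]
        for i, start in enumerate(fails):
            # Count unapproved pushes in [start, start + window].
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            approved_after = any(
                r == "APPROVED" and start <= ts <= start + window
                for ts, r in events
            )
            findings[user] = "high" if approved_after else "medium"
            break  # one finding per user is enough to alert on
    return findings


if __name__ == "__main__":
    for user, severity in detect_push_bombing(SAMPLE_PUSH_LOG).items():
        print(f"{severity.upper()}: possible MFA push bombing against {user}")
```

On the constructed sample only alice is flagged, and at high severity, because four unapproved prompts in about one minute end in an approval; carol's two denials hours apart stay below the threshold. A "high" finding is the case to treat as an incident rather than a help-desk ticket: revoke the user's sessions and reset the MFA enrolment before investigating.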

The advisory reflects the U.S. government’s push against ransomware gangs, urging more victims to step forward for enhanced collective information to identify and counter threats.

TTPs used

Here below, we have mentioned all the TTPs that the Scattered Spider hacker group uses:-

Tools Used:

  • Fleetdeck.io – Enables remote monitoring and management of systems.
  • Level.io – Enables remote monitoring and management of systems.
  • Mimikatz [S0002] – Extracts credentials from a system.
  • Ngrok [S0508] – Enables remote access to a local web server by tunneling over the internet.
  • Pulseway – Enables remote monitoring and management of systems.
  • Screenconnect – Enables remote connections to network devices for management.
  • Splashtop – Enables remote connections to network devices for management.
  • Tactical.RMM – Enables remote monitoring and management of systems.
  • Tailscale – Provides virtual private networks (VPNs) to secure network communications.
  • Teamviewer – Enables remote connections to network devices for management.
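Because every tool in this list is legitimate software, signature-based antivirus will not flag it; the practical control is an allowlist of the remote access products your organization has actually sanctioned, with everything else alerted on. The script below is an added example, not code from the advisory: the process-event layout, the marker strings used to recognise each tool in an image path, and the sanctioned set are all assumptions, and the sample events are constructed.

```python
# Constructed process-creation events (not real telemetry). Field layout is
# an assumption: "<host> <user> <image path>"; the path may contain spaces.
SAMPLE_PROCESS_LOG = r"""
ws01 jdoe C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe
ws01 jdoe C:\Users\jdoe\AppData\Local\Temp\ngrok.exe
srv-it svc_rmm C:\Program Files\TeamViewer\TeamViewer_Service.exe
ws02 asmith C:\Windows\System32\svchost.exe
ws03 bnguyen C:\Users\bnguyen\Downloads\tailscale-setup.exe
"""

# Case-insensitive markers for the tools named in the advisory. The strings
# are assumptions about what appears in image paths; tune them against your
# own telemetry. Level.io is omitted because "level" alone is too generic.
RMM_MARKERS = {
    "ScreenConnect": "screenconnect",
    "Splashtop": "splashtop",
    "TeamViewer": "teamviewer",
    "Pulseway": "pulseway",
    "Tactical RMM": "tacticalrmm",
    "Tailscale": "tailscale",
    "ngrok": "ngrok",
    "Fleetdeck": "fleetdeck",
}

# Tools the organisation has actually approved (hypothetical policy).
SANCTIONED = frozenset({"TeamViewer"})


def identify_tool(image_path: str):
    """Return the advisory tool name whose marker appears in the path, or None."""
    lowered = image_path.lower()
    for name, marker in RMM_MARKERS.items():
        if marker in lowered:
            return name
    return None


def find_unsanctioned_rmm(log: str, sanctioned=SANCTIONED):
    """Return [(host, user, tool, path)] for remote access or tunnelling
    tools that are not on the allowlist."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        host, user, path = line.split(maxsplit=2)
        tool = identify_tool(path)
        if tool and tool not in sanctioned:
            hits.append((host, user, tool, path))
    return hits


if __name__ == "__main__":
    for host, user, tool, path in find_unsanctioned_rmm(SAMPLE_PROCESS_LOG):
        print(f"{host}: {user} launched unsanctioned {tool}: {path}")
```

On the constructed sample, TeamViewer on the IT server is ignored because it is sanctioned, while ScreenConnect and ngrok on ws01 and the Tailscale installer on ws03 are reported. A user-writable path such as Downloads or Temp for a remote access binary is worth weighting higher than a Program Files install, since an attacker working from a phished session rarely has the rights to deploy software centrally.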

Malware used:

  • AveMaria (also known as WarZone [S0670]) – Enables remote access to a victim’s systems.
  • Raccoon Stealer – Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data.
  • VIDAR Stealer – Steals information including login credentials, browser history, cookies, and other data.

Domains used:

  • victimname-sso[.]com
  • victimname-servicedesk[.]com
  • victimname-okta[.]com
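The domain pattern is simple enough to hunt for: your company name joined to an identity or help-desk keyword under a TLD you do not own. The script below is an added example, not code from the advisory; it scores a constructed feed of newly observed domains (the kind of list you would pull from certificate transparency or passive DNS) against that pattern. The brand name "acme", the extra keywords beyond sso, okta and servicedesk, and the assumption that the public suffix is a single label are all illustrative choices.

```python
import re

# Brand / victim name being defended (assumption for the example).
BRAND = "acme"

# sso, okta and servicedesk come from the advisory's domain pattern; the
# remaining keywords are common additions and an assumption of this example.
KEYWORDS = ["sso", "okta", "servicedesk", "helpdesk", "login", "vpn", "mfa"]

# Constructed feed of newly seen domains, written defanged as the advisory does.
SAMPLE_DOMAINS = [
    "acme-sso[.]com",
    "acme-okta[.]com",
    "acme-servicedesk[.]net",
    "sso-acme[.]com",
    "acmesso[.]com",
    "sso[.]acme[.]com",   # legitimate: a subdomain of the real apex
    "acme[.]com",
    "example[.]com",
]


def refang(domain: str) -> str:
    """Turn the defanged 'victimname-sso[.]com' form back into a real name."""
    return domain.replace("[.]", ".").lower().strip(".")


def registrable_label(domain: str) -> str:
    """Second-level label, assuming a single-label public suffix (no PSL lookup)."""
    labels = refang(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_pattern(brand: str, keywords) -> "re.Pattern[str]":
    kw = "|".join(map(re.escape, keywords))
    b = re.escape(brand)
    # brand then keyword, or keyword then brand, with an optional hyphen:
    # acme-sso, acmesso, sso-acme, okta-acme ...
    return re.compile(rf"^(?:{b}-?(?:{kw})|(?:{kw})-?{b})$")


def find_lookalikes(domains, brand=BRAND, keywords=KEYWORDS, own_apex=None):
    """Return refanged domains whose registrable label matches the
    brand+keyword pattern, excluding the organisation's own apex and its
    subdomains."""
    own_apex = own_apex or f"{brand}.com"
    pattern = lookalike_pattern(brand, keywords)
    hits = []
    for d in domains:
        clean = refang(d)
        if clean == own_apex or clean.endswith("." + own_apex):
            continue
        if pattern.match(registrable_label(clean)):
            hits.append(clean)
    return hits


if __name__ == "__main__":
    for domain in find_lookalikes(SAMPLE_DOMAINS):
        print(f"possible phishing domain: {domain}")
```

The regex runs against the registrable label only, so `sso.acme.com` is recognised as your own infrastructure while `sso-acme.com` is flagged. In production, replace the single-label suffix assumption with a public-suffix-list lookup, and feed hits into both takedown requests and an outbound DNS block list, since the same domains are what a phished employee's browser will resolve.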

Tactics & Techniques used:

Reconnaissance & Resource Development (table image; Source: CISA)

Initial Access & Execution (table image; Source: CISA)

Persistence, Privilege Escalation, & Defense Evasion (table image; Source: CISA)

Credential Access & Discovery (table image; Source: CISA)

Lateral Movement & Collection (table image; Source: CISA)

Command and Control, Exfiltration, & Impact (table image; Source: CISA)

Recommendations

Here below, we have mentioned the recommendations provided by the FBI and CISA in the advisory:-

  • Implement application controls so that only approved software can execute.
  • Reduce the threat of malicious actors using remote access tools by auditing the remote access software installed on the network and reviewing logs for abnormal use of it.
  • Implement FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
  • Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
  • Implement a recovery plan.
  • Maintain offline backups of data.
  • Require all accounts with password logins to comply with NIST’s standards for developing and managing password policies.
  • Require phishing-resistant multifactor authentication (MFA).
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks.
  • Identify, detect, and investigate abnormal activity and potential traversal of ransomware with a network monitoring tool.
  • Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Disable unused ports and protocols.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted and immutable.


Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology, and other news.