In recent months, the Scattered Spider hacking group (aka Starfraud, UNC3944, Scatter Swine, and Muddled Libra) has made news for allegedly attacking the following casino giants:-
- MGM Resorts
- Caesars Entertainment
The FBI and CISA recently issued a joint Cybersecurity Advisory (CSA) on Scattered Spider threat actors targeting commercial facilities.
FBI Tactics & Techniques
The recent advisory from the FBI and CISA reveals recent TTPs from November 2023 by Scattered Spider, a sophisticated hacker group targeting large companies.
While this threat group, Scattered Spider, is known for data theft and BlackCat/ALPHV ransomware use, the agencies urge critical infrastructure organizations to implement recommended mitigations.
Besides this, the Scattered Spider hacker group is an expert in social engineering and uses multiple social engineering techniques like:-
- Phishing attacks
- Push bombing attacks
- Subscriber identity module (SIM) swap attacks
With the help of these attacks, they obtain credentials and then install remote access tools on the targeted system to bypass Multi-Factor Authentication (MFA).
FBI notes Scattered Spider using legitimate remote access tools post-network access.
The advisory reflects the U.S. government’s push against ransomware gangs, urging more victims to step forward for enhanced collective information to identify and counter threats.
Here below, we have mentioned all the TTPs that the Scattered Spider hacker group uses:-
- Fleetdeck.io – Enables remote monitoring and management of systems.
- Level.io – Enables remote monitoring and management of systems.
- Mimikatz [S0002] – Extracts credentials from a system.
- Ngrok [S0508] – Enables remote access to a local web server by tunneling over the internet.
- Pulseway – Enables remote monitoring and management of systems.
- Screenconnect – Enables remote connections to network devices for management.
- Splashtop – Enables remote connections to network devices for management.
- Tactical.RMM – Enables remote monitoring and management of systems.
- Tailscale – Provides virtual private networks (VPNs) to secure network communications.
- Teamviewer – Enables remote connections to network devices for management.
- AveMaria (also known as WarZone [S0670]) – Enables remote access to a victim’s systems.
- Raccoon Stealer – Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data.
- VIDAR Stealer – Steals information including login credentials, browser history,
- cookies, and other data.
Tactics & Techniques used:
Reconnaissance & Resource Development
Initial Access & Execution
Persistence, Privilege Escalation, & Defense Evasion
Credential Access & Discovery
Lateral Movement & Collection
Command and Control, Exfiltration, and impact
Here below, we have mentioned all the recommendations provided by the cybersecurity researchers:-
- Implement application controls.
- Reduce the threat of malicious actors.
- Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
- Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
- Implement a recovery plan.
- Maintain offline backups of data.
- Require all accounts with password logins ) to comply with NIST’s standards for developing and managing password policies.
- Require phishing-resistant multifactor authentication (MFA).
- Keep all operating systems, software, and firmware up to date.
- Segment networks.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
- Install, regularly update, and enable real-time detection for antivirus software on all hosts.
- Disable unused ports and protocols.
- Consider adding an email banner to emails.
- Disable hyperlinks.
- Ensure all backup data is encrypted and immutable.
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.