This article is more than 1 year old

Scattered Spider traps 100+ victims in its web as it moves into ransomware

Mandiant warns casino raiders are doubling down on 'monetization strategies'

Scattered Spider, the crew behind at least one of the recent Las Vegas casino IT security breaches, has already hit some 100 organizations during its so-far brief tenure in the cybercrime scene, according to Mandiant.

Further, as also witnessed in the ongoing MGM Resorts network outage, the gang, known for its social-engineering-based attacks, is now throwing data-stealing ransomware at victims, too.

In its analysis this week into Scattered Spider's evolving tactics, Mandiant says the "expansion in the group's monetization strategies" began in mid-2023. That write-up should be useful for IT defenders: it details mitigations, advice, and indicators of compromise to look out for.

The Google-owned threat intel firm tracks Scattered Spider as UNC3944. Its comments on the crime gang are significant because Mandiant is one the top incident response teams called in to clean up the messes made by such high-profile intruders.

"These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand," the analysis says. "Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services."

Scattered Spider, which has been around for about two years, is a US-UK-based Lapsus$-like gang that specializes in SMS phishing and phone-based social engineering that it uses to steal login credentials belonging to employees of targeted organizations or otherwise ultimately sneak into IT networks of its targets without permission.

In one of the group's first major phishing campaigns in 2022, dubbed Oktapus, the criminals initially went after employees of Okta customers, targeting as many as 135 orgs — IT, software development and cloud services providers based in the US.

First, Scattered Spider sent text messages to the employees with malicious links to sites spoofing their company's authentication page. This allowed the gang to steal some 9,931 user credentials and 5,441 multi-factor authentication codes, we're told.

Just last month, the crew targeted more Okta customers, this time putting in phone calls to the victims' IT service desks to trick support workers into changing the passwords and/or obtaining or resetting multi-factor authentication (MFA) codes for employees with high privileges, allowing the miscreants to gain access to those people's valuable accounts.

Gone phishing

Mandiant said it has identified three different phishing kits used by Scattered Spider. One, named "Eightbait" that was widely used between late 2021 and mid-2022, can send harvested credentials to attacker-controlled Telegram channel and deploy remote-desktop tool AnyDesk to a victim's system.

Then, beginning in the third quarter of 2022, Mandiant said Scattered Spider began using a new kit that it built using scraped copies of targeted companies' authentication page. "Notably, this kit has been used in some of the recent intrusions that led to extortion attempts," the threat intel team said.

Finally, in mid-2023, a third phishing kit emerged that Mandiant says the crew uses in parallel with the second iteration. Both are similar, but "minor changes to the kit's code suggest that the theme used by the second kit was probably retrofitted into a new tool," according to Mandiant.

Once the gang has broken in, Scatter Spider uses legit everyday software to explore and monitor the network, and spends a good deal of time hunting for anything to help escalate privileges and maintain persistence in its victims' IT environments. Mandiant detailed two examples in its write-up:

In one incident UNC3944 was able to export the data from the victim's HashiCorp Vault by using a copy of the Vault client, which the threat actors downloaded from the official HashiCorp site. They successfully exported the credentials from the HashiCorp Vault and authenticated to a file server with a domain admin account. In another incident UNC3944 installed a PowerShell module for the CyberArk API, enabling them to dump credentials from the vault server.

The crew has also tried to vacuum up credentials stored in private GitHub repositories using publicly available tools, such as such as Trufflehog and GitGuardian, and in at least one case it used open source Azure penetration-testing tool MicroBurst to steal credentials from an Azure tenant.

Scattered Spider has also used infostealers such as Ultraknot and other data miners including Vidar and Atomoic to steal credentials, we're told.

Moving into ransomware

Earlier this year, the crew began deploying ransomware in victims' environments, signaling a shift in their extortion attacks. Scattered Spider reportedly used this tactic in the recent MGM Resorts intrusion. The gang claimed to have encrypted more than 100 ESXi hypervisors in that attack, and according to Mandiant the crew is an ALPHV affiliate.

ALPHV, also known as BlackCat, is a ransomware-as-a-service (RaaS) operation that rents its malware out to other criminals like Scattered Spider.

"ALPHV operates as a RaaS and we have observed UNC3944 deploy this ransomware," Mandiant's threat intel team told The Register. "In these partnerships, the operators of the ransomware will typically provide builds to its affiliates to distribute along with other related support services such as infrastructure that allows easy management of victims and extortion support (e.g. DDoS)."

And, we're told, the phishing-turned-ransomware gang is unlikely to stop there. As Mandiant noted in its blog: "We anticipate that intrusions related to UNC3944 will continue to involve diverse tools, techniques, and monetization tactics as the actors identify new partners and switch between different communities." ®

More about

TIP US OFF

Send us news


Other stories you might like