Scattered Spider traps 100+ victims in its web as it moves into ransomware

Mandiant warns casino raiders are doubling down on 'monetization strategies'


Scattered Spider, the crew behind at least one of the recent Las Vegas casino IT security breaches, has already hit some 100 organizations during its so-far brief tenure in the cybercrime scene, according to Mandiant.

Further, as also witnessed in the ongoing MGM Resorts network outage, the gang, known for its social-engineering-based attacks, is now throwing data-stealing ransomware at victims, too.

In its analysis this week into Scattered Spider's evolving tactics, Mandiant says the "expansion in the group's monetization strategies" began in mid-2023. That write-up should be useful for IT defenders: it details mitigations, advice, and indicators of compromise to look out for.

The Google-owned threat intel firm tracks Scattered Spider as UNC3944. Its comments on the crime gang are significant because Mandiant is one of the top incident response teams called in to clean up the messes made by such high-profile intruders.

"These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand," the analysis says. "Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services."

Scattered Spider, which has been around for about two years, is a US-UK-based Lapsus$-like gang that specializes in SMS phishing and phone-based social engineering. It uses those techniques to steal login credentials belonging to employees of targeted organizations, or otherwise to ultimately sneak into its targets' IT networks without permission.

In one of the group's first major phishing campaigns in 2022, dubbed Oktapus, the criminals initially went after employees of Okta customers, targeting as many as 135 orgs — IT, software development and cloud services providers based in the US.

First, Scattered Spider sent text messages to the employees with malicious links to sites spoofing their company's authentication page. This allowed the gang to steal some 9,931 user credentials and 5,441 multi-factor authentication codes, we're told.

Just last month, the crew targeted more Okta customers, this time putting in phone calls to the victims' IT service desks to trick support workers into changing the passwords and/or obtaining or resetting multi-factor authentication (MFA) codes for employees with high privileges, allowing the miscreants to gain access to those people's valuable accounts.

Gone phishing

Mandiant said it has identified three different phishing kits used by Scattered Spider. One, named "Eightbait" and widely used between late 2021 and mid-2022, can send harvested credentials to an attacker-controlled Telegram channel and deploy the remote-desktop tool AnyDesk to a victim's system.

Then, beginning in the third quarter of 2022, Mandiant said Scattered Spider began using a new kit that it built using scraped copies of targeted companies' authentication pages. "Notably, this kit has been used in some of the recent intrusions that led to extortion attempts," the threat intel team said.

Finally, in mid-2023, a third phishing kit emerged that Mandiant says the crew uses in parallel with the second iteration. Both are similar, but "minor changes to the kit's code suggest that the theme used by the second kit was probably retrofitted into a new tool," according to Mandiant.

Once the gang has broken in, Scattered Spider uses legit everyday software to explore and monitor the network, and spends a good deal of time hunting for anything to help it escalate privileges and maintain persistence in its victims' IT environments. Mandiant detailed two examples in its write-up:

In one incident UNC3944 was able to export the data from the victim's HashiCorp Vault by using a copy of the Vault client, which the threat actors downloaded from the official HashiCorp site. They successfully exported the credentials from the HashiCorp Vault and authenticated to a file server with a domain admin account. In another incident UNC3944 installed a PowerShell module for the CyberArk API, enabling them to dump credentials from the vault server.
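The Vault export described above leaves a distinctive trace: a single token reading many unrelated secret paths in a short span, which is not how a service account normally behaves. The following is an added defender-side example, not code from Mandiant, HashiCorp, or the article, that scans HashiCorp Vault audit-log entries (the file audit device's JSON-lines format) and flags tokens that read more than a handful of distinct paths inside a ten-minute window. The thresholds, the field names beyond Vault's documented `type`, `time`, `auth` and `request` objects, and the sample log lines are all assumptions constructed for this example.

```python
"""Flag bulk secret reads in HashiCorp Vault audit-log entries.

Added example for detection, not Mandiant's or HashiCorp's code. It assumes
the Vault file audit device's JSON-lines format (one event per line with
"type", "time", "auth" and "request" objects) and a simple heuristic: one
token (auth.accessor) reading many distinct secret paths inside a short
window is worth a look, because a vault export done with the stock Vault
client produces exactly that pattern.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions; tune them to the environment's normal read volume.
MAX_DISTINCT_PATHS = 5
WINDOW = timedelta(minutes=10)


def parse_time(stamp):
    """Parse Vault's RFC 3339 UTC timestamp. Fractional seconds are trimmed to
    microseconds because datetime.fromisoformat does not accept nanoseconds."""
    stamp = stamp.rstrip("Z")
    if "." in stamp:
        base, frac = stamp.split(".", 1)
        stamp = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def parse_entries(lines):
    """Yield (timestamp, accessor, display_name, remote_address, path) for
    response-type read events; request events and non-JSON lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("type") != "response":
            continue
        req = ev.get("request", {})
        if req.get("operation") != "read":
            continue
        auth = ev.get("auth", {})
        yield (parse_time(ev["time"]), auth.get("accessor", "?"),
               auth.get("display_name", "?"), req.get("remote_address", "?"),
               req.get("path", ""))


def find_bulk_readers(lines, max_paths=MAX_DISTINCT_PATHS, window=WINDOW):
    """Return {accessor: (display_name, remote_address, sorted paths)} for every
    token that read more than max_paths distinct paths within one window."""
    by_token = defaultdict(list)
    for ts, acc, name, addr, path in parse_entries(lines):
        by_token[acc].append((ts, name, addr, path))
    hits = {}
    for acc, events in by_token.items():
        events.sort(key=lambda e: e[0])
        # Slide a window over this token's reads and count distinct paths.
        for i, (t0, name, addr, _) in enumerate(events):
            seen = {p for t, _, _, p in events[i:] if t - t0 <= window}
            if len(seen) > max_paths:
                hits[acc] = (name, addr, sorted(seen))
                break
    return hits


def _event(time, accessor, name, addr, path):
    """Build one constructed audit entry in the file audit device's shape."""
    return json.dumps({
        "type": "response", "time": time,
        "auth": {"accessor": accessor, "display_name": name},
        "request": {"operation": "read", "path": path, "remote_address": addr},
    })


# Constructed sample log (not from any real incident). A billing service token
# reads the two secrets it always reads; a second token walks seven unrelated
# paths in six minutes, which is what an export with the Vault client looks like.
SAMPLE_LOG = "\n".join(
    [_event("2023-09-14T10:00:00.000000000Z", "hmac-svc", "approle-billing",
            "10.1.2.3", "secret/data/billing/db"),
     _event("2023-09-14T10:00:05.000000000Z", "hmac-svc", "approle-billing",
            "10.1.2.3", "secret/data/billing/api")]
    + [_event(f"2023-09-14T10:{2 + i:02d}:00.000000000Z", "hmac-x", "token-ops",
              "10.9.9.9", f"secret/data/{p}")
       for i, p in enumerate(["ad/domain-admin", "backup/nas", "hr/payroll",
                              "ci/deploy", "cloud/azure", "db/root", "vpn/ca"])]
)


def report(lines):
    """Human-readable lines, one per flagged token."""
    return [f"{name} from {addr} read {len(paths)} distinct secrets ({acc})"
            for acc, (name, addr, paths) in find_bulk_readers(lines).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

On a real deployment the accessor field is HMAC'd by the audit device, so correlate hits through `display_name` and `remote_address`, and pair the alert with a check that the source address belongs to a known workload rather than a workstation.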

The crew has also tried to vacuum up credentials stored in private GitHub repositories using publicly available tools such as Trufflehog and GitGuardian, and in at least one case it used the open source Azure penetration-testing tool MicroBurst to steal credentials from an Azure tenant.

Scattered Spider has also used infostealers such as Ultraknot and other data miners including Vidar and Atomic to steal credentials, we're told.

Moving into ransomware

Earlier this year, the crew began deploying ransomware in victims' environments, signaling a shift in their extortion attacks. Scattered Spider reportedly used this tactic in the recent MGM Resorts intrusion. The gang claimed to have encrypted more than 100 ESXi hypervisors in that attack, and according to Mandiant the crew is an ALPHV affiliate.

ALPHV, also known as BlackCat, is a ransomware-as-a-service (RaaS) operation that rents its malware out to other criminals like Scattered Spider.

"ALPHV operates as a RaaS and we have observed UNC3944 deploy this ransomware," Mandiant's threat intel team told The Register. "In these partnerships, the operators of the ransomware will typically provide builds to its affiliates to distribute along with other related support services such as infrastructure that allows easy management of victims and extortion support (e.g. DDoS)."

And, we're told, the phishing-turned-ransomware gang is unlikely to stop there. As Mandiant noted in its blog: "We anticipate that intrusions related to UNC3944 will continue to involve diverse tools, techniques, and monetization tactics as the actors identify new partners and switch between different communities." ®