A joint advisory about a cybercriminal group called Scattered Spider, which is known to use sophisticated phishing techniques to infiltrate targets, was released by U.S. cybersecurity and intelligence agencies.
“Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs,” the agencies stated.
The threat actor was the focus of a lengthy profile published by Microsoft last month. The tech giant referred to it as “one of the most dangerous financial criminal groups.” It is also known by the names Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944.
Scattered Spider, whose members are skilled social engineers, is recognized for its ability to acquire credentials, install remote access tools, and get around multi-factor authentication (MFA) through phishing, MFA prompt bombing, and SIM swapping attacks.
Like LAPSUS$, Scattered Spider is purportedly a part of a broader Gen Z cybercrime ecosystem that goes by the name of the Com (also spelled Comm), and has turned to swatting attacks and violent behavior.
The identities of at least twelve members of the cybercrime gang are known to the U.S. Federal Bureau of Investigation (FBI), according to a Reuters report earlier this week.
One of its most prominent strategies is to target employees with phone calls or SMS messages that impersonate IT and help desk staff in order to obtain elevated access to corporate networks.
Following a successful initial access, remote access trojans and stealers like AveMaria (aka Warzone RAT), Raccoon Stealer, and Vidar Stealer are deployed along with genuine remote access tunneling tools like Fleetdeck.io, Ngrok, and Pulseway.
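The tools named above are a natural starting point for a defender's hunt. The following is an added example, not code from the advisory or the agencies that issued it: it scans process-creation records for the remote access and tunneling tools the article lists and reports which hosts and users launched them. The pipe-delimited log format and the sample log lines are constructed for the example and are not taken from any real environment.

```python
import re
from dataclasses import dataclass

# Tool names drawn from the article. Matched case-insensitively as
# substrings of the image path and the command line, so a binary dropped
# under an odd path still triggers as long as its name is unchanged.
WATCHLIST = {
    "ngrok": "tunneling tool",
    "pulseway": "remote access tool",
    "fleetdeck": "remote access tool",
}

# Hypothetical record layout: timestamp|host|user|image path|command line
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    image: str
    command_line: str


def parse_line(line):
    """Return the fields of one record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record):
    """Return the watchlist name that matches the record, or None."""
    haystack = (record["image"] + " " + record["cmd"]).lower()
    for needle in WATCHLIST:
        if needle in haystack:
            return needle
    return None


def scan(lines):
    """Parse every line, skip malformed ones, and collect matching records."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tool = classify(rec)
        if tool is not None:
            findings.append(
                Finding(rec["ts"], rec["host"], rec["user"], tool, rec["image"], rec["cmd"])
            )
    return findings


def summarize(findings):
    """Map each host to the sorted list of watchlisted tools seen on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.tool)
    return {host: sorted(tools) for host, tools in by_host.items()}


# Constructed sample records (hostnames, users, and paths are made up).
SAMPLE_LOG = [
    r"2024-01-15T10:02:11Z|WS-0142|corp\jdoe|C:\Users\jdoe\Downloads\ngrok.exe|ngrok.exe tcp 3389",
    r"2024-01-15T10:05:40Z|WS-0142|corp\jdoe|C:\Program Files\Pulseway\PCMonitorSrv.exe|PCMonitorSrv.exe",
    r"2024-01-15T10:06:02Z|SRV-DB01|corp\svc_backup|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    "this line is not a valid record",
    r"2024-01-15T10:07:30Z|WS-0088|corp\asmith|C:\Users\asmith\AppData\Local\Temp\fleetdeck_agent.exe|fleetdeck_agent.exe --install",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.tool} ({WATCHLIST[f.tool]}) -> {f.command_line}")
    print(summarize(scan(SAMPLE_LOG)))
```

Name matching is only a first pass: it catches the common case of an unmodified binary, and the follow-up for any hit is to confirm whether the user or host has a legitimate reason to run a remote access agent at all.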
In addition, the English-speaking extortion group uses living-off-the-land (LotL) tactics to evade detection and maneuver through compromised networks in order to ultimately pilfer confidential data in return for a ransom.
Scattered Spider has also acted as an affiliate of the BlackCat ransomware gang since mid-2023, using its access to victims to carry out data theft and ransomware-enabled extortion.
The U.S. government is advising businesses to install application controls that stop unauthorized software from running on endpoints, to maintain and test recovery plans, to keep offline backups, and to deploy phishing-resistant multifactor authentication (MFA).