CISA and the FBI recently issued a joint advisory on Scattered Spider, a cybercriminal group known for breaching targets with sophisticated phishing and social engineering. The group, also tracked as Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944, has been flagged for data theft for extortion, notably deploying BlackCat/ALPHV ransomware alongside its social engineering techniques.
Renowned for their expertise in social engineering, Scattered Spider uses phishing, MFA push bombing (repeatedly sending authentication prompts until a fatigued user approves one), and SIM swapping to acquire credentials, install remote access tools, and bypass multi-factor authentication (MFA).
They are considered part of a broader Gen Z cybercrime ecosystem, often referred to as the Com or Comm, which has been associated with violent activities and swatting attacks. The FBI has reportedly identified around a dozen members of this cybercrime gang.
Their tactics involve impersonating IT and help desk personnel via phone calls or SMS messages to gain elevated access to networks. Upon gaining initial access, they deploy legitimate remote monitoring and management (RMM) and tunneling tools such as Fleetdeck.io, Ngrok, and Pulseway, as well as remote access trojans and information stealers such as AveMaria (also known as Warzone RAT), Raccoon Stealer, and Vidar Stealer.
Additionally, Scattered Spider relies on living-off-the-land (LotL) techniques to evade detection and move through compromised networks, with the goal of stealing sensitive data and extorting payment for it. The group has even joined victims' incident remediation and response calls and teleconferences, likely to learn how security teams are tracking them and to adjust their intrusion methods accordingly, which is a reason to assume the attacker may be listening on those channels during an intrusion.
As of mid-2023, Scattered Spider has operated as an affiliate of the BlackCat ransomware gang, using its access to extort victims through both ransomware deployment and data theft.
The U.S. government advises organizations to implement phishing-resistant MFA (such as FIDO2/WebAuthn hardware keys rather than push or SMS codes), maintain a tested recovery plan, keep offline backups, and enforce application controls so that unauthorized software, including unapproved remote access tools, cannot execute on endpoints.
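Two of the behaviours above, MFA push bombing and the dropping of unapproved remote access or tunneling tools, are straightforward to hunt for in logs. The following is an added example written for this article, not code from the advisory or from any vendor: it runs two detections over constructed sample events. The log field layouts, the ten-minute window, the four-prompt threshold, the allowlist path and the tool name markers are all assumptions chosen for the example; real identity-provider and EDR schemas will differ.

```python
"""Detection logic for two Scattered Spider TTPs, run over constructed sample logs.

1. MFA push bombing: many push prompts to one user in a short window, with the
   worst case being a run of denials followed by an approval.
2. Unapproved remote access / tunneling tools: process-start events whose image
   path matches a known tool name and is not on the organisation's allowlist.

All log formats, field names and thresholds below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events: (ISO timestamp, user, result). Not real logs.
MFA_EVENTS = [
    ("2023-11-16T02:10:05", "jdoe", "denied"),
    ("2023-11-16T02:10:41", "jdoe", "denied"),
    ("2023-11-16T02:11:12", "jdoe", "denied"),
    ("2023-11-16T02:11:50", "jdoe", "denied"),
    ("2023-11-16T02:12:30", "jdoe", "approved"),   # user gave in
    ("2023-11-16T09:00:00", "asmith", "approved"),
    ("2023-11-16T13:30:00", "asmith", "approved"),
]

# Constructed sample process-start events: (host, image path, user). Not real logs.
PROCESS_EVENTS = [
    ("WS-0412", r"C:\Users\jdoe\AppData\Local\Temp\ngrok.exe", "jdoe"),
    ("WS-0412", r"C:\Program Files\Pulseway\PCMonitorSrv.exe", "SYSTEM"),
    ("WS-0099", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "asmith"),
    ("WS-0077", r"C:\Program Files\FleetDeck\fleetdeck_agent.exe", "SYSTEM"),
]

# Hypothetical allowlist: the one RMM product this organisation actually uses,
# keyed by full install path (lower-cased) so a copy dropped elsewhere still fires.
APPROVED_TOOLS = {r"c:\program files\pulseway\pcmonitorsrv.exe"}

# Lower-cased substrings identifying tools the advisory names. Assumed, not exhaustive.
REMOTE_ACCESS_MARKERS = ("ngrok", "pulseway", "fleetdeck")


def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Return {user: {"prompts": n, "approved_after_denials": bool}} for every
    user who received at least `min_prompts` push prompts inside any `window`.
    `approved_after_denials` is True when that burst contains a denial and ends
    with an approval, i.e. the fatigue attack appears to have succeeded."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((datetime.fromisoformat(ts), result))

    hits = {}
    for user, rows in per_user.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until rows[start..end] fit in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            n = end - start + 1
            if n < min_prompts:
                continue
            results = [r for _, r in rows[start:end + 1]]
            succeeded = "denied" in results and results[-1] == "approved"
            prev = hits.get(user, {"prompts": 0, "approved_after_denials": False})
            hits[user] = {
                "prompts": max(prev["prompts"], n),
                "approved_after_denials": prev["approved_after_denials"] or succeeded,
            }
    return hits


def detect_unapproved_remote_tools(events, approved=APPROVED_TOOLS):
    """Return (host, image, user) for process starts that look like a remote
    access or tunneling tool but whose image path is not on the allowlist."""
    findings = []
    for host, image, user in events:
        lowered = image.lower()
        if any(m in lowered for m in REMOTE_ACCESS_MARKERS) and lowered not in approved:
            findings.append((host, image, user))
    return findings


if __name__ == "__main__":
    for user, info in detect_push_bombing(MFA_EVENTS).items():
        print(f"[MFA] {user}: {info['prompts']} prompts in window, "
              f"approved after denials: {info['approved_after_denials']}")
    for host, image, user in detect_unapproved_remote_tools(PROCESS_EVENTS):
        print(f"[RMM] {host}: unapproved remote tool {image} started by {user}")
```

On the constructed input the first detection flags `jdoe` with five prompts and a denial-then-approval pattern, which is the signal worth paging on, while `asmith` stays clear. The second flags `ngrok.exe` in a user's Temp directory and the FleetDeck agent on a host where it is not expected, but not the sanctioned Pulseway install. Matching on the full lower-cased path rather than the file name alone is deliberate: the advisory's tools are legitimate software, so the allowlist has to distinguish the organisation's own deployment from an attacker-dropped copy of the same product.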
