Scattered Spider is using fresh tactics to snare more victims in its web.
Governments around the globe are warning that the hacker group is impersonating employees to trick IT help desks into resetting passwords and transferring multi-factor authentication (MFA) tokens to attacker-controlled devices. This then allows them to carry out damaging extortion and ransomware campaigns.
“Scattered Spider is successful because of their expert use of social engineering,” said Johannes Ullrich, dean of research at SANS Technology Institute. “Defenses often focus too much on technical attacks and technical solutions, while attackers like Scattered Spider use simple phone calls or SMS messages, and in some cases, simple cash bribes, to get insiders to assist them.”
Sophisticated spear phishing bypasses defenses
Scattered Spider, also known as Scatter Swine, Oktapus, and Octo Tempest, has been active since at least May 2022, using various social engineering techniques to access credentials, install remote-access tools, bypass MFA, steal data, and extort organizations.
The group’s members are notorious for posing as IT and help desk staff to fool employees into giving up their credentials, sharing one-time passwords (OTPs), or running commercial remote access tools to grant network access. They employ a variety of social engineering tactics, including smishing (text phishing), vishing (voice phishing), and spear phishing (targeting a specific employee).
Now the US Cybersecurity and Infrastructure Security Agency (CISA) and other agencies in Canada, the UK, and Australia say the group is changing up its tactics and using new malware and ransomware techniques — including “RattyRAT” and DragonForce — to exfiltrate data.
The agencies warn that Scattered Spider is repurposing legitimate, publicly available remote access tunneling tools, now including Teleport.sh and AnyDesk, to easily bypass security safeguards. Increasingly, it is searching for an organization’s Snowflake access to “[exfiltrate] large volumes of data in a short time, often running thousands of queries immediately,” according to the advisory.
The group has been known to exfiltrate data after gaining access to a network, then threatening to release it; recently, this exfiltrated data has been moved to US-based data centers, including Amazon S3, then encrypted. Members then communicate with targeted organizations via TOR, Tox, email, and other encrypted apps.
It is using domains including targetsname-cms[.]com, targetsname-helpdesk[.]com, and oktalogin-targetcompany[.]com. CISA explained that the targeted organization’s name is often appended with either a -helpdesk or a type of SSO to add credibility.
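The naming pattern described above (the organization’s name combined with a help-desk or SSO token) can be checked for in new domain registrations or proxy logs. The following is an added example, not code from the advisory or the article; the organization name, keyword list and sample domains are constructed, and the third sample follows the advisory’s oktalogin pattern with the constructed name substituted.

```python
from typing import Optional

# Constructed watchlist (assumption): the defended organization's name and the
# help-desk / SSO-style tokens the advisory says are combined with it.
ORG_NAME = "targetsname"
SSO_KEYWORDS = ("oktalogin", "helpdesk", "signin", "login", "okta", "sso", "cms", "mfa", "vpn")
LEGIT_DOMAINS = ("targetsname.com",)   # constructed: the organization's own domains


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def registrable_label(domain: str) -> str:
    """Return the label just left of the TLD, e.g. 'targetsname-cms' for 'targetsname-cms.com'."""
    parts = refang(domain).rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain: str, org: str = ORG_NAME) -> Optional[str]:
    """Explain why a domain looks like an impersonation of `org`, or return None."""
    d = refang(domain)
    legit = {refang(x) for x in LEGIT_DOMAINS}
    # The organization's own apex and its subdomains are never flagged.
    if d in legit or d.endswith(tuple("." + x for x in legit)):
        return None
    label = registrable_label(d)
    if org not in label:
        return None
    leftover = label.replace(org, "", 1).strip("-_")
    if not leftover:
        return "org name on a non-corporate registrable domain"
    # Longest keyword first so 'oktalogin' is reported rather than 'okta'.
    for kw in sorted(SSO_KEYWORDS, key=len, reverse=True):
        if kw in leftover:
            return f"org name combined with '{kw}'"
    return "org name combined with extra tokens"


def triage(domains) -> dict:
    """Map each flagged domain to its reason; unflagged domains are omitted."""
    return {d: r for d in domains if (r := lookalike_reason(d)) is not None}


# Constructed sample: the advisory's patterns plus benign traffic.
SAMPLE = ["targetsname-cms[.]com", "targetsname-helpdesk[.]com",
          "oktalogin-targetsname[.]com", "sso.targetsname.com", "github.com"]
```

Feeding the output to whoever owns brand protection or the SOC’s new-domain watch gives a concrete trigger for takedown requests or blocking before the domain is used in a vishing or smishing lure.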
In some instances, Scattered Spider members purchase employee or contractor credentials on illicit marketplaces to gain access. More commonly, they search business-to-business websites to gather information about specific individuals. Once they have identified usernames, passwords, and personally identifiable information (PII), and have conducted SIM swapping (transferring a victim’s phone number to a SIM card they control), they use “layered” social engineering techniques that play out over several calls.
These moves are designed to learn the steps needed to conduct password resets, gather the targeted employee’s password reset information, and conduct spear phishing calls to convince help desk personnel to reset passwords and/or transfer MFA tokens so they can take over accounts.
Later, to determine whether their activities have been detected, the threat actors often search the organization’s Slack, Microsoft Teams, and Microsoft Exchange Online for discussions of the attack and the subsequent security response. They also create new identities in these environments, backed up by fake social media profiles, and frequently join incident remediation and response calls and teleconferences. This helps them understand how security teams are hunting them.
Scattered Spider is so pervasive “because it uses advanced and aggressive social engineering that gets around most defenses,” said Roger Grimes, a data-driven defense evangelist at cybersecurity company KnowBe4.
Avoid getting ensnared in Scattered Spider’s web
In response to the group’s new tactics, the joint statement advises enterprises to look for “risky logins” in environments where sign-in attempts have been flagged as suspicious or unusual. Other important cybersecurity practices include:
- Enforce phishing-resistant MFA.
- Implement application controls to manage and control software execution, including allowlisting remote access programs.
- Audit remote access tools to identify currently used and/or authorized software.
- Review logs for execution of remote access software to detect abnormal use.
- Only permit authorized remote access tools to be used within a network over approved mechanisms such as virtual private networks (VPNs) or virtual desktops.
- Block inbound and outbound connections on common remote access ports and protocols.
- Strictly limit the use of remote desktop protocol (RDP) and other remote desktop services.
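The allowlisting, audit and log-review items above come together in a simple check over process-creation events: flag any known remote access tool that runs on a host where it is not authorized, and note when it was launched from a user-writable path rather than an IT-deployed location. This is an added example, not code from the advisory; the binary list, allowlist and CSV field names are assumptions, and the event lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Remote access tools named in the advisory coverage (AnyDesk, Teleport) plus a few
# common others; this map is an assumption to be tuned to your estate.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "tsh.exe": "Teleport client",
    "teleport.exe": "Teleport",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
}

# Constructed allowlist: tool -> hosts on which it is authorized to run.
AUTHORIZED = {"ScreenConnect": {"helpdesk-ws01"}}

# Constructed process-creation export (generic EDR/Sysmon-style fields, not a real schema).
SAMPLE_EVENTS = """timestamp,host,user,image,command_line
2025-07-29T14:02:11Z,helpdesk-ws01,hd.tech,C:\\Program Files\\ScreenConnect\\ScreenConnect.ClientService.exe,ScreenConnect.ClientService.exe
2025-07-29T14:05:40Z,fin-laptop17,j.doe,C:\\Users\\j.doe\\Downloads\\AnyDesk.exe,AnyDesk.exe --start-with-win
2025-07-29T14:06:02Z,fin-laptop17,j.doe,C:\\Users\\j.doe\\AppData\\Local\\Temp\\tsh.exe,tsh.exe login --proxy=example.teleport.sh
2025-07-29T14:07:55Z,eng-ws22,a.smith,C:\\Windows\\System32\\notepad.exe,notepad.exe
"""


def basename(image: str) -> str:
    """Lower-cased file name of an image path, Windows or POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_unauthorized_remote_access(csv_text: str) -> list:
    """Return one finding per remote access tool execution not covered by the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = REMOTE_ACCESS_BINARIES.get(basename(row["image"]))
        if tool is None or row["host"] in AUTHORIZED.get(tool, set()):
            continue
        # A tool launched from Downloads or Temp was not deployed by IT: stronger signal.
        lowered = row["image"].lower()
        user_path = any(seg in lowered for seg in ("\\users\\", "\\temp\\", "\\downloads\\"))
        findings.append({"timestamp": row["timestamp"], "host": row["host"], "user": row["user"],
                         "tool": tool, "user_writable_path": user_path})
    return findings


def hosts_by_tool(findings: list) -> dict:
    """Summarize which hosts ran which unauthorized tool, for the audit item above."""
    summary = defaultdict(set)
    for f in findings:
        summary[f["tool"]].add(f["host"])
    return dict(summary)
```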
Given that the group’s social engineering techniques can get around most defenses, experts emphasize the importance of building a holistic cybersecurity culture, rather than just relying on tools.
“CISOs can’t buy a blinky box to mitigate Scattered Spider,” said David Shipley of Beauceron Security. “It requires building aware and engaged teams to recognize social engineering, positive security cultures, and robust, assertive help desk authentication procedures that are tested at least monthly by red teams.”
KnowBe4’s Grimes noted that many defense guides, including those from CISA, “barely mention” how to best defeat social engineering, which is, he said, better security awareness training. “So, people concentrate on the wrong things and then wonder why Scattered Spider is so successful.”
He advised: “Don’t use easily phishable MFA — and that’s most MFA.” His suggestions for phishing-resistant MFA: NIST, FIDO2, 1Kosmos, AuthN by IEEE, Beyond Identity, IDEE, Google Advanced Protection Program, HYPR, and idenprotect.
SANS’ Ullrich noted that enterprises too often rely on third-party vendors to offer critical security functions such as identity and access control. As a result, it can be difficult to make quick tactical changes to fight current threats. Detailed insight into authorization activity can be limited, slowing or preventing proper detection and mitigation, while modern decomposed networks make detailed monitoring “almost impossible.”
Internal expertise is optimal, he said; but barring that, enterprises should promote a strong employee reporting system. “Successful awareness training often emphasizes reporting features over more old-fashioned anti-phishing training,” said Ullrich.