U.S. cybersecurity and intelligence agencies have released a joint advisory about a cybercriminal group known as Scattered Spider that's known to employ sophisticated phishing tactics to infiltrate targets.
"Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs," the agencies said.
The threat actor, also tracked under the monikers Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944, was the subject of an extensive profile from Microsoft last month, with the tech giant calling it "one of the most dangerous financial criminal groups."
Considered as experts in social engineering, Scattered Spider is known to rely on phishing, prompt bombing, and SIM swapping attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA).
Scattered Spider, like LAPSUS$, is said to be part of a larger Gen Z cybercrime ecosystem that refers to itself as the Com (alternately spelled Comm), which has resorted to violent activity and swatting attacks.
A report from Reuters earlier this week disclosed that the U.S. Federal Bureau of Investigation (FBI) is aware of the identities of at least a dozen members of the cybercrime gang.
One of the notable tricks in its arsenal is the impersonation of IT and helping desk staff using phone calls or SMS messages to target employees and gain elevated access to the networks.
Successful initial access is followed by the deployment of legitimate remote access tunneling tools such as Fleetdeck.io, Ngrok, and Pulseway, as well as remote access trojans and stealers like AveMaria (aka Warzone RAT), Raccoon Stealer, and Vidar Stealer.
Furthermore, the English-speaking extortion crew leverages living-off-the-land (LotL) techniques to skirt detection and navigate compromised networks with an ultimate aim to steal sensitive information in exchange for a payment.
"The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses," the agencies noted.
As of mid-2023, Scattered Spider has also acted as an affiliate for the BlackCat ransomware gang, monetizing its access to victims for extortion-enabled ransomware and data theft.
The U.S. government is urging companies to implement phishing-resistant MFA, enforce a recovery plan, maintain offline backups, and adopt application controls to prevent the execution of unauthorized software on endpoints.
