Scattered Spider's Growing Cyber Threat: From Phishing to Ransomware

The US Cybersecurity & Infrastructure Security Agency (CISA) warns of Scattered Spider's rising menace in the digital realm. Linked to a recent breach in a Las Vegas casino, the group has allegedly targeted over 100 entities during its brief existence, reports Mandiant.

Initially known for their social-engineering strategies, Scattered Spider has started deploying ransomware to steal data. Their latest method of attack exploits a vulnerability in the WinRAR archiver, CVE-2023-38831. They’ve successfully integrated sophisticated techniques like analyzing a system’s architecture and dynamically adjusting their approach to further infiltrate the network.

Collaborating with agencies such as the Environmental Protection Agency (EPA), Mandiant reveals that Scattered Spider's monetization techniques began evolving in mid-2023. The group predominantly targets employees of organizations, employing SMS phishing and phone-based social engineering to procure login details.

One of their significant 2022 phishing campaigns, Oktapus, targeted Okta customers' employees. This strategy helped them obtain nearly 10,000 user credentials. The modus operandi involved sending malicious text links imitating company authentication pages and, in some instances, direct phone calls to manipulate IT support staff.

Mandiant identified three unique phishing kits employed by Scattered Spider. The most recent, initiated in 2023, seems to be a retrofitted version of their previous toolkit.

Once inside, Scattered Spider uses off-the-shelf, legitimate tools for reconnaissance and lateral movement. The group hunts for data while working to escalate privileges and maintain persistence, and it abuses secrets-management tools such as HashiCorp Vault or the CyberArk API to extract credentials.
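Credential harvesting from a secrets store leaves a trail in that store's audit log, so one defensive control is to watch for an identity that suddenly reads many distinct secrets in a short window, typically right after listing the secret tree. The following is an added example, not code from the article, Mandiant or HashiCorp: it runs that heuristic over constructed Vault-style audit entries. The field names it reads (`type`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`, `time`) follow the Vault JSON audit device format as the author understands it and are assumptions here, as are the 120-second window and the five-path threshold; tune both against a baseline of your own application traffic.

```python
"""Flag identities that bulk-read secrets in HashiCorp Vault audit logs.

Added example (not from the article or from Vault/Mandiant). Assumes the
JSON audit-log field layout noted in the lead-in; all sample entries are
constructed, and the thresholds are starting points, not vendor guidance.
"""
import json
from collections import defaultdict, deque
from datetime import datetime


def _entry(ts, actor, op, path, src, kind="response"):
    """Build one constructed audit line in the assumed Vault layout."""
    return json.dumps({
        "time": ts, "type": kind,
        "auth": {"display_name": actor, "token_type": "service"},
        "request": {"operation": op, "path": path, "remote_address": src},
    })


# Constructed sample log: a service account re-reading one secret (benign),
# a human identity listing the tree and reading six secrets in 40 seconds
# (suspicious), and another human reading three secrets over three hours.
SAMPLE_AUDIT_LOG = "\n".join(
    [
        _entry("2023-09-01T10:00:01Z", "app-billing", "read", "secret/data/billing/db", "10.0.2.15"),
        _entry("2023-09-01T10:00:31Z", "app-billing", "read", "secret/data/billing/db", "10.0.2.15"),
        _entry("2023-09-01T10:05:00Z", "oidc-jdoe", "list", "secret/metadata/", "198.51.100.7"),
        # Vault logs a "request" line and a "response" line per call; this
        # duplicate must not be counted twice.
        _entry("2023-09-01T10:05:10Z", "oidc-jdoe", "read", "secret/data/team0/creds", "198.51.100.7", kind="request"),
    ]
    + [
        _entry(f"2023-09-01T10:05:{10 + 8 * i:02d}Z", "oidc-jdoe", "read",
               f"secret/data/team{i}/creds", "198.51.100.7")
        for i in range(6)
    ]
    + [
        _entry(f"2023-09-01T1{1 + i}:00:00Z", "oidc-asmith", "read",
               f"secret/data/ops/svc{i}", "10.0.5.9")
        for i in range(3)
    ]
)


def parse_entries(raw):
    """Parse JSON-per-line audit text into sorted read/list events."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        if e.get("type") != "response":  # count each call once
            continue
        req = e.get("request", {})
        if req.get("operation") not in ("read", "list"):
            continue
        entries.append({
            "time": datetime.fromisoformat(e["time"].replace("Z", "+00:00")),
            "actor": e.get("auth", {}).get("display_name", "<unknown>"),
            "src": req.get("remote_address", "?"),
            "op": req["operation"],
            "path": req.get("path", ""),
        })
    entries.sort(key=lambda x: x["time"])
    return entries


def find_bulk_readers(entries, window_s=120, max_distinct_paths=5):
    """Return {actor: details} for actors reading more than max_distinct_paths
    distinct secret paths inside any sliding window of window_s seconds."""
    listers = {e["actor"] for e in entries
               if e["op"] == "list" and e["path"].startswith("secret/metadata")}
    recent = defaultdict(deque)  # actor -> deque of (time, path, src)
    alerts = {}
    for e in entries:
        if e["op"] != "read":
            continue
        q = recent[e["actor"]]
        q.append((e["time"], e["path"], e["src"]))
        while (e["time"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop reads that fell out of the window
        distinct = {p for _, p, _ in q}
        if len(distinct) > max_distinct_paths and e["actor"] not in alerts:
            alerts[e["actor"]] = {
                "distinct_paths": len(distinct),
                "window_start": q[0][0].isoformat(),
                "sources": sorted({s for _, _, s in q}),
                "enumerated_metadata": e["actor"] in listers,
            }
    return alerts


if __name__ == "__main__":
    for actor, info in find_bulk_readers(parse_entries(SAMPLE_AUDIT_LOG)).items():
        print(f"ALERT {actor}: {info}")
```

Only the human identity that enumerated the tree and then read six different paths trips the rule; the service account's repeated reads of a single path and the slow, spread-out reads do not. The `enumerated_metadata` flag is the useful triage hint, since a legitimate application rarely lists the secret tree before fetching the one secret it needs.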

In a concerning shift, Scattered Spider has now turned to deploying ransomware, evident in the MGM Resorts intrusion, where they claimed to have encrypted over 100 ESXi hypervisors. They're associated with ALPHV (or BlackCat), a ransomware-as-a-service entity, pointing towards a trend of expanding their operational scope.

In conclusion, Mandiant believes that Scattered Spider will persistently refine their tactics and partnerships, marking them as a significant threat in the cybersecurity landscape.

Posted: 2023-09-18
By: dwirch
