The hacking group believed to be behind the MGM hack has perfected social engineering attacks, according to US authorities.
The US FBI and Cybersecurity and Infrastructure Security Agency have released a detailed alert outlining the operations and tactics of a hacking group known as Scattered Spider.
The group has been operating since at least May 2022, but recent high-profile hacks and collaborations with other threat actors have seen it rise to prominence in recent months. Working alongside ransomware operator ALPHV, Scattered Spider was recently responsible for exfiltrating troves of customer data from two major Las Vegas casinos, Caesars and MGM.
The co-authored alert warns that the gang is exceedingly good at social engineering, which was the point of access for both casino attacks.
Scattered Spider has gained access to networks by posing as IT or help desk staff and directing legitimate employees to download and install remote access tools, which then give the gang a foothold. The group also uses MFA fatigue attacks, in which it floods a user with multi-factor authentication push prompts until the harassed employee eventually taps “accept”, giving the threat actor unauthorised access to the network.
The group has also taken advantage of prior breaches, using personal data from them to pressure its way into networks, and has been seen to use a combination of phishing and smishing for initial access.
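The MFA fatigue pattern described above (a burst of push prompts to one account, with an approval arriving only after several rejections) is easy to spot in authentication logs once you look for it. The following detection is an added example written for this page, not code from the article or the FBI/CISA alert; the JSON log format, field names (`ts`, `user`, `event`, `result`, `src_ip`) and the sample lines are constructed assumptions, and the window and prompt thresholds are tuning knobs rather than values from the alert.

```python
# Added example, not from the article or the FBI/CISA alert: flag an MFA
# fatigue burst in push-notification logs. Field names and the sample lines
# below are constructed assumptions about what an identity provider emits.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six pushes to "jdoe" inside four minutes, the last one
# approved after five rejections/timeouts; one ordinary login for "asmith".
SAMPLE_LOG = """
{"ts": "2023-09-10T02:00:05Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T02:00:40Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T02:01:20Z", "user": "jdoe", "event": "mfa.push", "result": "timeout", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T02:02:05Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T02:02:50Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T02:03:30Z", "user": "jdoe", "event": "mfa.push", "result": "approved", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T02:03:35Z", "user": "jdoe", "event": "login.success", "result": "ok", "src_ip": "198.51.100.7"}
{"ts": "2023-09-10T09:15:00Z", "user": "asmith", "event": "mfa.push", "result": "approved", "src_ip": "10.0.0.42"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, converting the timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Return one alert per user whose densest run of push prompts within
    `window` has at least `min_prompts` entries. The alert also records whether
    an approval came after earlier rejections, which is the moment the
    attacker actually got in."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        # Find the largest run of prompts that fits inside the window.
        best = []
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i > len(best):
                best = evs[i:j]
        if len(best) < min_prompts:
            continue
        results = [e["result"] for e in best]
        approved_after_rejections = (
            "approved" in results
            and any(r != "approved" for r in results[: results.index("approved")])
        )
        alerts.append({
            "user": user,
            "prompts": len(best),
            "first": best[0]["ts"],
            "last": best[-1]["ts"],
            "source_ips": sorted({e["src_ip"] for e in best}),
            "approved_after_rejections": approved_after_rejections,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

An alert with `approved_after_rejections` set is the one to treat as a likely compromise rather than a mere nuisance: the rejections show the user did not initiate the logins, and the approval shows they eventually gave in. Pivot on the `source_ips` list to find the login sessions that followed.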
In the latter case, Scattered Spider takes advantage of “victim-specific crafted domains” such as victimname-servicedesk[.]com and victimname-okta[.]com to appear legitimate.
“In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt,” the alert said. “The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions.”
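Because the lookalike domains follow a recognisable shape (the victim's name joined to a service word such as servicedesk or okta, on a domain the victim does not own), they can be flagged in web proxy logs before the credentials harvested on them are used. The check below is an added example for this page, not code from the article or the alert; the organisation name `example`, the list of legitimately owned suffixes, the service-word list and the sample proxy lines are all constructed assumptions.

```python
# Added example, not from the article or the FBI/CISA alert: flag outbound
# requests to hosts shaped like "<victim>-servicedesk.com" or "<victim>-okta.com".
# The org name, owned suffixes, service words and sample log are assumptions.
from urllib.parse import urlsplit

ORG = "example"                                   # assumed victim name
LEGIT_SUFFIXES = ("example.com", "example.okta.com")   # assumed owned domains
SERVICE_WORDS = ("servicedesk", "helpdesk", "okta", "sso", "vpn", "support", "mfa")

# Constructed proxy log: "<timestamp> <client> <method> <url>" per line.
SAMPLE_PROXY = """
2023-09-10T12:00:01Z 10.0.0.5 GET https://login.example.okta.com/app
2023-09-10T12:00:09Z 10.0.0.5 GET https://example-okta.com/login
2023-09-10T12:01:30Z 10.0.0.9 GET https://example-servicedesk.com/reset
2023-09-10T12:02:00Z 10.0.0.9 GET https://examplecorp.net/
2023-09-10T12:02:10Z 10.0.0.12 POST https://sso.example.com/auth
"""


def is_lookalike(host, org=ORG, legit=LEGIT_SUFFIXES):
    """True when a host is NOT under an owned suffix but has a label that
    combines the org name with a service word (example-okta, sso-example...)."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in legit):
        return False
    return any(
        org in label and any(word in label for word in SERVICE_WORDS)
        for label in host.split(".")
    )


def flag_requests(log):
    """Return (timestamp, client, host) for every request to a lookalike host."""
    hits = []
    for line in log.strip().splitlines():
        ts, client, _method, url = line.split()
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    for ts, client, host in flag_requests(SAMPLE_PROXY):
        print(f"{ts} {client} contacted lookalike host {host}")
```

The owned-suffix list is the important part: without it, the organisation's genuine SSO and help desk hosts would match the same pattern. Clients that appear in the hits are the users whose credentials, and possibly phone numbers for the SIM-swap step, should be assumed compromised.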
Having gained access to a network, the group has been seen to rely on commercially available tools.
“After gaining access to networks, the FBI observed Scattered Spider threat actors using publicly available, legitimate remote access tunnelling tools,” the alert noted. The tools used include Fleetdeck.io for remote monitoring, Mimikatz to extract credentials, and Tailscale to take advantage of virtual private networks for secure communications.
Scattered Spider also uses three pieces of commodity malware: the remote access trojan AveMaria, Raccoon Stealer for stealing credentials and cookies, and Vidar Stealer to do much the same.
Once inside a network, the group then looks for SharePoint sites, more credentials, VMware infrastructure, and backups. It explores a victim’s Active Directory, exfiltrates code repositories and code-signing certificates, as well as source code.
“In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools to bring data from multiple data sources into a centralised database. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks – thereby encrypting VMware Elastic Sky X integrated (ESXi) servers,” the alert said.
The group also reads internal Slack and Teams channels, as well as email, to monitor the victim’s security response as it unfolds.
While the group has been known in the past to exfiltrate data without deploying ransomware, it has recently changed tactics and has been observed by the FBI encrypting data on victim networks.
According to other reports, Scattered Spider’s membership skews young and is aged between 19 and 22.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.