The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released a detailed cybersecurity advisory on the sophisticated Scattered Spider threat group, urging critical infrastructure (CNI) firms to implement its mitigation recommendations.
The group (also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest and Muddled Libra) is thought to be responsible for big-name breaches including MGM International, Caesars Entertainment, Okta and Twilio.
The group mainly engages in data theft for extortion, using the BlackCat/ALPHV ransomware, and is notable for its fluidity. Disparate members, some of whom appear to be native English speakers, have also been linked to “The Comm.” That’s a group connected with a string of “SWATing” attacks targeting US schools and universities.
According to the advisory, Scattered Spider actors are expert in social engineering – often posing as IT helpdesk staff to trick employees into handing over credentials, or using SIM swap or MFA fatigue attacks to bypass two-factor authentication.
After gaining access to networks, Scattered Spider uses publicly available, legitimate remote access tunneling tools, living-off-the-land techniques and allowlisted applications to stay hidden, while moving laterally and exfiltrating data.
In a report last month, Microsoft branded the collective “one of the most dangerous financial criminal groups” operating today.
The FBI/CISA issued a long list of mitigations for organizations to consider, including:
- Application controls
- Reviewing logs for use of remote access software
- FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA
- Limiting the use of remote desktop protocol (RDP)
- Implementing a recovery plan and maintaining offline backups
- Phishing-resistant MFA
- Regular updates for software/operating systems
- Segmented networks
- EDR and other tools for detecting abnormal activity
- Anti-virus on all hosts
- Disabling unused ports and protocols
“FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the mitigations section of this CSA [advisory] to reduce the likelihood and impact of a cyber-attack by Scattered Spider actors,” the advisory urged.