The FBI and CISA issued updated guidance today on the Scattered Spider threat group, including information on recent attack techniques such as encrypting VMware ESXi servers with DragonForce ransomware.
The advisory, issued in cooperation with security and law enforcement agencies from Canada, Australia and the UK, recommended a number of steps to protect against Scattered Spider cyberattacks, including three urgent actions:
- Maintain isolated, offline backups of data that are tested regularly.
- Implement phishing-resistant multifactor authentication (MFA).
- Implement application controls to manage and control software execution.
Scattered Spider Attack Techniques
Scattered Spider, which has been behind recent attack campaigns targeting the insurance, retail and other sectors, has been known for some aggressive attack techniques.
These have included posing as company IT or helpdesk staff using phone calls or SMS messages to steal credentials from employees, directing employees to run remote access tools that enable initial access, and convincing employees to share their one-time passwords (OTPs) for multi-factor authentication.
Most recently, Scattered Spider actors have posed as employees to convince IT or helpdesk staff “to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device they control on separate devices.”
Scattered Spider, which is also known as UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, has also sent repeated MFA notification prompts to try to get employees to accept the prompt, an attack technique known as MFA fatigue.
The threat actors have also been able to convince cellular carriers to transfer control of a user’s phone number to a SIM card in their possession to gain control over the phone and MFA prompts.
The FBI has observed Scattered Spider threat actors using as many as a dozen legitimate remote access tunneling tools after gaining access to networks, the most recent being AnyDesk and Teleport.sh.
Once persistence has been established on a network, actions have included enumerating Active Directory (AD), performing discovery and exfiltration of code repositories, code-signing certificates, and source code. The threat actors have also activated Amazon Web Services (AWS) Systems Manager Inventory to discover targets for lateral movement and moving to both preexisting and threat actor-created Amazon Elastic Compute Cloud (EC2) instances.
More recent activities have included searching for an organization’s Snowflake access to exfiltrate large volumes of data quickly, “often running thousands of queries immediately,” and deploying DragonForce ransomware onto targeted networks to encrypt VMware ESXi servers.
Protecting Against Scattered Spider Attacks
The advisory recommended extensive controls for protecting against Scattered Spider attacks, including:
- Application controls for managing, monitoring and controlling execution of software, including allowlisting remote access programs and preventing installation and execution of portable versions of unauthorized remote access and other software.
- Monitoring for remote access software loaded only in memory.
- Restricting authorized remote access solutions so they can run only from within the network over approved access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
- Blocking inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
- Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
- Enforce account lockouts after a specified number of attempts.
The advisory also referenced May guidance from the UK’s National Cyber Security Centre after Scattered Spider-linked retail incidents, which included:
- Monitoring for unauthorized account misuse, such as risky logins within Microsoft Entra ID Protection.
- Monitoring Domain Admin, Enterprise Admin, Cloud Admin accounts to ensure that access is legitimate.
- Reviewing helpdesk password reset processes, including how the helpdesk authenticates employee credentials before resetting passwords, “especially those with escalated privileges.”
- Monitoring logins from atypical sources such as VPN services in residential ranges.
