CISA and the FBI issued a joint advisory to warn organizations about a cybercriminal group named Scattered Spider, which has recently updated its TTPs to infiltrate targets.
It comes a few days after CISA issued advisories on the IOCs and TTPs associated with Rhysida ransomware and Royal ransomware, both of which have been targeting organizations worldwide.
New tactics observed
While the group typically engages in data theft for extortion using social engineering tactics, it recently added BlackCat ransomware to its arsenal to expand its extortion tactics.
In most recent attacks, the attackers used ransomware to encrypt VMware Elastic Sky X integrated (ESXi) servers after exfiltrating data.
After encrypting the servers, they communicated with victims via Tor, Tox, email, or encrypted messaging applications.
Overview of Scattered Spider’s tactics
The gang leverages phishing emails, push bombing, and SIM swap attacks to obtain credentials, install remote access tools, and bypass MFA.
Upon gaining access to victims’ systems, Scattered Spider deploys legitimate remote access tunneling tools such as Fleetdeck[.]io, ngrok, and Pulseway. It also leverages living-off-the-land techniques to evade detection.
At the final stage, the attackers deploy a wide range of malware, including AveMaria, Raccoon Stealer, and Vidar Stealer.
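As an added defensive example (not part of the advisory or this article), the following Python script detects the push-bombing pattern described above in a constructed MFA log: a burst of push prompts sent to one user inside a short window, escalated when a prompt is approved while that burst is still active. The log format, field names, user names, IP addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log (not from the advisory). Hypothetical format:
#   <ISO-8601 UTC timestamp> user=<name> event=<push_sent|push_denied|push_approved> src=<ip>
SAMPLE_LOG = """\
2023-11-16T08:00:01Z user=alice event=push_sent src=203.0.113.10
2023-11-16T08:00:05Z user=alice event=push_denied src=203.0.113.10
2023-11-16T08:00:30Z user=alice event=push_sent src=203.0.113.10
2023-11-16T08:00:35Z user=alice event=push_denied src=203.0.113.10
2023-11-16T08:01:00Z user=alice event=push_sent src=203.0.113.10
2023-11-16T08:01:04Z user=alice event=push_denied src=203.0.113.10
2023-11-16T08:01:30Z user=alice event=push_sent src=203.0.113.10
2023-11-16T08:01:33Z user=alice event=push_denied src=203.0.113.10
2023-11-16T08:02:00Z user=alice event=push_sent src=203.0.113.10
2023-11-16T08:02:10Z user=alice event=push_approved src=203.0.113.10
2023-11-16T09:00:00Z user=bob event=push_sent src=198.51.100.7
2023-11-16T09:00:08Z user=bob event=push_approved src=198.51.100.7
2023-11-16T10:00:00Z user=carol event=push_sent src=192.0.2.44
2023-11-16T10:30:00Z user=carol event=push_sent src=192.0.2.44
2023-11-16T11:00:00Z user=carol event=push_sent src=192.0.2.44
2023-11-16T11:30:00Z user=carol event=push_sent src=192.0.2.44
2023-11-16T12:00:00Z user=carol event=push_sent src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")

def detect_push_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive >= `threshold` push prompts within `window`, and escalate
    if a prompt is approved while that burst is still inside the window.
    Returns {user: {"burst_at": datetime, "approved_after_burst": bool}}."""
    prompts = defaultdict(deque)   # per-user timestamps of push_sent still in the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, event = m["user"], m["event"]
        dq = prompts[user]
        while dq and ts - dq[0] > window:   # evict prompts that fell out of the window
            dq.popleft()
        if event == "push_sent":
            dq.append(ts)
            if len(dq) >= threshold and user not in alerts:
                alerts[user] = {"burst_at": ts, "approved_after_burst": False}
        elif event == "push_approved" and user in alerts and len(dq) >= threshold:
            # approval during an active prompt flood: likely MFA fatigue, treat as compromise
            alerts[user]["approved_after_burst"] = True
    return alerts
```

With the sample log, only alice is flagged: carol's five prompts are spread over two hours and never co-occur in the ten-minute window, and bob's single prompt is normal.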
Conclusion
To reduce the likelihood and impact of cyberattacks by Scattered Spider, the federal agencies have advised organizations to follow cybersecurity best practices. Some of the recommended actions include using application allowlisting to control software execution, securing RDP usage according to best practices, and using EDR tools to monitor endpoints and detect abnormal activity.