Executive Summary
Background
Scattered Spider, a financially motivated threat actor group known by various aliases including UNC3944 and 0ktapus, has historically targeted telecommunications systems. Notable for their aggressive social-engineering tactics, the group shifted their focus in mid-2023, launching a series of high-profile ransomware attacks on organizations across the hospitality, retail, media, entertainment, and financial sectors.
Impact
Scattered Spider's attacks have led to ransom payments in the tens of millions, revenue impacts in the hundreds of millions, and additional, difficult-to-quantify reputational damages.
Recent Incidents
Three major breaches attributed to Scattered Spider underscore the group's modus operandi:
- MGM Resorts International (September 11, 2023): A ransomware attack disrupted reservation systems, keycard systems, and portions of casino floors for ten days, causing an estimated financial impact of $100 million and additional one-time expenses below $10 million. Scattered Spider gained access by socially engineering the helpdesk.
- Caesars Entertainment (September 7, 2023): The group obtained the casino chain's extensive loyalty program database, prompting Caesars to pay a negotiated ransom of $15 million to prevent data leaks.
- The Clorox Company (September 18, 2023): A cyber-attack disrupted Clorox's operations, resulting in an anticipated decrease in net sales of 23% to 28% due to order processing delays and product outages.
Threat Actor's Goals & Actions
Scattered Spider aims to deploy ransomware and extract large payouts from major organizations. They gain access via social engineering attacks and escalate privileges by targeting password managers. They maintain access by creating unmanaged virtual machines and using common remote access tools such as TeamViewer, AnyDesk and LogMeIn.
Full Analysis
Social Engineering Tactics
- Initial Access: Scattered Spider excels in social engineering, specifically through phishing emails, telephone calls, SMS, and Telegram phishing campaigns.
- Targeted Attack on MGM: MGM's incident showcases the group's efficacy in obtaining initial access by manipulating the helpdesk.
Internal Exploration
- Document Traversal: Once inside, the group searches internal documentation, resources, and chat logs to elevate privileges and extend their foothold.
- Privilege Escalation: The group specifically targets password managers, secret storage vaults and privileged access management systems.
Maintaining Persistence
- Unmanaged VMs: Scattered Spider creates unmanaged virtual machines within victims' environments to launch attacks.
- Remote Access Software: The group uses common remote access tools (AnyDesk, LogMeIn, TeamViewer), often evading detection by EDR systems.
- Proxy Services: The group uses commercial residential proxy services for localized access.
Recommendations
- Implement Rigorous MFA Policies: Enforce mandatory MFA across all critical systems to create an additional layer of defense against unauthorized access.
- Conduct Targeted Training for Personnel: Conduct regular phishing simulations mimicking Scattered Spider's tactics, such as helpdesk calls, SMS, and Telegram phishing. Incentivize personnel with stipends to use SMS phishing protection software on their personal mobile devices.
- Monitor and Restrict Remote Access Tools: Monitor network traffic for signs of unauthorized use of remote access tools like AnyDesk, LogMeIn, and TeamViewer.
- Detect and Block Proxy Services: Configure network monitoring tools to detect and block traffic from known residential proxy services such as Luminati, Oxylabs and Smartproxy.
- Detect and Remove Unmanaged VMs: Use automated asset discovery tools to detect and, if possible, automatically isolate unauthorized virtual machines.
- Actively Monitor for Compromised Credentials: Use dark web monitoring tools to detect leaked credentials.
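The three monitoring recommendations above (remote access tools, residential proxy services, unmanaged VMs) reduce to simple matching once the telemetry is in hand. The following script is an added illustration written for this briefing, not code from Exposure Security or from any vendor. It assumes a constructed one-line DNS and authentication log format, uses the vendors' public top-level domains (anydesk.com, teamviewer.com, logmein.com) as the match list, and substitutes TEST-NET documentation prefixes for a real residential-proxy IP feed; the hostnames, users and VM names are constructed sample data.

```python
"""Illustrative detections for the recommendations above:
remote-access-tool DNS lookups, successful logins from residential-proxy
ranges, and virtual machines missing from the managed asset inventory.
All log lines, IP ranges and inventories below are constructed samples."""
import ipaddress
import re

# Vendors' public domains that the remote access tools contact (assumption:
# in production this list comes from your own allow/deny policy).
REMOTE_ACCESS_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "teamviewer.com": "TeamViewer",
    "logmein.com": "LogMeIn",
}

# Placeholder prefixes standing in for a residential-proxy feed. These are
# RFC 5737 documentation ranges, NOT real proxy infrastructure.
RESIDENTIAL_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed log formats assumed for this example.
DNS_LINE = re.compile(r"^(?P<ts>\S+) dns client=(?P<host>\S+) query=(?P<qname>\S+)$")
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def tool_for_domain(qname):
    """Return the tool name if qname equals or is a subdomain of a known domain."""
    q = qname.rstrip(".").lower()
    for domain, tool in REMOTE_ACCESS_DOMAINS.items():
        if q == domain or q.endswith("." + domain):
            return tool
    return None


def is_residential_proxy(ip):
    """True if the address falls inside any range from the proxy feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PROXY_RANGES)


def scan_logs(lines):
    """Return (timestamp, rule, detail) alerts for matching log lines."""
    alerts = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            tool = tool_for_domain(m["qname"])
            if tool:
                alerts.append((m["ts"], "remote-access-tool",
                               f"{m['host']} resolved {m['qname']} ({tool})"))
            continue
        m = AUTH_LINE.match(line)
        # Only successful logins are raised here; failed attempts from proxy
        # ranges are worth a lower-severity signal but are skipped for brevity.
        if m and m["result"] == "success" and is_residential_proxy(m["src"]):
            alerts.append((m["ts"], "residential-proxy-login",
                           f"{m['user']} from {m['src']}"))
    return alerts


def unmanaged_vms(hypervisor_inventory, managed_assets):
    """VMs the hypervisor reports that have no EDR/CMDB record (case-insensitive)."""
    managed = {name.lower() for name in managed_assets}
    return sorted(vm for vm in hypervisor_inventory if vm.lower() not in managed)


# Constructed sample telemetry.
SAMPLE_LOGS = [
    "2024-01-05T02:14:07Z dns client=ws-fin-042 query=relay.anydesk.com",
    "2024-01-05T02:14:09Z dns client=ws-fin-042 query=updates.example.com",
    "2024-01-05T02:20:33Z auth user=j.doe src=203.0.113.45 result=success",
    "2024-01-05T02:21:10Z auth user=j.doe src=10.20.30.40 result=success",
    "2024-01-05T02:25:00Z auth user=a.smith src=198.51.100.7 result=failure",
]
SAMPLE_HYPERVISOR = ["FIN-DB-01", "ws-fin-042", "VM-TEMP-7"]
SAMPLE_MANAGED = ["fin-db-01", "WS-FIN-042"]

if __name__ == "__main__":
    for ts, rule, detail in scan_logs(SAMPLE_LOGS):
        print(f"{ts} [{rule}] {detail}")
    for vm in unmanaged_vms(SAMPLE_HYPERVISOR, SAMPLE_MANAGED):
        print(f"unmanaged VM: {vm}")
```

Running the script raises one alert for the AnyDesk relay lookup, one for the successful login from the placeholder proxy range, and reports VM-TEMP-7 as unmanaged; the inventory comparison is case-insensitive because hypervisor and EDR consoles rarely agree on hostname casing.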
This briefing is part of Exposure Security's ongoing executive intelligence series. For questions about how this applies to your organization specifically, contact us.