CISA, FBI issue alert for ongoing Scattered Spider activity

Okta, casinos connection

Impersonating company IT and helpdesk personnel was one effective technique the FBI observed during Scattered Spider investigations. According to the advisory, in most instances, Scattered Spider actors conducted SIM swapping attacks against targeted users susceptible to phishing attempts.

From there, threat actors would find the personally identifiable information (PII) of the most valuable targets in an effort to obtain answers for their security questions. "After identifying usernames, passwords, PII, and conducting SIM swaps, the threat actors then use social engineering techniques to convince IT help desk personnel to reset passwords and/or MFA [multifactor authentication] tokens," CISA and the FBI wrote in the advisory.

That is similar to the social engineering campaign against Okta customers that occurred from July 29 to Aug. 19, when threat actors tricked the IT service helpdesk into resetting MFA passwords after gaining initial access through a phishing campaign. The acquired MFA tokens were then used to perform a total account takeover.

Following Okta's August disclosure, the Las Vegas casino attacks were connected to the campaign against Okta after they were revealed as customers. Additionally, Alphv/BlackCat, a ransomware strain utilized by Scattered Spider, claimed responsibility for the attack on MGM, which refused to pay the demanded ransom. MGM CEO William Hornbuckle said remediation efforts included strengthening the casino's IT environment.

After gaining access to users' MFA tokens by tricking IT personnel, threat actors registered their own MFA tokens to establish persistence. The persistence was maintained by adding an identity provider to the victim's single sign-on tenant and automatically linking the accounts. Abusing SSO and identity providers was documented during the Okta breach.

"At this stage, the Scattered Spider threat actors already control the identity provider and then can choose arbitrary value for this account attribute. As a result, this activity allows the threat actors to perform privileged escalation and continue logging in even when passwords are changed," the advisory said.

Additional tactics used by Scattered Spider include MFA fatigue or MFA bombing attacks, in which the threat actors trigger repeated notifications and prompts until the victim relents and eventually clicks "approve." In addition to using legitimate tools and remote management software, the group also used information stealers known as Raccoon and Vidar as well as remote access malware called AveMaria, also known as WarZone.

The government agencies also observed Scattered Spider searching for Microsoft SharePoint sites and VMware vCenter infrastructure, backups and instructions for logging into VPNs. VPNs and VMware products have been increasingly targeted by many threat groups.

Other alarming Scattered Spider activity included frequently modifying their TTPs, searching victim's communication channels for Scattered Spider-related security alerts and joining incident remediation and response calls as well as teleconferences.

The advisory noted how the threat group will extort victims by threatening to release stolen data often without deploying ransomware. This follows a recent and increasing shift in the ransomware landscape where groups often rely on data extortion threats over network disruptions caused by ransomware encryption. Examples include the widespread attacks on MoveIt Transfer customers where a Clop ransomware affiliate stole sensitive data and threatened to leak it if victims did not pay. However, ransomware was not deployed during the attacks.

"Observably, Scattered Spider threat actors have exfiltrated data after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ," the advisory read.

The advisory recommended immediate mitigation steps for enterprises including maintaining offline backups, enforcing phishing-resistant MFA, and implementing application controls to manage and control software execution.

During a press call on Thursday, the FBI and CISA confirmed its actively investigating Scattered Spider and urged companies to come forward with any information.

Arielle Waldman is a Boston-based reporter covering enterprise security news.