The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) released a threat actor profile on Scattered Spider, a financially motivated group active since at least 2022. These Scattered Spider hackers have targeted organizations across multiple industries, including healthcare; leveraged legitimate, publicly available tools and other malware in their intrusions, including multiple ransomware variants; and have become known for their advanced social engineering techniques, including voice phishing and leveraging artificial intelligence (AI) to spoof victims’ voices for obtaining initial access to targeted organizations. These hackers will likely continue to evolve their TTPs (tactics, techniques, and procedures) to evade detection.
“Scattered Spider (also known as Octo Tempest, Roasted 0ktapus, Storm-0875, Starfraud, UNC3944, Scatter Swine, and Muddled Libra) is a financially motivated cybercriminal group that engages in data extortion and several other criminal activities,” the HC3 warned last week. “Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022. The group is thought to comprise individuals based in the United States and the United Kingdom. They are believed to be primarily between the ages of 19 and 22, as of September 2023.”
HC3 noted that Scattered Spider hackers initially targeted customer relationship management (CRM) and business process outsourcing (BPO) firms, as well as telecommunications and technology companies, and that beginning in 2023 the group expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors. More recently, the group has expanded its operations to cloud environments.
Scattered Spider hackers have leveraged targeted social-engineering techniques during campaigns, attempted to bypass popular endpoint security tools, and deployed ransomware for financial gain. The group added RansomHub and Qilin to its cyber arsenal in Q2 2024. Scattered Spider threat actors are considered experts in social engineering.
“While Scattered Spider is comprised of young individuals, they have successfully executed high-profile breaches largely due to their advanced social engineering capabilities,” according to the HC3 profile report. “Despite this, the group appears to have poor operational security, as multiple key members have been arrested. Nonetheless, the group continues to conduct successful attacks while evolving its TTPs to evade detection in victim environments. HC3 assesses with moderate confidence that the group will likely continue to target various industries, including healthcare, for financial gain.”
HC3 detailed that these Scattered Spider hackers have gained initial access to targeted organizations through voice spear phishing, then used that unauthorized access to modify ACH information for payer accounts and divert legitimate payments to attacker-controlled bank accounts. “While this threat activity was not attributed to a specific threat actor, the tactics, techniques, and procedures (TTPs) observed overlap with Scattered Spider.”
Scattered Spider has leveraged information stealers (infostealers) which have previously been considered a precursor to ransomware attacks, according to SpyCloud, as they have enabled threat actors to obtain credentials for initial access.
According to the researchers, infostealer infections preceded nearly one-third (30 percent) of ransomware events for North American and European ransomware victim companies in 2023. Scattered Spider hackers have historically evaded detection on target networks by using living off the land (LOTL) techniques, relying on allowlisted applications to navigate victim networks, and frequently modifying their TTPs.
Last November, U.S. security agencies released a joint Cybersecurity Advisory (CSA) addressing Scattered Spider, a cybercriminal group that targets commercial facilities sectors and subsectors. The advisory offers insights into the TTPs employed by the group, which have been gathered through recent Federal Bureau of Investigation (FBI) investigations, including those conducted this month.
Furthermore, Scattered Spider hackers are known for their involvement in data theft for extortion, utilizing various social engineering techniques. They have recently incorporated using BlackCat/ALPHV ransomware alongside their usual TTPs.
The FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) called upon organizations to defend against Scattered Spider by implementing application controls; implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA; and strictly limiting the use of Remote Desktop Protocol (RDP) and other remote desktop services.
In September, the HC3 issued a healthcare sector alert, cautioning owners and operators about vulnerabilities in Apache Tomcat. The bulletin provided an overview of Apache Tomcat vulnerabilities, mitigation strategies, and an overall approach to keeping the sector safe and secure.