Scattered Spider Hacker Arrests Halt Attacks, But Copycat Threats Sustain Security Pressure

The Hacker News
July 30, 2025
Ravie Lakshmanan

Google Cloud’s Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses.

“Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn’t observed any new intrusions directly attributable to this specific threat actor,” Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News in a statement.

“This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly.”

Carmakal also warned businesses not to “let their guard down entirely,” as other threat actors such as UNC6040 are employing social engineering tactics similar to Scattered Spider’s to breach target networks.

“While one group may be temporarily dormant, others won’t relent,” Carmakal added.

The development comes as the tech giant detailed the financially motivated hacking group’s aggressive targeting of VMware ESXi hypervisors in attacks against the retail, airline, and transportation sectors in North America.

The U.S. government, alongside Canada and Australia, has also released an updated advisory outlining Scattered Spider’s latest tradecraft, obtained through Federal Bureau of Investigation (FBI) investigations as recently as this month.

“Scattered Spider threat actors have been known to use various ransomware variants in data extortion attacks, most recently including DragonForce ransomware,” the agencies said.

“These actors frequently use social engineering techniques such as phishing, push bombing, and subscriber identity module swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication. Scattered Spider threat actors consistently use proxy networks [T1090] and rotate machine names to further hamper detection and response.”

The group has also been observed posing as employees to persuade IT and/or help desk staff to provide sensitive information, reset the employee’s password, and transfer the employee’s multi-factor authentication (MFA) to a device under their control.

This marks a shift from the group’s earlier approach of impersonating help desk personnel in phone calls or SMS messages to obtain employee credentials or to instruct employees to run commercial remote access tools for initial access. In other instances, the hackers have acquired employee or contractor credentials on illicit marketplaces such as Russia Market.
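The two behaviours above, a help-desk password reset followed quickly by a new MFA enrollment and sign-ins that rotate through fresh machine names, both leave a trail in identity-provider audit logs. The following is an added detection example, not code from the advisory, Mandiant, or The Hacker News; the audit events are constructed, and the event names, field names, time windows and thresholds are assumptions loosely modelled on a generic IdP audit log that you would map to your own schema:

```python
"""Detection logic for the help-desk takeover sequence and machine-name rotation.

Added example; not code from the advisory, Mandiant, or The Hacker News.
The audit events below are constructed, and the event names, field names,
time windows and thresholds are assumptions loosely modelled on a generic
identity-provider audit log. Map them to your own IdP's schema before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (public IPs are from the reserved documentation ranges).
EVENTS = [
    # j.doe: help desk resets the password, three minutes later a new MFA factor is
    # enrolled from an external IP, then sign-ins rotate through fresh machine names.
    {"ts": "2025-07-28T13:02:10Z", "user": "j.doe", "event": "user.password.reset_by_admin",
     "actor": "helpdesk.agent", "ip": "10.1.1.5", "device": "HD-WS-01"},
    {"ts": "2025-07-28T13:05:44Z", "user": "j.doe", "event": "user.mfa.factor.enroll",
     "actor": "j.doe", "ip": "203.0.113.7", "device": "DESKTOP-4K2Q9Z"},
    {"ts": "2025-07-28T13:06:02Z", "user": "j.doe", "event": "user.session.start",
     "actor": "j.doe", "ip": "203.0.113.7", "device": "DESKTOP-4K2Q9Z"},
    {"ts": "2025-07-28T14:10:30Z", "user": "j.doe", "event": "user.session.start",
     "actor": "j.doe", "ip": "198.51.100.22", "device": "DESKTOP-H8M3PL"},
    {"ts": "2025-07-28T15:22:01Z", "user": "j.doe", "event": "user.session.start",
     "actor": "j.doe", "ip": "192.0.2.45", "device": "DESKTOP-Q2W7RT"},
    # a.lee: benign control, a reset one day earlier, then enrollment and sign-in
    # from the user's usual laptop and internal address.
    {"ts": "2025-07-27T09:00:00Z", "user": "a.lee", "event": "user.password.reset_by_admin",
     "actor": "helpdesk.agent", "ip": "10.1.1.5", "device": "HD-WS-01"},
    {"ts": "2025-07-28T09:30:00Z", "user": "a.lee", "event": "user.mfa.factor.enroll",
     "actor": "a.lee", "ip": "10.20.3.8", "device": "LT-ALEE"},
    {"ts": "2025-07-28T09:31:00Z", "user": "a.lee", "event": "user.session.start",
     "actor": "a.lee", "ip": "10.20.3.8", "device": "LT-ALEE"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def reset_then_mfa_enroll(events, window=timedelta(minutes=30)):
    """Return (user, enroll_ts, ip) for every MFA enrollment that follows an
    admin-initiated password reset for the same user within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        resets = [parse_ts(e["ts"]) for e in evs if e["event"] == "user.password.reset_by_admin"]
        for e in evs:
            if e["event"] != "user.mfa.factor.enroll":
                continue
            t = parse_ts(e["ts"])
            if any(timedelta(0) <= t - r <= window for r in resets):
                hits.append((user, e["ts"], e["ip"]))
    return sorted(hits)


def rotating_device_names(events, min_distinct=3, window=timedelta(hours=6)):
    """Return (user, n) for users whose sign-ins within any `window` come from
    at least `min_distinct` distinct (device name, IP) pairs."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "user.session.start":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["device"], e["ip"]))
    flagged = []
    for user, logins in by_user.items():
        logins.sort()
        peak = 0
        for i, (t0, _, _) in enumerate(logins):
            pairs = {(d, ip) for t, d, ip in logins[i:] if t - t0 <= window}
            peak = max(peak, len(pairs))
        if peak >= min_distinct:
            flagged.append((user, peak))
    return sorted(flagged)


if __name__ == "__main__":
    print("reset -> MFA enroll:", reset_then_mfa_enroll(EVENTS))
    print("rotating device names:", rotating_device_names(EVENTS))
```

The first rule fires on j.doe (reset at 13:02, enrollment at 13:05 from an external address) and not on a.lee, whose enrollment comes a day after the reset from the usual laptop; the second fires only on j.doe, whose three sign-ins in six hours arrive from three different machine names and addresses. The 30-minute and six-hour windows are starting points to tune against your own help-desk and device baselines.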

Furthermore, the governments called out Scattered Spider’s use of readily available malware tools like Ave Maria (aka Warzone RAT), Raccoon Stealer, Vidar Stealer, and Ratty RAT to facilitate remote access and gather sensitive information, as well as cloud storage service Mega for data exfiltration.

“In many instances, Scattered Spider threat actors search for a targeted organization’s Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately,” per the advisory.
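The "thousands of queries immediately" pattern is detectable in query history because the per-user query rate and rows returned depart sharply from that user's normal cadence. The following is an added example, not code from the advisory or the article; the rows are constructed, the column names follow the spirit of Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view (USER_NAME, START_TIME, ROWS_PRODUCED), and the thresholds are assumptions to tune per environment:

```python
"""Burst-query detection over a Snowflake-style query history.

Added example; not code from the advisory, Snowflake, or The Hacker News.
The rows below are constructed. Column names follow the spirit of Snowflake's
ACCOUNT_USAGE.QUERY_HISTORY view (USER_NAME, START_TIME, ROWS_PRODUCED); the
window and thresholds are assumptions to tune against your own baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 7, 28, 13, 0, 0)

# Constructed rows: (USER_NAME, START_TIME, ROWS_PRODUCED).
ROWS = []
# svc_etl: one small query every 15 minutes, the kind of cadence a baseline learns.
ROWS += [("svc_etl", BASE + timedelta(minutes=15 * i), 1_000) for i in range(8)]
# b.smith: 40 queries in 80 seconds, each dumping a quarter-million rows.
ROWS += [("b.smith", BASE + timedelta(seconds=2 * i), 250_000) for i in range(40)]


def burst_queries(rows, window=timedelta(seconds=60), max_queries=20, max_rows=1_000_000):
    """Return {user: {"queries_per_window", "rows_per_window"}} for every user
    whose peak activity in any sliding `window` exceeds either threshold."""
    by_user = defaultdict(list)
    for user, start_time, rows_produced in rows:
        by_user[user].append((start_time, rows_produced))
    findings = {}
    for user, queries in by_user.items():
        queries.sort()
        peak_count = peak_rows = 0
        for i, (t0, _) in enumerate(queries):
            # Every query that started within `window` of query i.
            in_window = [q for q in queries[i:] if q[0] - t0 <= window]
            peak_count = max(peak_count, len(in_window))
            peak_rows = max(peak_rows, sum(q[1] for q in in_window))
        if peak_count > max_queries or peak_rows > max_rows:
            findings[user] = {"queries_per_window": peak_count, "rows_per_window": peak_rows}
    return findings


if __name__ == "__main__":
    for user, f in burst_queries(ROWS).items():
        print(f"{user}: {f['queries_per_window']} queries / {f['rows_per_window']} rows in 60 s")
```

Only b.smith is flagged, with 31 queries and 7.75 million rows inside a single 60-second window; svc_etl never exceeds one query per window. In production the same aggregation belongs in a scheduled query grouped by user and minute over the query history view, and the finding is far stronger when joined to the sign-in source of the session that ran the burst, since the advisory describes this exfiltration as following stolen credentials rather than a compromised warehouse.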

“According to trusted third-parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed DragonForce ransomware onto targeted organizations’ networks – thereby encrypting VMware Elastic Sky X integrated (ESXi) servers.”
