CISA and the FBI issued a joint advisory to warn organizations about a cybercriminal group named Scattered Spider, which has recently updated its tactics, techniques, and procedures (TTPs) to infiltrate targets.
New tactics observed
- In the most recent attacks, the attackers used ransomware to encrypt VMware Elastic Sky X integrated (ESXi) servers after exfiltrating data.
- After encrypting the servers, they communicated with victims via TOR, Tox, email, or encrypted applications.
Overview of Scattered Spider’s tactics
- The gang leverages phishing emails, push bombing, and SIM swap attacks to obtain credentials, install remote access tools, and bypass MFA.
- Upon gaining access to victims’ systems, Scattered Spider deploys legitimate remote access tunneling tools such as Fleetdeck[.]io, ngrok, and Pulseway. It also leverages living-off-the-land techniques to evade detection.
- At the final stage, the attackers deploy a wide range of malware, including AveMaria, Raccoon Stealer, and Vidar Stealer.
To reduce the likelihood and impact of cyberattacks by Scattered Spider, the federal agencies have advised organizations to follow cybersecurity best practices. Some of the recommended actions include using application allowlisting to control software execution, securing RDP usage according to best practices, and using EDR tools to monitor endpoints and detect abnormal activity.
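As an added example (not part of the advisory or this summary), the following script shows how the two points above combine in practice: it scans process-creation events for the remote access and tunneling tools named in the advisory (Fleetdeck, ngrok, Pulseway) and flags any executable that is not on an application allowlist. The log format, the allowlist and the sample events are constructed for illustration.

```python
"""Flag process-creation events that name the remote access / tunneling
tools listed in the advisory (Fleetdeck, ngrok, Pulseway) and events whose
executable is outside an application allowlist. All sample data is constructed."""
import re
from typing import Iterable

# Tool names taken from the advisory summary; matched case-insensitively
# against both the executable path and the command line.
TUNNELING_TOOLS = ("fleetdeck", "ngrok", "pulseway")

# Hypothetical allowlist: in practice this is exported from the allowlisting
# product (e.g. an AppLocker/WDAC policy) rather than hard-coded here.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
}

# Constructed log format: "<ts> host=<h> user=<u> image=<path> cmd=<cmdline>"
# The image path may contain spaces, so it is matched lazily up to " cmd=".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>.+?) cmd=(?P<cmd>.*)$"
)

def classify(line: str) -> list[str]:
    """Return the findings for one log line (empty list if the event is clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    image = m["image"].lower()
    cmd = m["cmd"].lower()
    findings = []
    for tool in TUNNELING_TOOLS:
        if tool in image or tool in cmd:
            findings.append(f"tunneling-tool:{tool}")
    if image not in ALLOWLIST:
        findings.append("not-allowlisted")
    return findings

def scan(lines: Iterable[str]) -> dict[str, list[str]]:
    """Map each suspicious line to its findings; clean lines are omitted."""
    return {ln: f for ln in lines if (f := classify(ln))}

SAMPLE_LOG = [  # constructed events, not real telemetry
    r"2023-11-16T10:01:02Z host=ws01 user=alice image=c:\windows\system32\cmd.exe cmd=cmd.exe /c whoami",
    r"2023-11-16T10:02:10Z host=ws01 user=alice image=c:\users\alice\appdata\local\temp\ngrok.exe cmd=ngrok tcp 3389",
    r"2023-11-16T10:03:33Z host=ws02 user=bob image=c:\program files\pulseway\pulseway.exe cmd=pulseway.exe --install",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(findings, "<-", line)
```

Feeding real EDR or Sysmon process-creation events through `classify` requires only adapting `LOG_RE` to that product's field layout.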