SUMMARY
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.
Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.
The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.
Download the PDF version of this report:
A23-320A Scattered Spider
(PDF, 517.03 KB
)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool .
Overview
Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1 ] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2 ],[3 ],[4 ]:
Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [T1598 ],[T1656 ].
Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [T1204 ],[T1219 ],[T1566 ].
Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue) [T1621 ].[5 ]
Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [T1657 ].
After gaining access to networks, FBI observed Scattered Spider threat actors using publicly available, legitimate remote access tunneling tools. Table 1 details a list of legitimate tools Scattered Spider, repurposed and used for their criminal activity. Note: The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised.
Table 1: Legitimate Tools Used by Scattered Spider
Tool
Intended Use
Fleetdeck.io
Enables remote monitoring and management of systems.
Level.io
Enables remote monitoring and management of systems.
Mimikatz [S0002 ]
Extracts credentials from a system.
Ngrok [S0508 ]
Enables remote access to a local web server by tunneling over the internet.
Pulseway
Enables remote monitoring and management of systems.
Screenconnect
Enables remote connections to network devices for management.
Splashtop
Enables remote connections to network devices for management.
Tactical.RMM
Enables remote monitoring and management of systems.
Tailscale
Provides virtual private networks (VPNs) to secure network communications.
Teamviewer
Enables remote connections to network devices for management.
In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.
Table 2: Malware Used by Scattered Spider
Malware
Use
AveMaria (also known as WarZone [S0670 ])
Enables remote access to a victim’s systems.
Raccoon Stealer
Steals information including login credentials [TA0006 ], browser history [T1217 ], cookies [T1539 ], and other data.
VIDAR Stealer
Steals information including login credentials, browser history, cookies, and other data.
Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.
Observably, Scattered Spider threat actors have exfiltrated data [TA0010 ] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites including U.S.-based data centers and MEGA[.]NZ [T1567.002 ].
Recent Scattered Spider TTPs
New TTP – File Encryption
More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486 ]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.
Reconnaissance, Resource Development, and Initial Access
Scattered Spider intrusions often begin with broad phishing [T1566 ] and smishing [T1660 ] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [T1583.001 ].
Table 3: Domains Used by Scattered Spider Threat Actors
Domains
victimname-sso[.]com
victimname-servicedesk[.]com
victimname-okta[.]com
In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII [T1589 ], and conducting SIM swaps, the threat actors then use social engineering techniques [T1656 ] to convince IT help desk personnel to reset passwords and/or MFA tokens [T1078.002 ],[T1199 ],[T1566.004 ] to perform account takeovers against the users in single sign-on (SSO) environments.
Execution, Persistence, and Privilege Escalation
Scattered Spider threat actors then register their own MFA tokens [T1556.006 ],[T1606 ] after compromising a user’s account to establish persistence [TA0003 ]. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking [T1484.002 ]. The threat actors are then able to sign into any account by using a matching SSO account attribute. At this stage, the Scattered Spider threat actors already control the identity provider and then can choose an arbitrary value for this account attribute. As a result, this activity allows the threat actors to perform privileged escalation [TA0004 ] and continue logging in even when passwords are changed [T1078 ]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks to take advantage of the tools’ remote-shell capabilities and executing of commands which elevates their access. They also deploy remote monitoring and management (RMM) tools [T1219 ] to then maintain persistence.
Discovery, Lateral Movement, and Exfiltration
Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002 ], credential storage documentation [T1552.001 ], VMware vCenter infrastructure [T1018 ], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [TA0007 ]. The threat actors enumerate the victim’s Active Directory (AD), perform discovery and exfiltration of victim’s code repositories [T1213.003 ], code-signing certificates [T1552.004 ], and source code [T1083 ],[TA0010 ]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538 ] to discover targets for lateral movement [TA0007 ],[TA0008 ], then move to both preexisting [T1021.007 ] and actor-created [T1578.002 ] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648 ] to bring data from multiple data sources into a centralized database [T1074 ],[T1530 ]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ranso