The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a detailed cybersecurity advisory on the sophisticated Scattered Spider threat group, urging critical infrastructure (CNI) companies to implement its mitigation recommendations.
The group (also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest and Muddled Libra) is allegedly responsible for high-profile breaches including MGM International, Caesars Entertainment, Okta and Twilio.
The group mainly engages in data theft for extortion purposes, using BlackCat/ALPHV ransomware, and is notable for its fluidity. Disparate members, some of whom appear to be native English speakers, have also been linked to “The Comm.” This is a group linked to a series of “SWATing” attacks targeting American schools and universities.
According to the advisory, Scattered Spider actors are experts at social engineering – often posing as IT help desk personnel to trick employees into handing over their credentials, or using SIM swap attacks or by MFA fatigue to bypass two-factor authentication.
Learn more about Scattered Spider: Twilio reveals new security flaw
After gaining access to networks, Scattered Spider uses legitimate and publicly available remote access tunneling tools, living off-territory techniques, and authorized applications to remain hidden, while moving laterally and exfiltrating data.
In a report last month, Microsoft branded the collective “one of the most dangerous financial criminal groups” operating today.
The FBI/CISA has published an extensive list of mitigation measures that organizations should consider, including:
- Application controls
- Reviewing logs for remote access software usage
- FIDO/WebAuthn or MFA authentication based on public key infrastructure (PKI)
- Limit the use of Remote Desktop Protocol (RDP)
- Implement a recovery plan and maintain offline backups
- Phishing-resistant MFA
- Regular software/operating system updates
- Segmented networks
- EDR and other abnormal activity detection tools
- Antivirus on all hosts
- Disabling unused ports and protocols
“The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the mitigations section of this CSA (advisory) to reduce the likelihood and impact of a cyber attack by security actors. Scattered Spider. » the notice urged.