FBI Shares Tactics & Techniques Used by Scattered Spider Hacker Group
In recent months, the Scattered Spider hacking group (aka Starfraud, UNC3944, Scatter Swine, and Muddled Libra) has made headlines for allegedly attacking the following casino giants:
- MGM Resorts
- Caesars Entertainment
The FBI and CISA recently issued a joint Cybersecurity Advisory (CSA) on Scattered Spider threat actors targeting commercial facilities.
FBI Tactics & Techniques
The latest advisory from the FBI and CISA details the TTPs observed as of November 2023 for Scattered Spider, a sophisticated hacker group targeting large companies.
While this threat group is known for data theft and for using BlackCat/ALPHV ransomware, the agencies urge critical infrastructure organizations to implement the recommended mitigations.
Apart from this, the Scattered Spider group is expert in social engineering and uses multiple social engineering techniques, such as:
- Phishing attacks
- Push bombing attacks
- Subscriber identity module (SIM) swap attacks
With the help of these attacks, they obtain credentials and then install remote access tools on the targeted system to bypass multi-factor authentication (MFA).
The FBI notes that Scattered Spider uses legitimate remote access tools once it has gained access to the network.
The advisory reflects the U.S. government's push against ransomware gangs, urging more victims to come forward so that collective intelligence can be used to identify and counter threats.
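Push bombing leaves a recognizable trace in identity-provider logs: a burst of MFA push prompts to one user, often followed by an approval. The script below is an added example, not code from the advisory or from the FBI/CISA; the log format, user names, IP addresses and the 3-prompts-in-60-seconds threshold are all constructed for this illustration, and the sliding-window logic works for any number of users in a sorted or unsorted log.

```python
"""Flag MFA push-bombing bursts in constructed identity-provider push logs.

Added example, not part of the advisory. Log format, sample lines and the
threshold/window defaults are assumptions chosen for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <source-ip>" (not real data).
SAMPLE_LOG = """\
2023-11-16T08:00:01Z alice push_sent 203.0.113.7
2023-11-16T08:00:04Z alice push_denied 203.0.113.7
2023-11-16T08:00:09Z alice push_sent 203.0.113.7
2023-11-16T08:00:12Z alice push_denied 203.0.113.7
2023-11-16T08:00:20Z alice push_sent 203.0.113.7
2023-11-16T08:00:31Z alice push_sent 203.0.113.7
2023-11-16T08:00:35Z alice push_approved 203.0.113.7
2023-11-16T08:05:00Z bob push_sent 198.51.100.4
2023-11-16T08:05:06Z bob push_approved 198.51.100.4
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    return events


def find_push_bombing(events, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per user whose push prompts reach `threshold` within `window`.

    `prompts` is the largest number of push_sent events found in any window of
    that length; `approved_after_burst` is True when a push_approved event
    follows the first prompt of that burst, i.e. the user may have given in.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e for e in evs if e["event"] == "push_sent"]
        best_count, best_start = 0, None
        start = 0
        # Sliding window over the sorted push_sent timestamps.
        for end in range(len(sent)):
            while sent[end]["ts"] - sent[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start = count, sent[start]["ts"]
        if best_count >= threshold:
            approved = any(
                e["event"] == "push_approved" and e["ts"] >= best_start for e in evs
            )
            alerts.append({
                "user": user,
                "prompts": best_count,
                "burst_start": best_start.isoformat(),
                "approved_after_burst": approved,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this flags only alice (four prompts inside 30 seconds, then an approval); bob's single prompt and approval is normal behaviour. In production the threshold and window should be tuned against the organisation's own baseline, and an approval after a burst is the event worth paging on, since it is the point where a legitimate session may now belong to the attacker.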
TTPs used
Below we have listed all the TTPs that the Scattered Spider group uses:
Tools used:
- Fleetdeck.io – Enables remote monitoring and management of systems.
- Level.io – Enables remote monitoring and management of systems.
- Mimikatz [S0002] – Extracts credentials from a system.
- Ngrok [S0508] – Enables remote access to a local web server by tunneling over the internet.
- Pulseway – Enables remote monitoring and management of systems.
- Screenconnect – Enables remote connections to network devices for management.
- Splashtop – Enables remote connections to network devices for management.
- Tactical.RMM – Enables remote monitoring and management of systems.
- Tailscale – Provides virtual private networks (VPNs) to secure network communications.
- Teamviewer – Enables remote connections to network devices for management.
Malware used:
- AveMaria (also known as WarZone [S0670]) – Enables remote access to a victim's systems.
- Raccoon Stealer – Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data.
- VIDAR Stealer – Steals information including login credentials, browser history, cookies, and other data.
Domains used:
- victimname-sso[.]com
- victimname-servicedesk[.]com
- victimname-okta[.]com
Tactics & Techniques used:
- Reconnaissance & Resource Development
- Initial Access & Execution
- Persistence, Privilege Escalation, & Defense Evasion
- Credential Access & Discovery
- Lateral Movement & Collection
- Command and Control, Exfiltration, and Impact
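The tool list and the lookalike domains above are the indicators a defender can most directly hunt for. The script below is an added example and is not code from the advisory or from the FBI/CISA: the tool keywords come from the list on this page, but the process image paths, the sanctioned-tool allowlist, the org name "examplecorp", its owned-domain set and every log line are constructed. The domain check generalizes the victimname-sso / -servicedesk / -okta pattern to any registrable domain that embeds the org name without being owned by the org, and the registrable-domain extraction is a naive last-two-labels assumption rather than a public-suffix-list lookup.

```python
"""Hunt constructed endpoint and DNS telemetry for the tooling and lookalike
domains listed in the advisory summary.

Added example, not part of the advisory. Process image names, allowlist, org
name and log lines are constructed assumptions.
"""
import re

# Keywords derived from the tools and malware named on this page, matched as
# substrings of the lowercased process image path (assumption: the executable
# or install path carries the product name). Level.io is left out because
# "level" is too generic a substring to match safely.
TOOL_KEYWORDS = ["fleetdeck", "mimikatz", "ngrok", "pulseway", "screenconnect",
                 "splashtop", "tacticalrmm", "tailscale", "teamviewer"]

# Constructed allowlist: tools the hypothetical org has sanctioned for IT use.
SANCTIONED_TOOLS = {"teamviewer"}

# Constructed process-creation events (not real telemetry).
PROCESS_EVENTS = r"""
2023-11-16T09:12:03Z host=WS-0142 user=jdoe image=C:\Users\jdoe\Downloads\ngrok.exe
2023-11-16T09:13:40Z host=WS-0142 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.Client.exe
2023-11-16T09:15:11Z host=SRV-DB01 user=svc_backup image=C:\Program Files\BackupVendor\backup.exe
2023-11-16T09:16:52Z host=WS-0077 user=asmith image=C:\Program Files\TeamViewer\TeamViewer.exe
"""

# Constructed DNS query log for the hypothetical org "examplecorp".
DNS_QUERIES = """\
2023-11-16T09:10:00Z host=WS-0142 query=examplecorp-sso.com
2023-11-16T09:10:02Z host=WS-0142 query=sso.examplecorp.com
2023-11-16T09:10:05Z host=WS-0077 query=examplecorp.okta.com
2023-11-16T09:11:30Z host=WS-0142 query=examplecorp-okta.com
2023-11-16T09:11:45Z host=WS-0077 query=cdn.example.net
"""
# Constructed: registrable domains the hypothetical org actually owns.
OWNED_DOMAINS = {"examplecorp.com"}


def scan_process_events(text):
    """Return hits for unsanctioned remote-access or credential tools seen executing."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        image = re.search(r"image=(.+)$", line).group(1).lower()
        host = re.search(r"host=(\S+)", line).group(1)
        for tool in TOOL_KEYWORDS:
            if tool in image and tool not in SANCTIONED_TOOLS:
                hits.append({"host": host, "tool": tool, "image": image})
    return hits


def registrable_domain(fqdn):
    """Naive registrable-domain extraction (last two labels). A real deployment
    would consult the public suffix list; this is an assumption of the example."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def scan_dns_queries(text, org_name):
    """Return queried registrable domains that embed `org_name` but are not owned
    by the org, which catches victimname-sso / -servicedesk / -okta style lookalikes."""
    suspicious = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        fqdn = re.search(r"query=(\S+)", line).group(1)
        reg = registrable_domain(fqdn)
        if org_name.lower() in reg and reg not in OWNED_DOMAINS:
            suspicious.add(reg)
    return sorted(suspicious)


if __name__ == "__main__":
    for h in scan_process_events(PROCESS_EVENTS):
        print("tool:", h)
    for d in scan_dns_queries(DNS_QUERIES, "examplecorp"):
        print("lookalike domain:", d)
```

On the constructed data the process scan reports ngrok and ScreenConnect running from a user's Downloads and Temp folders (TeamViewer is skipped as sanctioned), and the DNS scan reports examplecorp-sso.com and examplecorp-okta.com while leaving the org's own sso.examplecorp.com and the legitimate examplecorp.okta.com tenant alone. The allowlist is what keeps this usable: RMM tools are legitimate in most environments, so the signal is an RMM tool the organisation did not deploy, running from a user-writable path.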
Recommendations
Below we have listed all the recommendations provided by the cybersecurity researchers:
- Implement application controls.
- Reduce the threat from malicious actors.
- Implement FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA.
- Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
- Implement a recovery plan.
- Maintain offline backups of data.
- Require all accounts with password logins to comply with NIST's standards for developing and managing password policies.
- Require phishing-resistant multifactor authentication (MFA).
- Keep all operating systems, software, and firmware up to date.
- Segment networks.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- Install, regularly update, and enable real-time detection for antivirus software on all hosts.
- Disable unused ports and protocols.
- Consider adding an email banner to emails.
- Disable hyperlinks.
- Ensure all backup data is encrypted and immutable.
Source credit : cybersecuritynews.com