As you may have read in our November Ransomware Review, Scattered Spider is a relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider aka Octo Tempest employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

In a joint cybersecurity advisory (CSA) on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provided detailed information about the techniques leveraged by Scattered Spider. The advisory was issued in response to the recent activity by Scattered Spider against the commercial facilities sector and subsectors.

CISA and the FBI consider Scattered Spider to be experts that use multiple social engineering techniques, especially phishing, push bombing, and SIM swap attacks, to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA).

Push bombing is a targeted MFA attack in which an attacker triggers multiple login attempts against the target’s single-sign-on (SSO) portal or publicly exposed corporate apps and services. The objective is that the target will grow tired of the notifications or make a mistake and allow the access.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM under the control of the attacker.

Scattered Spider is a group that typically targets large companies and their contracted information technology (IT) help desks. To lend credibility to their phishing mails they often register domains like victimname-sso[.]com, victimname-servicedesk[.]com or victimname-okta[.]com.

Once the groups establish access, Scattered Spider often searches the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails or conversations regarding the intrusion, along with any security response to see if their attack has been discovered.

The advisory describes how elaborate these efforts can be:

“The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses.”

According to several sources, Scattered Spider has a relationship to ALPHV/BlackCat and has recently started using their ransomware for data exfiltration and file encryption.

The FBI seemingly struggles to arrest group members, even though they’re believed to be based in the US and other Western countries, because victims don’t come forward and share details about their incidents. For that reason, the FBI and CISA have urged victim organizations to share information about attacks with the agencies.

Another initiative that may hinder Scattered Spider’s tactics is the fact that the US Federal Communications Commission (FCC) has adopted new rules to protect US consumers from SIM-swapping attacks and port-out scams. These new rules require US wireless providers to use secure methods of authenticating a customer when they request porting a SIM card to a new device or their phone number to a new carrier.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – ​Read More

Technology is now an indispensable part of student life, used for everything from socialising and calling home, to writing and researching essays. Unfortunately, that makes students taking their first steps into adult life a prime target for cybercrime.

But how can you be sure the Wi-Fi network you’re connecting to at your library or local coffee shop is safe? What about when you’re inside college walls? More than that, your social media accounts likely hold a lot of information about you, information you don’t want to get into the wrong hands.

It’s hard to know who to trust online, and one click on a dodgy link could lead to compromised accounts, identity theft or even malware.

And, as one student we spoke to said “Nothing is worse than losing a school essay”.

We know you need to protect yourself and your important files online, but we also know that you’re probably feeling strapped for cash at the moment.

We’ve got good news. Malwarebytes is now offering 50% off our products to students, wherever you are in the world.

Here’s what we can help with:

Protect your important essays from ransomware and other nasties with Premium Security

Help you shop online safer, with protection against infected ad and credit card skimmers in Browser Guard

Keep your identity safe and protect your social media accounts with Identity Theft Protection

Block trackers and ads with Browser Guard

Work safely in coffee shops, libraries and other public places with Privacy VPN

Game faster and in peace while staying protected by using Play mode to suspend notifications

Find out more and see pricing on our student discount page.

Malwarebytes – ​Read More