A version of this article exists on rAVe [PUBS], written by @Paul Konikowski 

Previously, Konikowski summarized the recent cyberattacks on MGM and Caesars’ casinos. In that article, he dropped some social engineering science and lessons learned from Scattered Spider (aka 0ktapus, UNC3944, Starfraud, Scatter Swine, Muddled Libra and most recently, Octo Tempest). He warned #AVtweeps about their aggressive social engineering Tactics, Techniques and Procedures (TTPs). And he's not the only one getting arachnophobia about Scattered Spider.

On Nov. 15, Reuters reported that the FBI struggled to disrupt the dangerous casino hacking gang Scattered Spider. Michael Sentonas, president of CrowdStrike, was quoted as saying, “For such a small group, they [Scattered Spider] are absolutely causing havoc.”

On Nov. 16, 2023, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) dropped its own science, releasing an advisory on Scattered Spider. Here are some highlights from the advisory, which you can follow to protect you and your organization from hackers like this group.

One of the most valuable takeaways is this list of normally legitimate tools used by the group. Each of these on their own is not suspect, but a combination of them is, and their usage should be closely monitored:

• Fleetdeck.io – Enables remote monitoring and management of systems.
• Level.io – Enables remote monitoring and management of systems.
• Mimikatz – Extracts credentials from a system.
• Ngrok – Enables remote access to a local web server by tunneling over the internet.
• Pulseway – Enables remote monitoring and management of systems.
• Screenconnect – Enables remote connections to network devices for management.
• Tactical.RMM – Enables remote monitoring and management of systems.
• Tailscale – Provides virtual private networks (VPNs) to secure network communications.
• Teamviewer – Enables remote connections to network devices for management.

The advisory explains, “Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs. […]

“To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities.” […]

“The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. […]

• Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. […]
• Reduce threat of malicious actors using remote access tools by:
  • Auditing remote access tools on your network to identify currently used and/or authorized software.
  • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable.
  • Using security software to detect instances of remote access software being loaded only in memory.
  • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
  • Applying recommendations in the Guide to Securing Remote Access Software.
• Implementing FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA. These MFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing Phishing-Resistant MFA for more information.
• Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example:
  • Audit the network for systems using RDP.
  • Close unused RDP ports.
  • Enforce account lockouts after a specified number of attempts.
  • Apply phishing-resistant multifactor authentication (MFA).
  • Log RDP login attempts.

In addition, the authoring authorities of this CISA recommend network defenders apply certain mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors. To learn more, click here to read the rest of Konikowski’s article on rAVe [PUBS].