RISKS

What happened

Scattered Spider, a loosely affiliated group of hackers known for using sophisticated social engineering and phishing attacks, is perhaps best known for its late-summer 2023 attacks on Caesars Entertainment and MGM. They established false identities, and used publicly available tools and Ransomware-as-a-Service to circumvent multifactor identity systems, infiltrate a variety of business-critical systems, and ultimately collect a reported $15 million in ransom. Caesars is also now the subject of a class-action lawsuit by a “significant number” of its 65 million loyalty program members believed to have been impacted by the digital break-in.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory in November that outlined how Scattered Spider does its work. The persistent threat is particularly troublesome because Scattered Spider, also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra, is not a single entity, but an ad hoc group that’s difficult to identify, track and stop.

Why is this important?

Scattered Spider uses a combination of publicly available employee information, voice phishing, multi-factor fatigue and seemingly legitimate tools (and open ports and services) to gain access to business-critical systems. They establish persistent access to networks and sensitive data by creating rogue identities that enable them to linger and move laterally through on-prem and cloud systems.

APPROACHES

In addition to following good security, data-recovery and authentication practices, organizations should implement programs that help employees recognize phishing attacks, understand the risks of social media oversharing, and see how even legitimate tools and services can become weapons for breaches.

Social Engineering – Hackers like Scattered Spider use troves of publicly available personal information to gather data on your employees. That data can be used to help hackers sound legitimate when resetting passwords and systems access through help desks. Social media can be useful and fun, but oversharing is real and dangerous.

Voice Phishing – At a minimum, organizations should train employees on cybersecurity threats and phishing attempts. Rather than relying on email phishing scams, Scattered Spider made real, human-to-human requests – and got away with it.

LESSONS LEARNED

Multi-factor fatigue is a thing – Both employees and those responsible for overseeing identity-control systems go on autopilot and relax their defenses. As a result, they’re less careful and less diligent, allowing hackers to circumvent these systems.

Costs are real and lingering – The immediate costs of lost business, revenue and trust seen by Caesars, MGM and many others are compounded by the potential for lawsuits. Scattered Spider reportedly demanded $30 million in ransom from Caesars, which was losing millions each day from the attack. Cyber insurance can help in the aftermath.

Sophisticated hacking techniques are for sale – Relatively unsophisticated hackers can take advantage of Ransomware-as-a-Service to breach systems. Scattered Spider is generally recognized as being a loosely affiliated group of hackers using readily available tools like the BlackCat/ALPHV locker to encrypt systems.

RECOMMENDATIONS

Train employees how to spot, avoid and report phishing and voice phishing. Spoofed email addresses, suspicious links, unexpected attachments and providing information to unsolicited callers are prime risks. Develop a culture of vigilance and awareness.

Reduce MFA fatigue by tightening the settings of your MFA tools (for example, limiting the allowed response time and the number of unsuccessful attempts), enforcing least privilege so users have access only to what they truly need, and increasing employee education.
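The unsuccessful-attempt limit described above can also be monitored after the fact. The following is an added example, not HALOCK's own code or tooling: it runs two simple MFA-fatigue checks over constructed push-notification log lines (a hypothetical comma-separated format of timestamp, user, event, source IP), flagging a burst of push prompts to one user inside a short window and an approval that follows a run of denials.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: timestamp,user,event,source_ip.
# "jdoe" is bombarded with prompts, denies four, then finally approves one.
SAMPLE_LOG = """\
2023-09-10T08:00:01Z,jdoe,push_sent,203.0.113.5
2023-09-10T08:00:02Z,jdoe,push_denied,203.0.113.5
2023-09-10T08:00:40Z,jdoe,push_sent,203.0.113.5
2023-09-10T08:00:45Z,jdoe,push_denied,203.0.113.5
2023-09-10T08:01:20Z,jdoe,push_sent,203.0.113.5
2023-09-10T08:01:22Z,jdoe,push_denied,203.0.113.5
2023-09-10T08:02:00Z,jdoe,push_sent,203.0.113.5
2023-09-10T08:02:05Z,jdoe,push_denied,203.0.113.5
2023-09-10T08:02:50Z,jdoe,push_sent,203.0.113.5
2023-09-10T08:02:58Z,jdoe,push_approved,203.0.113.5
2023-09-10T09:15:00Z,asmith,push_sent,198.51.100.7
2023-09-10T09:15:04Z,asmith,push_approved,198.51.100.7
"""

WINDOW = timedelta(minutes=5)   # sliding window for counting prompts
MAX_PUSHES = 3                  # more prompts than this per window is suspicious
MAX_DENIALS = 2                 # an approval after this many denials is suspicious


def parse(line):
    ts, user, event, ip = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, window=WINDOW, max_pushes=MAX_PUSHES, max_denials=MAX_DENIALS):
    """Return a list of (user, reason, timestamp) alerts found in the log text."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    denials = defaultdict(int)    # user -> consecutive denials since the last approval
    for line in log_text.strip().splitlines():
        ts, user, event, _ip = parse(line)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts older than the window
                q.popleft()
            if len(q) == max_pushes + 1:      # alert once when the threshold is crossed
                alerts.append((user, f"{len(q)} pushes within {window}", ts))
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            if denials[user] >= max_denials:
                alerts.append((user, f"approval after {denials[user]} denials", ts))
            denials[user] = 0
    return alerts
```

Tune the window and thresholds to your identity provider's prompt-timeout and retry settings so that routine retries do not trigger alerts.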

Review your cyber insurance policies and be sure the tabletop exercises you use to test your organization’s response to emergencies include contacting your insurance provider.

Avoid being targeted by off-the-shelf hacks by practicing good vulnerability management, such as limiting the use of high-risk ports and services, keeping systems and software up to date and patched, segmenting network traffic, and using network monitoring and Endpoint Detection and Response (EDR) tools to detect abnormal activities.

HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.