Scattered Spider Hacker Arrests Halt Attacks But Copycat Threats Sustain Security Pressure

Google Cloud's Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses.

"Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn't observed any new intrusions directly attributable to this specific threat actor," Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, told The Hacker News in a statement.

"This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly."

Carmakal also warned businesses not to let their guard down entirely, as other threat actors like UNC6040 are employing similar social engineering tactics as Scattered Spider to breach target networks.

"While one group may be temporarily dormant, others won't relent," Carmakal added.

The development comes as the tech giant detailed the financially motivated hacking group's aggressive targeting of VMware ESXi hypervisors in attacks targeting the retail, airline, and transportation sectors in North America.

The U.S. government, alongside Canada and Australia, has also released an updated advisory outlining Scattered Spider's updated tradecraft, obtained as part of investigations conducted by the Federal Bureau of Investigation (FBI) as recently as this month.

"Scattered Spider threat actors have been known to use various ransomware variants in data extortion attacks, most recently including DragonForce ransomware," the agencies said.

"These actors frequently use social engineering techniques such as phishing, push bombing, and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication. Scattered Spider threat actors consistently use proxy networks (T1090) and rotate machine names to further hamper detection and response."

The group has also been observed posing as employees to persuade IT and/or help desk staff to provide sensitive information, reset the employee's password, and transfer the employee's multi-factor authentication (MFA) to a device under their control.

This marks a shift from the threat actors impersonating help desk personnel in phone calls or SMS messages to obtain employee credentials or instruct them to run commercial remote access tools, enabling initial access. In other instances, the hackers have acquired employee or contractor credentials on illicit marketplaces such as Russia Market.

Furthermore, the governments called out Scattered Spider's use of readily available malware tools like Ave Maria (aka Warzone RAT), Raccoon Stealer, Vidar Stealer, and Ratty RAT to facilitate remote access and gather sensitive information, as well as the cloud storage service Mega for data exfiltration.

"In many instances, Scattered Spider threat actors search for a targeted organization's Snowflake access to exfiltrate large volumes of data in a short time, often running thousands of queries immediately," per the advisory.

"According to trusted third-parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed DragonForce ransomware onto targeted organizations' networks, thereby encrypting VMware Elastic Sky X integrated (ESXi) servers."
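The "thousands of queries immediately" pattern the advisory attributes to Scattered Spider's Snowflake activity is detectable as a per-user query burst. The following is an added example, not code from The Hacker News or from the advisory: it runs a sliding-window count over constructed records shaped like the USER_NAME, START_TIME and QUERY_TYPE columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view; the user names, timestamps, window size and threshold are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape (USER_NAME, START_TIME, QUERY_TYPE);
# these are made-up values, not real Snowflake telemetry.
def build_sample_history():
    base = datetime(2025, 7, 30, 14, 0, 0)
    rows = []
    # Normal analyst (hypothetical): five queries spread over an hour.
    for i in range(5):
        rows.append(("analyst_jdoe", base + timedelta(minutes=12 * i), "SELECT"))
    # Suspicious account (hypothetical): 1,200 SELECTs inside two minutes,
    # the bulk-exfiltration tempo described in the advisory.
    for i in range(1200):
        rows.append(("svc_reporting", base + timedelta(milliseconds=100 * i), "SELECT"))
    return rows

def find_query_bursts(rows, window_seconds=120, threshold=500):
    """Return {user: (count, window_start)} for every user whose query count
    inside some sliding window of window_seconds reaches threshold."""
    per_user = defaultdict(list)
    for user, start, _query_type in rows:
        per_user[user].append(start)
    hits = {}
    window = timedelta(seconds=window_seconds)
    for user, times in per_user.items():
        times.sort()
        left = 0
        best_count, best_start = 0, None
        for right, t in enumerate(times):
            # Slide the left edge forward until the window fits.
            while t - times[left] > window:
                left += 1
            count = right - left + 1
            if count > best_count:
                best_count, best_start = count, times[left]
        if best_count >= threshold:
            hits[user] = (best_count, best_start)
    return hits

if __name__ == "__main__":
    for user, (count, start) in find_query_bursts(build_sample_history()).items():
        print(f"ALERT: {user} ran {count} queries within 120s starting {start}")
```

The same logic maps onto a scheduled query over QUERY_HISTORY grouped by USER_NAME and a time bucket; tune the window and threshold against a baseline of the organization's own reporting jobs so scheduled ETL does not page the on-call.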