
Getting caught in the Scattered Spider web
🛡️🕷️ Scattered Spider is a fast-growing group of cyber attackers that is currently active and possibly behind the recent attack on M & S. They don't just break in and grab one thing: they like to cause as much chaos as possible and then ask for a ransom.
🕷️ Who are they? - they are a group that goes by several names. They are young and mostly English-speaking, which helps make their social engineering techniques believable. They seem to have a fluid and adaptive structure - 'scattered' - which makes it harder for law enforcement to dismantle. Even after arrests, they regroup. They are social engineering experts and target the 'human element' to gain initial access rather than relying solely on technical vulnerabilities. They are known to partner with other groups for different elements of their attack.
🔐 Breaking in - they generally use social engineering to break in by tricking an employee. This might be through a fake email (phishing) where the person then hands over their email credentials. More recently it is thought they are phoning to ask for password resets while pretending to be an employee (vishing).
📂 Once inside - they look around for additional usernames and passwords to gain more privilege and reach sensitive areas. They demonstrate a strong understanding of cloud platforms such as AWS, Azure and Google Workspace, where they are able to create rogue virtual machines, modify firewall rules and exploit data synchronisation services. They can disable security software and monitor communications, e.g. over MS Teams.
🔍 What are they looking for? - data, such as customer information, financial records or important company secrets. They will 'hunt' for this data within the systems they have accessed.
💰 Ransomware - once they have found the data, they will lock the organisation's systems down by encrypting the data and demanding a ransom to decrypt it. They often do this by partnering with a Ransomware-as-a-Service (RaaS) provider.
🤯 Pressure tactics - Scattered Spider is known for being aggressive. They might threaten to release the stolen data publicly if the ransom isn't paid.
Attacks
It's difficult to attribute attacks to Scattered Spider due to their fluid nature and ongoing investigations. They are strongly suspected of being behind:
MGM Resorts International (2023)
M & S Cyber Attack
Caesars Entertainment (2023)
Snowflake Customer Attacks (2024)
Review our previous article: A Wake-Up Call for Cyber Vigilance - Danger in the Threat Landscape for Everyone
What Measures Can Organisations Put in Place?
🙅 Human measures - Scattered Spider relies heavily on social engineering techniques and the 'human element', so comprehensive security awareness training is key.
🔒 Stronger authentication policies - multi-factor authentication everywhere, combined with conditional access policies.
🪪 Enhance ID security -
🪪 Implement rigorous identity processes for password reset requests or changes in access or authorisation.
🪪 Additional training for those with privileged accounts.
🪪 Consider implementing a physical human check when changes are requested.
🤺Improve Technical Defences -
🤺Endpoint Detection and Response
🤺Network Segmentation
🤺Principle of Least Privilege
🤺Vulnerability Scanning and Patch Management
🤺Strong Password Policies
🤺Network Monitoring and Intrusion Detection Systems
☁ Cloud security - strengthen cloud security through configuration and identity management.
📢 Incident Response and Recovery -
📢 Have an incident response and recovery plan that has been well practised.
📢 Establish clear communication channels.
📢 Practise.
📢 Implement backup and recovery procedures.
✅ Continuous Monitoring and Improvement -
✅ Review the current threat landscape.
✅ Adapt and change.
✅ Regular audits and testing.
✅ Logging of events.
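The identity processes for password resets (above) and the logging of events both assume someone is actually reviewing the reset activity. The following is an added example, not code from the original article or any product it mentions: a small Python check over constructed identity-audit log lines (a hypothetical CSV format, with made-up accounts and addresses) that flags helpdesk-initiated password resets on privileged accounts, and any reset that is followed within 30 minutes by a new MFA method being registered, which is the pattern a vishing-driven reset would leave behind.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not from the page or any real system).
# Hypothetical format: timestamp,event,actor,target_account,source_ip
SAMPLE_LOG = """\
2024-05-01T09:02:00,password_reset_by_helpdesk,helpdesk.jo,finance.admin,10.0.0.5
2024-05-01T09:05:30,mfa_method_added,finance.admin,finance.admin,203.0.113.7
2024-05-01T09:06:10,sign_in,finance.admin,finance.admin,203.0.113.7
2024-05-01T11:20:00,password_reset_by_helpdesk,helpdesk.jo,teacher.sam,10.0.0.5
2024-05-01T14:00:00,sign_in,teacher.sam,teacher.sam,10.0.0.9
2024-05-01T15:00:00,password_reset_by_helpdesk,helpdesk.al,student.lee,10.0.0.6
2024-05-01T15:10:00,mfa_method_added,student.lee,student.lee,198.51.100.4
"""

# Accounts the organisation treats as privileged (assumed list).
PRIVILEGED = {"finance.admin"}
WINDOW = timedelta(minutes=30)


def parse(log):
    """Turn the CSV lines into dicts with a real datetime for sorting/comparison."""
    events = []
    for line in log.strip().splitlines():
        ts, event, actor, target, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "actor": actor, "target": target, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, privileged=PRIVILEGED, window=WINDOW):
    """Return (account, reasons) for each helpdesk reset worth a human review.

    Two signals: the reset touched a privileged account, or a new MFA method
    was registered on the account within `window` after the reset.
    """
    alerts = []
    for reset in (e for e in events if e["event"] == "password_reset_by_helpdesk"):
        account = reset["target"]
        later = [e for e in events
                 if e["target"] == account and reset["ts"] < e["ts"] <= reset["ts"] + window]
        reasons = []
        if account in privileged:
            reasons.append("privileged account")
        if any(e["event"] == "mfa_method_added" for e in later):
            reasons.append("new MFA method registered within window")
        if reasons:
            alerts.append((account, reasons))
    return alerts


if __name__ == "__main__":
    for account, reasons in find_suspicious_resets(parse(SAMPLE_LOG)):
        print(f"REVIEW {account}: {', '.join(reasons)}")
```

In the sample, teacher.sam's reset produces no alert because the only follow-up is an ordinary sign-in hours later; the other two resets are flagged for the helpdesk lead to confirm with the named person out of band.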
Schools, multi-academy trusts and colleges should look to the DfE Digital Standards for more guidance about cyber security and backing up data.
If you'd like to learn more about the DfE Digital Standards - what needs to be done, who's responsible, and the timelines - join one of our free webinars 👉 https://digitalstandardstracker.co.uk/
We offer a range of resources, support, guidance and tracking tools to help you monitor your progress and report effectively. Documenting and tracking compliance is essential - it can demonstrate your cyber resilience in the aftermath of a cyber attack!
Contact us today for some more information 📧