
Google Cloud’s Mandiant Consulting revealed that it has witnessed a decline in activity from the infamous Scattered Spider group, but emphasized that organizations need to use the lull to strengthen their defenses.
“Since the recent arrests in the UK in connection with members of Scattered Spider (UNC3944), Mandiant Consulting has not observed any new intrusions directly attributed to this particular threat actor.”
“This presents an important window of opportunity that organizations must use to thoroughly study the tactics that have been employed so effectively, assess their systems, and strengthen their security posture accordingly.”
Carmakal also warned businesses not to “completely let their guard down,” because other threat actors such as UNC6040 have breached target networks using social engineering tactics similar to those of Scattered Spider.

“Some groups may be temporarily dormant, while others are unforgiving,” Carmakal added.
The development comes as Google detailed the financially motivated hacking group’s aggressive targeting of VMware ESXi hypervisors in attacks against the retail, airline and transportation sectors in North America.
The US government, alongside Canada and Australia, has also released an updated advisory outlining Scattered Spider’s updated tradecraft, obtained through investigations conducted by the Federal Bureau of Investigation (FBI) as recently as this month.
“Scattered Spider threat actors are known to use a variety of ransomware variants in data extortion attacks, including DragonForce ransomware,” the agencies said.
“These actors frequently use social engineering techniques such as phishing, push bombing, and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication. They also rotate machine names [T1090] to further evade detection and response.”
The group has also been observed posing as employees to persuade help desk staff to provide confidential information, reset employee passwords, and transfer employee multi-factor authentication (MFA) to other devices.
This marks a shift from the threat actor’s earlier approach of impersonating help desk staff over phone calls or SMS messages to obtain employee credentials or to instruct employees to run a commercial remote access tool that grants initial access. In other instances, the hackers have purchased employee or contractor credentials on illicit marketplaces such as the Russian Market.
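Push bombing, named in the advisory above, leaves a characteristic trace in identity-provider logs: a burst of denied or timed-out MFA pushes for one user, sometimes followed by a single approval once the user gives in. The script below is an added example written for this article, not code from the advisory or from Mandiant. It assumes a simplified one-JSON-object-per-line log format with `ts`, `user`, `event` and `result` fields; real providers (Okta, Entra ID, Duo) each use their own schema, so `parse_line()` is the part to adapt. The sample log is constructed.

```python
"""Detect MFA push-bombing (push fatigue) in authentication logs.

Added example, not from the advisory. Log format is an assumption: one JSON
object per line with 'ts' (ISO 8601 UTC), 'user', 'event' ('mfa_push') and
'result' ('approved', 'denied', 'timeout').
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 'bob' receives six pushes in four minutes and approves the last one.
SAMPLE_LOG = """\
{"ts": "2025-07-29T08:00:05Z", "user": "alice", "event": "mfa_push", "result": "approved"}
{"ts": "2025-07-29T09:12:00Z", "user": "bob", "event": "mfa_push", "result": "denied"}
{"ts": "2025-07-29T09:12:40Z", "user": "bob", "event": "mfa_push", "result": "timeout"}
{"ts": "2025-07-29T09:13:15Z", "user": "bob", "event": "mfa_push", "result": "denied"}
{"ts": "2025-07-29T09:14:02Z", "user": "bob", "event": "mfa_push", "result": "denied"}
{"ts": "2025-07-29T09:15:10Z", "user": "bob", "event": "mfa_push", "result": "timeout"}
{"ts": "2025-07-29T09:15:55Z", "user": "bob", "event": "mfa_push", "result": "approved"}
{"ts": "2025-07-29T10:30:00Z", "user": "carol", "event": "mfa_push", "result": "denied"}
{"ts": "2025-07-29T11:45:00Z", "user": "carol", "event": "mfa_push", "result": "approved"}
"""

WINDOW = timedelta(minutes=10)   # sliding window length (assumed tuning value)
THRESHOLD = 4                    # unapproved pushes inside the window that count as bombing


def parse_line(line):
    """Map one log line to (timestamp, user, event, result); adapt for a real IdP schema."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, rec["user"], rec["event"], rec["result"]


def detect_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"rejected": n, "approved_after_burst": bool}} for every user
    whose denied/timed-out pushes inside any sliding window reach the threshold.
    'approved_after_burst' marks the fatigue-success case: an approval that lands
    while the window still holds a full burst of rejections."""
    rejected = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        q = rejected[user]
        # Drop rejections that fell out of the window relative to this event.
        while q and ts - q[0] > window:
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(user, {"rejected": 0, "approved_after_burst": False})
                f["rejected"] = max(f["rejected"], len(q))
        elif result == "approved" and len(q) >= threshold:
            f = findings.setdefault(user, {"rejected": len(q), "approved_after_burst": False})
            f["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {info['rejected']} rejected pushes in window, "
              f"approved after burst: {info['approved_after_burst']}")
```

A rejection-only alert is worth raising on its own (the user is being targeted even if they never approve), but the approval-after-burst flag is the one that should page someone, since it indicates the bypass described in the advisory has likely succeeded and the session should be revoked.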

The agencies also called out Scattered Spider’s use of readily available malware tools such as AveMaria, Raccoon Stealer, Vidar Stealer and Ratty RAT to facilitate remote access and collect sensitive information, and of the cloud storage service MEGA for data exfiltration.
“Many times, Scattered Spider threat actors seek Snowflake access at targeted organizations to quickly exfiltrate large volumes of data, often running thousands of queries in rapid succession,” the advisory said.
“According to trusted third-party reporting on recent incidents, Scattered Spider threat actors may have deployed DragonForce ransomware on target organizations’ networks.”
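The Snowflake behaviour the advisory describes, thousands of queries in rapid succession pulling large result sets, is detectable from query history alone. The script below is an added example for this article, not code from the advisory or from Snowflake. It reads rows shaped like an export of the `SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY` view (the columns `USER_NAME`, `START_TIME`, `QUERY_TEXT` and `ROWS_PRODUCED` exist in that view; the CSV layout, the window length and the thresholds are assumptions) and flags any user whose query count or result volume inside a sliding window exceeds a limit. The sample rows are constructed: one analyst with a normal cadence and one service account dumping tables.

```python
"""Flag bursts of Snowflake queries and unusually large result volumes per user.

Added example, not from the advisory. Input is assumed to be a CSV export of
QUERY_HISTORY rows; thresholds are placeholders to tune per environment.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_csv():
    """Construct QUERY_HISTORY-like rows: a normal analyst and a burst account."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["USER_NAME", "START_TIME", "QUERY_TEXT", "ROWS_PRODUCED"])
    base = datetime(2025, 7, 29, 9, 0, 0)
    # ANALYST: 20 queries spread over an hour, small result sets.
    for i in range(20):
        w.writerow(["ANALYST", (base + timedelta(minutes=3 * i)).isoformat(),
                    "SELECT ... FROM sales WHERE day = ?", 250])
    # SVC_BACKUP: 1500 full-table reads in ten minutes (one every 400 ms).
    for i in range(1500):
        w.writerow(["SVC_BACKUP", (base + timedelta(milliseconds=400 * i)).isoformat(),
                    f"SELECT * FROM customers_{i}", 50000])
    return out.getvalue()


WINDOW = timedelta(minutes=5)       # sliding window length (assumed)
MAX_QUERIES_PER_WINDOW = 200        # assumed per-user ceiling
MAX_ROWS_PER_WINDOW = 5_000_000     # assumed per-user ceiling


def detect_query_bursts(csv_text, window=WINDOW,
                        max_queries=MAX_QUERIES_PER_WINDOW, max_rows=MAX_ROWS_PER_WINDOW):
    """Return {user: {"peak_queries": n, "peak_rows": m}} for users exceeding either
    threshold inside any window of `window` length (two-pointer sweep per user)."""
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_user[row["USER_NAME"]].append(
            (datetime.fromisoformat(row["START_TIME"]), int(row["ROWS_PRODUCED"])))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        left = 0
        rows_in_window = 0
        peak_q = peak_r = 0
        for right, (ts, rows) in enumerate(events):
            rows_in_window += rows
            # Advance the left edge until every event in [left, right] fits the window.
            while ts - events[left][0] > window:
                rows_in_window -= events[left][1]
                left += 1
            peak_q = max(peak_q, right - left + 1)
            peak_r = max(peak_r, rows_in_window)
        if peak_q > max_queries or peak_r > max_rows:
            findings[user] = {"peak_queries": peak_q, "peak_rows": peak_r}
    return findings


if __name__ == "__main__":
    for user, info in detect_query_bursts(build_sample_csv()).items():
        print(f"{user}: peak {info['peak_queries']} queries and "
              f"{info['peak_rows']} rows in a {WINDOW} window")
```

Row counts are a coarse proxy for exfiltrated volume; in a real deployment the same sweep can be run over `BYTES_SCANNED` or egress from `COPY INTO` stages, and a per-user baseline replaces the fixed thresholds used here.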