Tangled in the web: Scattered Spider’s tactics changing to snare more victims

-helpdesk or a type of SSO to add credibility.

In some instances, Scattered Spider members purchase employee or contractor credentials on illicit marketplaces to gain access. More commonly, they search business-to-business websites to gather information about specific individuals. Once they have identified usernames, passwords and personally identifiable information (PII) and conducted SIM swapping (transferring a victim’s phone number to a SIM card they control), they use “layered” social engineering techniques that play out over several calls.

These calls are designed to learn the steps needed to conduct password resets, gather the targeted employee’s password reset information, and make spear phishing calls to convince help desk personnel to reset passwords and/or transfer MFA tokens so the attackers can take over accounts.

Later, to determine whether their activities have been detected, the threat actors often search the organization’s Slack, Microsoft Teams, and Microsoft Exchange Online for discussions of the attack and the subsequent security response. They also create new identities in these environments, backed up by fake social media profiles, and frequently join incident remediation and response calls and teleconferences. This helps them understand how security teams are hunting them.

Scattered Spider is so pervasive “because it uses advanced and aggressive social engineering that gets around most defenses,” said Roger Grimes, a data-driven defense evangelist at cybersecurity company KnowBe4.

Avoid getting ensnared in Scattered Spider’s web

In response to the group’s new tactics, CISA advises enterprises to look for “risky logins” in environments where sign-in attempts have been flagged as suspicious or unusual. Other important cybersecurity practices include:
- Enforce phishing-resistant MFA.
- Implement application controls to manage and control software execution, including allowlisting remote access programs.
- Audit remote access tools to identify currently used and/or authorized software.
- Review logs for execution of remote access software to detect abnormal use.
- Only permit authorized remote access tools to be used within a network over approved mechanisms such as virtual private networks (VPNs) or virtual desktops.
- Block inbound and outbound connections on common remote access ports and protocols.
- Strictly limit the use of remote desktop protocol (RDP) and other remote desktop services.

Given that the group’s social engineering techniques can get around most defenses, experts emphasize the importance of building a holistic cybersecurity culture rather than relying on tools alone.

“CISOs can’t buy a Blinky box to mitigate Scattered Spider,” said David Shipley of Beauceron Security. “It requires building aware and engaged teams to recognize social engineering, positive security cultures, and robust, assertive help desk authentication procedures that are tested at least monthly by red teams.”

KnowBe4’s Grimes noted that many defense guides, including those from CISA, “barely mention” how to best defeat social engineering, which is, he said, better security awareness training. “So, people concentrate on the wrong things and then wonder why Scattered Spider is so successful.”

He advised: “Don’t use easily phishable MFA, and that’s most MFA.” His suggestions for phishing-resistant MFA: NIST, FIDO2, 1Kosmos, AuthN by IEEE, Beyond Identity, IDEE, Google Advanced Protection Program, HYPR, and idenprotect.

SANS’ Ullrich noted that enterprises too often rely on third-party vendors to offer critical security functions such as identity and access control. As a result, it can be difficult to make quick tactical changes to fight current threats. Detailed insight into authorization activity can be limited, slowing or preventing proper detection and mitigation, while modern decomposed networks make detailed monitoring “almost impossible.”

Internal expertise is optimal, he said, but barring that, enterprises should promote a strong employee reporting system. “Successful awareness training often emphasizes reporting features over more old-fashioned anti-phishing training,” said Ullrich.
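Two of the recommendations above, reviewing logs for unapproved remote access software and looking for risky sign-ins, can be turned into a simple detection. The script below is an added example written for this page; it is not code from the article, from CISA, or from any of the vendors quoted. The pipe-delimited log format, the field names, the placeholder tool names (`authorized-rmm.exe`, `rmm-vendor-b.exe`) and the sample records are all constructed assumptions. It flags executions of a known remote access tool that is not on the allowlist, and correlates a sign-in the identity provider marked as risky with a help-desk password reset or a newly added MFA method for the same user within a short window, which is the account-takeover sequence the article describes.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed placeholder names; in practice both sets come from the organization's
# own audit of remote access tools, which the guidance above calls for.
ALLOWED_REMOTE_TOOLS = {"authorized-rmm.exe"}
KNOWN_REMOTE_TOOLS = {"authorized-rmm.exe", "rmm-vendor-a.exe", "rmm-vendor-b.exe"}

# Constructed sample records (assumed export of sign-in, help-desk, MFA-enrollment
# and process-execution events); not real data. Format: timestamp|kind|k=v|k=v...
SAMPLE_LOG = """\
2025-07-29T09:00:00Z|process|host=ws-002|user=asmith|image=authorized-rmm.exe
2025-07-29T10:02:11Z|signin|user=jdoe|risk=high|src=203.0.113.7|result=success
2025-07-29T10:05:40Z|helpdesk|user=jdoe|action=password_reset|agent=hd-agent-3
2025-07-29T10:07:02Z|mfa|user=jdoe|action=method_added|method=sms
2025-07-29T10:15:20Z|process|host=ws-014|user=jdoe|image=rmm-vendor-b.exe
2025-07-29T11:00:00Z|signin|user=asmith|risk=none|src=198.51.100.9|result=success
"""


def parse_line(line: str) -> Dict[str, object]:
    """Turn one 'timestamp|kind|k=v|k=v' record into a dict with a parsed 'ts'."""
    ts, kind, *fields = line.strip().split("|")
    event: Dict[str, object] = {"kind": kind, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unapproved_remote_tools(events) -> List[Tuple[str, str, str]]:
    """Process executions of a known remote access tool that is not allowlisted."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        image = str(e.get("image", "")).lower()
        if image in KNOWN_REMOTE_TOOLS and image not in ALLOWED_REMOTE_TOOLS:
            hits.append((e["host"], e["user"], image))
    return hits


def find_risky_login_chains(events, window: timedelta = timedelta(minutes=30)):
    """Risky sign-ins followed, for the same user and within `window`, by a help-desk
    password reset or a newly added MFA method."""
    interesting = {("helpdesk", "password_reset"), ("mfa", "method_added")}
    chains = []
    for login in events:
        if login["kind"] != "signin" or login.get("risk", "none") not in {"medium", "high"}:
            continue
        followups = [
            (e["kind"], e["action"], e["ts"])
            for e in events
            if e.get("user") == login["user"]
            and login["ts"] <= e["ts"] <= login["ts"] + window
            and (e["kind"], e.get("action")) in interesting
        ]
        if followups:
            chains.append({"user": login["user"], "login_ts": login["ts"],
                           "src": login.get("src"), "followups": followups})
    return chains


def run(text: str = SAMPLE_LOG):
    """Apply both checks to a log export and return the findings."""
    events = parse_log(text)
    return find_unapproved_remote_tools(events), find_risky_login_chains(events)


if __name__ == "__main__":
    tools, chains = run()
    for host, user, image in tools:
        print(f"[remote-tool] {image} run by {user} on {host} is not on the allowlist")
    for c in chains:
        steps = ", ".join(f"{k}:{a} at {t:%H:%M}" for k, a, t in c["followups"])
        print(f"[risky-login] {c['user']} from {c['src']} at {c['login_ts']:%H:%M} followed by {steps}")
```

On the sample data the script reports one unapproved remote tool on `ws-014` and one chain for `jdoe`: a high-risk sign-in followed within minutes by a help-desk password reset and a new SMS MFA method. The 30-minute window is a tunable assumption; shrinking it to a minute yields no chain, which is the knob a SOC would adjust against its own help-desk volume.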

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4031736/tangled-in-the-web-scattered-spiders-tactics-changing-to-snare-more-victims.html
