Organisations concerned about the possible impact of cyber attacks originating through the threat actor tracked variously as Scattered Spider, UNC3944 and 0ktapus can avail themselves of free worldwide threat briefings available from researchers at cloud detection and response startup Permiso.
Scattered Spider has been active for over a year, but has achieved renewed prominence in the past few weeks with a series of damaging cyber attacks on two high-profile operators of casinos in Las Vegas – MGM Resorts and Caesars Entertainment.
Its current modus operandi appears to centre on gaining elevated admin rights within victims' cloud tenants and then conducting social engineering attacks against their IT helpdesks to achieve persistence.
Besides MGM Resorts and Caesars Entertainment, its victimology includes mostly Fortune 2000 companies in sectors such as hospitality, manufacturing, retail, software and telecoms. Its ultimate goal appears to be to steal intellectual property (IP) and other data for extortion, and it may in some cases act as an affiliate of ransomware-as-a-service (RaaS) provider ALPHV/BlackCat.
Permiso, which tracks the threat actor through its P0 Labs team under the designation LUCR-3, has already supported several organisations that have been attacked by it.
Company co-founder and CEO Jason Martin, who previously worked at FireEye for a number of years, said Permiso was moved to offer free briefings because the group is renowned for being tricky to pin down precisely.
“LUCR-3 (AKA Scattered Spider) is a threat actor group the P0 Labs team has been following closely in the past year. They are orchestrating campaigns across cloud environments that touch not only the cloud hosting providers like [Microsoft] Azure or AWS [Amazon Web Services], but span across identity providers and multiple SaaS environments like CRMs [customer relationship management tools], team collaboration tools, productivity suites and into CI/CD [continuous integration/continuous delivery] pipelines,” explained Martin.
“They cover their tracks meticulously and can be difficult to detect, but we’ve learned a great deal about their TTPs [tactics, techniques and procedures] and want to freely share that with the broader community to help organisations defend against this group.”
A big part of Scattered Spider’s “success” to date has been something of a deficit in many organisations’ cloud security postures, particularly as they relate to runtime visibility. Martin explained that while point-in-time scanning and snapshot solutions are adept at assessing the posture of a cloud environment to ensure resources are configured securely against rudimentary attacks, detecting attacks against environments at runtime still presents a significant challenge.
This challenge is magnified by Scattered Spider because it moves easily and effectively across authentication boundaries over the entire cloud attack surface. Moreover, because much of its access and activity in the cloud is conducted through shared credentials such as roles and access keys, tracking that activity to one individual is difficult, and telling a genuine user apart from a cyber criminal is harder still. As a result, many of Scattered Spider’s attacks have likely gone undetected until it was too late.
The use of shared credentials in this way by threat actors is a clear trend at this point. As a recent CrowdStrike report revealed, there has been a significant ramp-up in attempts to steal secret keys and other credential material via cloud instance metadata application programming interfaces (APIs).
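The runtime-detection gap described above is concrete enough to illustrate. The following is an added example, not code from the article or from Permiso: it scans constructed CloudTrail-style records for API calls made with an EC2 instance role's session (the session name is the instance id, so the credentials came from that instance's metadata service) from an address the instance is not known to use, which is what credential theft via the metadata API looks like in the logs. The event list and the instance-to-IP inventory (`SAMPLE_EVENTS`, `KNOWN_INSTANCE_IPS`) are made up for the example.

```python
import ipaddress

# Constructed CloudTrail-style records (sample data made up for this example).
ROLE_ARN = "arn:aws:sts::111111111111:assumed-role/WebAppRole/i-0abc123def456"
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventID": "e2", "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventID": "e3", "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventID": "e4", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
]

# Assumed inventory (constructed): instance id -> addresses that instance legitimately uses.
KNOWN_INSTANCE_IPS = {"i-0abc123def456": {"10.0.1.25"}}


def instance_id_from_arn(arn):
    """Return the EC2 instance id when an assumed-role session name is one,
    i.e. the credentials were issued to that instance via its metadata service; else None."""
    parts = arn.split("/")
    if len(parts) == 3 and parts[0].endswith(":assumed-role") and parts[2].startswith("i-"):
        return parts[2]
    return None


def find_credential_misuse(events, instance_ips):
    """Flag calls made with an instance role's session from an address the
    instance itself is not known to use. Returns (eventID, instance, eventName, ip)."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # only instance-profile sessions are of interest here
        inst = instance_id_from_arn(ident.get("arn", ""))
        if inst is None:
            continue
        try:
            src = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            continue  # calls made on the instance's behalf by an AWS service carry a DNS name, not an IP
        if str(src) not in instance_ips.get(inst, set()):
            findings.append((ev["eventID"], inst, ev["eventName"], str(src)))
    return findings


if __name__ == "__main__":
    for finding in find_credential_misuse(SAMPLE_EVENTS, KNOWN_INSTANCE_IPS):
        print("possible instance credential exfiltration:", finding)
```

In a real deployment the inventory would come from the EC2 API (private and public addresses, NAT gateway egress) and the check would run on streamed CloudTrail events rather than a static list.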
Interested parties can schedule threat briefings with the P0 Labs team at their convenience. These will be led by P0 Labs senior vice-president Ian Ahl, who was formerly head of advanced practices at Google Cloud-backed Mandiant.
Among other things, the briefings will cover the TTPs of the gang, its role in extortion through data theft, and its recent attacks against multiple cloud environments. Ahl will also cover how end-user security teams can develop detections in their own environments based on Scattered Spider’s attack patterns, and other basic steps they can take to prevent breaches and reduce dwell times.
Read more about the Las Vegas cyber heist
- 12 September 2023: Multiple systems at US hotel and casino operator MGM went down in the wake of the incident on 10 September, crippling several of Las Vegas’ most prominent casinos.
- 14 September: The ALPHV/BlackCat ransomware operation claimed responsibility for an attack that forced MGM Resorts to shut down systems at some of Las Vegas’ most popular gambling venues.
- 15 September: Caesars Entertainment, owner of the lavish Roman Empire-themed Caesars Palace casino in Las Vegas, has revealed it also suffered a ransomware attack, and appears to have paid off its hackers.
- 19 September: Okta CISO David Bradbury confirms widespread speculation about the high-profile cyber attacks on two Las Vegas casino operators, revealing that the threat actors responsible had indeed abused its services as they earlier claimed.