• The Federal Bureau of Investigation (FBI) and Cybersecurity & Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory in response to recent activity by the threat actor group known as Scattered Spider.
• Scattered Spider is known to target large companies holding sensitive data – including financial services, telecommunications, business process outsourcing, hospitality, and cryptocurrency firms – for ransomware attacks.
• Scattered Spider largely relies upon impersonating IT support professionals and manipulating target company employees into sharing passwords or running malicious executables through remote access software. 

Large companies holding sensitive data – including financial services, telecommunications, business process outsourcing, hospitality, and cryptocurrency firms – as well as their IT helpdesks, are increasingly being targeted by ransomware attacks. The Federal Bureau of Investigation (FBI) and Cybersecurity & Infrastructure Security Agency (CISA) have jointly released a cybersecurity advisory in response to recent activity by the threat actor group known as Scattered Spider. Scattered Spider received significant attention in September 2023 when it launched a ransomware attack against multiple casino operators, the details of which became known in securities filings following the SEC’s adoption of data breach reporting rules for public companies in July 2023. Scattered Spider has re-emerged in recent days launching ransomware attacks against multiple targets in a short span of time. The main details of the advisory are summarized below, though clients should direct their IT professionals to consult the full advisory.

What techniques are Scattered Spider employing?

Scattered Spider operatives have been reported to be posing as company IT or helpdesk staff in order to obtain credentials from employees, or to direct employees to run remote access tools that permit Scattered Spider to access a company network. Because IT support is also frequently offered through the use of remote access tools, Scattered Spider has been able to successfully impersonate IT professionals on a number of occasions. Similarly, Scattered Spider has been making use of multi-factor authentication tools (again utilizing tools that are familiar to employees who frequently utilize tech support) to prompt employees to share passwords and/or run remote access tools.

What can be done to mitigate the threat?

The FBI and CISA recommend the use of the following measures:

• Address the threat of remote access tools:
  • This includes auditing remote access tools on a company network, reviewing logs for execution of remote access software, and requiring only authorized remote access solutions to be used only from within a company network.
• Implementing application controls that manage and control execution of software. The use of “allow-listing” (that is, only allowing pre-defined software to be executed) can block un-listed application execution, including execution of malicious files that are compressed, encrypted, or otherwise obfuscated.
• Implementing multi-factor authentication based on public key infrastructure, which is known to resist the tactics utilized by Scattered Spider.
• Strictly limiting the use of remote desktop protocols and, when using, taking extra precautions such as locking out accounts after a specified number of attempts and logging in remote desktop logins.

• Implementing recovery plans and retaining multiple copies of sensitive data that could be targeted in a ransomware attack, including maintaining offline backups.
• Requiring all accounts with passwords to comply with NIST password standards.
• Requiring phishing-resistant multi-factor authentication for all services to the extent possible. 
• Keeping operating systems, software, and firmware up to date.
• Segmenting networks to prevent the spread of ransomware.
• Monitoring networks for abnormal activity.
• Installing and regularly updating antivirus software. 
• Disabling unused ports and protocols. 
• Ensuring that backup data is encrypted, that it cannot be altered, and that it covers the entire organization’s infrastructure.