Governance & Risk Management , Incident & Breach Response , Patch Management

As Attackers Refine Tactics, 'Speed Matters,' Experts Warn

What Are Effective Strategies for Combating Fast Actors Such as Scattered Spider?
As Attackers Refine Tactics, 'Speed Matters,' Experts Warn
Patch quickly; the hackers are coming. (Shutterstock)

Advanced attackers increasingly feel the need for speed, sometimes requiring "only a couple of hours between compromise and exfiltration" of data.

See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility

So warn security researchers from Palo Alto's Unit 42 threat intelligence group in a review of major hackers' favorite 2023 strategies for infiltrating organizations, exfiltrating data, crypto-locking systems with ransomware and more.

"Speed matters," said Wendi Whitmore, a senior vice president at Unit 42. "The time between initial compromise and data exfiltration is decreasing. Attackers are sometimes beginning to exfiltrate data in hours, not days. Defenders need to speed up as well."

That includes patching. Unit 42 said one of the top three security weaknesses being exploited by attackers remains unpatched vulnerabilities on internet-facing systems. Based on the hack attacks it investigated last year, these were the five vulnerabilities most often used to gain initial access. One of them is over four years old.

  • CVE-2023-3519 in Citrix NetScaler ADC/Gateway, patched in July 2023
  • CVE-2023-22952 in SugarCRM, patched in January 2023
  • CVE-2021-44228 in Apache Log4j, patched in late 2021
  • CVE-2023-34362 in MOVEit secure file transfer software, patched on May 31, 2023, just days after the Clop group exploited it en masse;
  • CVE-2020-14882 in Oracle WebLogic, patched in November 2020 when it was already being actively exploited

The other two biggest security weaknesses Unit 42 cataloged last year are incomplete security control coverage - especially around endpoint security and extended detection and response tools - and attackers stealing and using legitimate identities, including by stealing session cookies.

Watching How Überhackers Work

Attackers that combine all three tactics can be especially damaging.

Enter the financially motivated hacking group with the codename Muddled Libra, which last year was "by far the most damaging threat actor," tied to over a dozen attacks Unit 42 investigated. Some of these attacks involved ransom demands worth tens of millions of dollars, Unit 42 said.

Also known as Scattered Spider, Octo Tempest and UNC3944, the group's members "are considered experts in social engineering and use multiple social engineering techniques - especially phishing, push bombing, and subscriber identity module (SIM) swap attacks - to obtain credentials, install remote access tools, and/or bypass multi-factor authentication," the FBI and the Cybersecurity and Infrastructure Security Agency said in a joint security alert last November.

Experts said that beginning around the middle of 2023, the group began functioning as an affiliate for the now-defunct Russian-speaking ransomware group Alphv, aka BlackCat, and often exfiltrated stolen data before leaving system crypto-locked and held to ransom.

"The group includes people with strong English language skills, which they use in written and spoken communications," Unit 42 said. "It's possible they speak English as a first language, and it's possible they are located in North America, or even the United States."

Working with BlackCat, by September 2023 the group hit Caesars Entertainment, which paid half of attackers' $30 million ransom demand, and MGM Resorts, which paid no ransom.

Experts say the group has amassed well over 100 victims and regularly uses a variety of tactics for gaining initial access to targets. They include working with initial access brokers, stealing credentials from user systems, gaining access to infrastructure already compromised by an associate and exploiting unpatched vulnerabilities.

"Perhaps the highest-impact access method is scamming the target's IT help desk," Unit 42 said. Regularly used tactics include requesting password changes and changing a mobile phone number, often backed by a "sob story." In some cases, the group keeps calling back as it identifies additional accounts to target.

"In one case that Unit 42 worked, the attackers successfully hoodwinked the help desk three separate times," it said.

Often, the attackers impersonate the IT help desk, to steal one-time codes a victim receives or to trick them into installing remote management and monitoring tools, which they use to infect victims with ransomware, the FBI and CISA's joint advisory says.

Last year, the group "indiscriminately leveraged dozens of RMM tools for lateral movement across numerous intrusions," including "open source RMM utilities like RustDesk and newer utilities like FleetDeck," says a new report from cybersecurity firm Red Canary. It said an effective strategy to combat the use of RMM tools would likely center on enforcing allowlists and blocklists for applications permitted to run on users' systems.

After they gain access to a victim's network, members of Scattered Spider may lurk in their environment and study a target's Slack, Microsoft Teams or email for signs their intrusion has come to light. "The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses," the joint advisory says.

Attackers May Be Eavesdropping

Experts regularly recommend keeping abreast of tactics used by groups such as Scattered Spider and reviewing defenses to ensure they can cope. "Thwarting Muddled Libra requires interweaving tight security controls, diligent awareness training and vigilant monitoring," Unit 42 said in a blog post.

The researchers particularly recommend having baselines of typical activity and configurations, especially to spot unexpected changes in infrastructure, dormant accounts becoming active, a sharp increase in remote management tool usage, a sudden surge in multifactor authentication push requests, or the sudden appearance of red-team tools in the environment (see: Block This Now: Cobalt Strike and Other Red-Team Tools).

"If you see red-teaming tools in your environment, make sure there is an authorized red-team engagement underway," Unit 42 said. "One SOC we worked with had a company logo sticker on the wall for each red team they'd caught."

Some effective defenses involve a heavy dose of process and procedure, rather than just technology. Especially with MFA and someone who appears to have lost their phone and is trying to reenroll, which shouldn't happen often, "put additional scrutiny on changes to high-privileged accounts," Unit 42 said. "Consider a policy that requires live visual and audible verification with a third party, such as the requestor's direct supervisor." Even though this might slow down approvals, these tactics can empower employees to resist attackers' attempts to pressure them.

As defenders close gaps, attackers often innovate. Scattered Spider started 2023 with a focus "on phishing and social engineering the end users themselves," Unit 42 said. "As time went on, they moved toward taking over their accounts by social engineering the IT helpdesk or by abusing self-service password reset procedures" and by much more quickly moving from initial access to their objective.

Who knows what 2024 might hold?


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.