Scattered Spider burst onto the cybersecurity scene in 2022 and has since rapidly grown into a significant threat actor. The group has shown an aggressive and sophisticated use of identity-based TTPs to exploit vulnerabilities, bypassing multi-factor authentication (MFA) with ease and winning by taking control of privileged accounts. In their wake they’ve left piles of stolen data and financial damages amounting to billions for corporations across the globe.
The recent attacks on M&S and Co-op show just how damaging Scattered Spider’s tactics can be. They have successfully deployed ransomware, exfiltrated sensitive data from cloud services, and altered or deleted key security logs to avoid detection. Scattered Spider is what’s known as a “post-MFA” threat actor: they expertly undercut the very security measures that companies are counting on to protect themselves.
Scattered Spider has leveraged a sophisticated toolkit that includes Advanced Identity Theft Management (AiTM), the tool these criminal enterprises use to get around MFA protocols. The group has also used phishing pages hosted on Evilginx as an attack vector to support their operations. With these advanced tactics they gain unauthorized access with ease and are often able to conduct their business largely invisibly.
In one high-profile case last month, Scattered Spider demonstrated their cleverness by posing as an IT user and persuading an outsourced help desk to reset credentials. That oversight let the hackers steal a customer loyalty program database from Caesars, a breach whose impact was a jaw-dropping $15 million ransom payment. Just a month later, they again demonstrated their capability by leveraging LinkedIn information to impersonate an employee at MGM Resorts, leading to the theft of 6 terabytes of data.
Scattered Spider’s ability to manipulate self-service password reset functionality on platforms such as Okta or Entra has further amplified their reach. They then covered their tracks in the cloud by deleting cloud logs and filtering suspicious AWS CloudTrail logs to make them look benign, while keeping logging active so that they avoided alarming the cloud service provider.
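The log tampering described above leaves its own trace: CloudTrail records the API calls that stop, delete or reshape a trail. The following detection logic is an added example and is not part of the original article; it scans constructed sample records in CloudTrail's JSON shape (the account ID, ARNs, IPs and function names are placeholders I chose) and flags the management events that change what gets logged.

```python
import json

# CloudTrail management API names that alter logging coverage. These are
# real CloudTrail API names; treating them as a watchlist is my assumption.
TAMPERING_EVENTS = {
    "StopLogging",        # trail stops recording entirely
    "DeleteTrail",        # trail is removed
    "UpdateTrail",        # destination bucket / region scope changed
    "PutEventSelectors",  # trail stays active but records fewer events
}

# Constructed sample records (not real logs); account ID is the AWS
# documentation placeholder, IPs are from reserved documentation ranges.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"},
     "sourceIPAddress": "198.51.100.10", "eventTime": "2024-01-01T10:00:00Z"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/helpdesk-reset"},
     "sourceIPAddress": "203.0.113.7", "eventTime": "2024-01-01T10:05:00Z"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/helpdesk-reset"},
     "sourceIPAddress": "203.0.113.7", "eventTime": "2024-01-01T10:06:00Z"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"},
     "sourceIPAddress": "10.0.0.5", "eventTime": "2024-01-01T10:07:00Z"},
]


def parse_cloudtrail_file(text):
    """Parse a CloudTrail log-file body ({"Records": [...]}) into a list."""
    return json.loads(text).get("Records", [])


def find_logging_tampering(records):
    """Return one alert per event that stops, deletes or narrows a trail."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") in TAMPERING_EVENTS:
            alerts.append({
                "time": rec.get("eventTime"),
                "actor": rec.get("userIdentity", {}).get("arn"),
                "ip": rec.get("sourceIPAddress"),
                "action": rec["eventName"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_logging_tampering(SAMPLE_RECORDS):
        print(f"{a['time']} {a['actor']} from {a['ip']} called {a['action']}")
```

Because a trail whose event selectors have been narrowed still reports as active, alerting on PutEventSelectors catches the "keep it running but make it blind" case as well as outright deletion.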
It’s clear that Scattered Spider’s activities have taken a severe financial toll: M&S has lost hundreds of millions in profits due to their attacks. This year the group’s tactics have spread widely, because for bad actors they provide an easy, repeatable, and scalable method to circumvent security features and obtain access to accounts.
Experts note that Scattered Spider has moved beyond conventional delivery methods such as email. This calculated decision to concentrate their activities makes their phishing campaigns more efficient. Their identity-first toolkit is quickly becoming standard practice among other threat groups, raising concerns about the future of cybersecurity defenses.