Emerging threats in the retail sector | Softcat

Scattered Spider: Emerging threats in the retail sector

What threat does Scattered Spider pose to the retail sector, and how can you protect your organisation?

Paul Solomon

Head of Cyber Security Services


Greg Smith

Cyber Sales Engineer


Kim Ansell

Cyber Security Coordinator

Who is Scattered Spider?

Scattered Spider is a financially driven threat actor group, known under aliases such as 0ktapus, Scatter Swine, UNC3944 and Octo Tempest. It has targeted major organisations across various verticals including telecommunications, finance, hospitality, technology and, most recently, retail.

Since its activity began in May 2022, Scattered Spider has been known to engage in data theft, extortion, ransomware attacks and cryptocurrency theft. Orpheus Cyber has stated that Scattered Spider's methods have included social engineering, SIM swapping, MFA fatigue and adversary-in-the-middle (AiTM) techniques. It utilises tools such as Mimikatz, TruffleHog and Ngrok for lateral movement and persistence, and infostealers like Raccoon and VIDAR for data theft. The group began with smaller efforts aimed at individuals, before moving on to SIM swap campaigns to steal cryptocurrency from high-value victims.

Despite several arrests in the US, UK and Spain, Scattered Spider continues to operate and has been linked to ransomware groups such as RansomHub, Qilin and, more recently, DragonForce. This is uncommon in cyber security: threat actors are usually warned off by arrests, and their activity tends to reduce. Groups are often more fearful of being caught by the authorities, which leads their operations to fade, even if only temporarily. The fact that Scattered Spider persists despite these arrests should raise, and has raised, alarms about its capabilities.

Targeted sectors and methods

Scattered Spider has primarily targeted sectors such as telecommunications, finance, hospitality, technology and retail. It has often gained access through social engineering, impersonating employees or IT staff to deceive helpdesk staff into resetting credentials or bypassing MFA. Orpheus Cyber has noted that once these threat actors have initial access, they move quickly from identity providers to internal systems, focussing on compromising privileged accounts and disabling security controls.

Some easy-to-implement, yet effective protective measures are:

  • Enforce least privilege. Any device or account with more access than it requires poses a risk when in the wrong hands. Removing unneeded access also reduces the chances of privilege escalation, because fewer exploitable capabilities are present.
  • Monitor appropriate log sources, ensure they are retained and available for investigations, and use behavioural analytics (UEBA) where possible. The most important log sources are firewalls, authentication logs (such as Entra ID sign-in logs), IPS tooling and endpoints. UEBA baselines normal user activity and correlates deviations from it that may reveal an attacker's intentions. The events generally considered are login time, location, device, access patterns, failed logins and peer groups.
  • Ensure strict helpdesk verification for any identity-related cases. Scattered Spider uses sophisticated social engineering to trick helpdesk administrators, who unknowingly give attackers access to targeted accounts. Multi-factor authentication should use SMS only as a last resort, as it is the easiest factor to intercept. Instead use rolling codes from an authenticator app or, better still, a security key.
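To make the UEBA bullet concrete, here is an added example (not Softcat's or Orpheus Cyber's code) that learns a per-user baseline of login hours, countries and devices from constructed sign-in records, then flags a successful sign-in that deviates from that baseline or follows a burst of failures. The event field names are an assumption for the example, not a vendor log schema, and peer-group comparison is left out for brevity.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events, loosely shaped like identity-provider logs.
# Field names are assumptions for this example, not a real vendor schema.
HISTORY = [
    {"user": "alice", "ts": "2024-05-01T09:02:00", "country": "GB", "device": "LT-01", "result": "success"},
    {"user": "alice", "ts": "2024-05-02T08:47:00", "country": "GB", "device": "LT-01", "result": "success"},
    {"user": "alice", "ts": "2024-05-03T09:15:00", "country": "GB", "device": "LT-01", "result": "success"},
]
NEW_EVENTS = [
    {"user": "alice", "ts": "2024-05-04T03:10:00", "country": "GB", "device": "LT-01", "result": "failure"},
    {"user": "alice", "ts": "2024-05-04T03:11:00", "country": "GB", "device": "LT-01", "result": "failure"},
    {"user": "alice", "ts": "2024-05-04T03:12:00", "country": "GB", "device": "LT-01", "result": "failure"},
    {"user": "alice", "ts": "2024-05-04T03:13:00", "country": "US", "device": "UNKNOWN-7", "result": "success"},
]

def build_baseline(events):
    """Learn, per user, the countries, devices and login hours seen on successful sign-ins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return base

def score_events(events, baseline, fail_threshold=3):
    """Return {(user, ts): [reasons]} for successful sign-ins that deviate from the
    baseline or follow fail_threshold or more failures (a pattern worth reviewing
    alongside helpdesk resets and repeated MFA prompts)."""
    alerts, failures = {}, defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if e["result"] != "success":
            failures[user] += 1
            continue
        reasons, b = [], baseline.get(user)
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["country"] not in b["countries"]:
                reasons.append(f"new country {e['country']}")
            if e["device"] not in b["devices"]:
                reasons.append(f"new device {e['device']}")
            if datetime.fromisoformat(e["ts"]).hour not in b["hours"]:
                reasons.append("outside usual login hours")
        if failures[user] >= fail_threshold:
            reasons.append(f"success after {failures[user]} failures")
        failures[user] = 0
        if reasons:
            alerts[(user, e["ts"])] = reasons
    return alerts
```

In practice the baseline would be built over weeks of data and each reason weighted; the point here is that the same few fields the bullet lists are enough to surface a sign-in that deserves an analyst's attention.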

Softcat offers a wide range of cyber security solutions to support your organisation. You can find out more here.