Who is Scattered Spider? The fast-rising cyber gang behind the MGM attacks
Scattered Spider is a US-UK cyber gang that has been around for two years now and has become infamous for SMS phishing and phone-based social engineering. In the short period that it has existed, the group has already managed to hit over 100 companies, its latest victim being MGM Resorts in Las Vegas.
Scattered Spider has already claimed responsibility for the attack on the Vegas hotel and entertainment giant that forced them to shut down large parts of their internal network for several days.
From this recent attack it seems the gang has upgraded its tactics to include data-stealing ransomware, and according to security firm Mandiant, it is just the beginning.
"These changes in their end goals signal that the industries targeted by UNC3944 (Scattered Spider) will continue to expand," Mandiant wrote in its recent analysis of the group’s evolving tactics.
The security firm noted that Scattered Spider has broadened its targets beyond telecommunications and business process outsourcer (BPO) companies to a wide range of industries, including hospitality, retail, media and entertainment, and financial services.
The group's first major phishing campaign was in 2022, when it went after businesses using Okta for authentication. In that campaign, Scattered Spider used text messages to send targets to fake company authentication pages, allowing it to steal 9,931 user credentials and 5,441 multi-factor authentication codes.
Mandiant says it has identified three main phishing kits used by the cyber gang, including one called Eightbait that was used between late 2021 and mid-2022 to send harvested credentials to an attacker-controlled Telegram channel and deploy the remote-desktop tool AnyDesk to a victim's system.
Scattered Spider then ditched it for another kit it built using scraped copies of targeted companies' authentication pages.
The third kit emerged in mid-2023, and Mandiant says the gang uses it in conjunction with the second iteration. "Both are similar, but minor changes to the kit's code suggest that the theme used by the second kit was probably retrofitted into a new tool," the security team from Mandiant said.
The crew has also tried to obtain credentials stored in private GitHub repositories using publicly available tools such as Trufflehog and GitGuardian. In one case, it even used MicroBurst, an open-source Azure penetration-testing tool, to steal credentials from an Azure tenant.
Some other information-stealing tools the group has been known to use include Ultraknot, Vidar and Atomic.
Once the gang has access to a company's systems, it uses legitimate everyday software to explore and monitor the network as it looks for ways to escalate privileges and reach confidential data.