Scattered Spider Strikes Again: The Group Behind the MGM Attack Launches a New Campaign Targeting the Financial Sector

Scattered Spider, BlackCat/ALPHV, MGM Resorts, Financial Sector
Scattered Spider, a hacking group previously linked to cyberattacks on MGM Resorts and Clorox, has recently shifted its focus to the financial sector. This cybercriminal group employs sophisticated techniques including social engineering, data theft, and ransomware to target banks and insurance companies. The FBI and CISA have issued advisories warning about the group's methods, which include the deployment of ransomware such as BlackCat/ALPHV to encrypt and extort their targets.

Indicators of Compromise


APT Groups

Scattered Spider (aliases: Storm-0971, Oktapus, 0ktapus, Muddled Libra, Scatter Swine, Scattered Swine, Octo Tempest, DEV-0971, UNC3944)

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Recommendations for Enhancing Cybersecurity Against Scattered Spider Threats

The FBI and CISA suggest the following mitigations to strengthen cybersecurity defenses and minimize the risk posed by Scattered Spider actors. These align with the Cross-Sector Cybersecurity Performance Goals (CPGs) from CISA and NIST.

Application Controls and Remote Access Management

  1. Control Software Execution: Implement application controls that allowlist approved remote access programs and block all other software from running. This stops unauthorized tools, including malware that might otherwise evade antivirus detection.

  2. Audit Remote Access Tools: Regularly audit and review logs for remote access tools to detect unauthorized use.

  3. Use Security Software: Deploy security software to detect remote access tools loaded in memory. Ensure remote access solutions are used only through approved VPNs or VDIs.

  4. Network Controls: Block remote access software ports at the network perimeter and follow the Guide to Securing Remote Access Software.

Multifactor Authentication (MFA) and Remote Desktop Protocol (RDP)

  1. Implement Robust MFA: Use FIDO/WebAuthn or PKI-based MFA to protect against phishing, push bombing, and SIM swapping.

  2. Limit RDP Usage: Minimize RDP use and follow best practices:

    • Audit for RDP use.

    • Close unused RDP ports.

    • Enforce account lockouts after several failed attempts.

    • Apply MFA.

    • Log RDP attempts.

Recovery and Backup Strategies

  1. Develop a Recovery Plan: Keep multiple copies of critical data in separate, secure locations.

  2. Maintain Offline Backups: Regularly update offline backups to mitigate business disruptions.

Password Management and Network Security

  1. Adhere to NIST Password Standards: Use strong, unique passwords, and consider a password manager. Avoid password reuse, and do not force frequent password changes.

  2. Account Security:

    • Lock accounts after multiple failed login attempts.

    • Disable password hints.

    • Require administrator credentials for software installation.

Additional Security Measures

  1. Phishing-Resistant MFA: Require phishing-resistant MFA for all critical services.

  2. Timely Patching: Keep systems and software updated, prioritizing known vulnerabilities.

  3. Network Segmentation: Segment networks to control and limit the spread of ransomware.

  4. Network Monitoring: Use monitoring tools to detect and log network traffic and lateral movements. EDR tools are particularly effective.

  5. Antivirus Software: Regularly update and enable real-time detection.

  6. Disable Unused Ports: Close unused ports and protocols to reduce attack surfaces.

  7. Email Security: Add warning banners to e-mails received from outside the organization and disable hyperlinks in received e-mail.

  8. Secure Backup Data: Ensure backups are encrypted and immutable to protect against data tampering.

Implementing these measures will significantly enhance cybersecurity defenses and mitigate risks from Scattered Spider and similar threats.
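The indicators published for this campaign follow a recognisable naming pattern: a victim brand combined with an SSO, Okta, HR or service-desk token (victimname-sso.com, victimname-okta.com, victimname-servicedesk.com and similar). The log-review recommendations above can be turned into a simple detection for that pattern. The script below is an added example, not code from the advisory or from CISA; the brand names, legitimate domains and DNS log lines are constructed, and a real deployment would use a public-suffix list rather than the last-two-labels shortcut used here.

```python
from typing import Iterable, List, Tuple

# Tokens that the campaign's lookalike domains pair with a brand name
# (derived from the naming pattern of the published indicators).
LOOKALIKE_TOKENS = ("sso", "okta", "hr", "hrs", "servicedesk", "helpdesk", "workspace")

# Constructed example: the defender's own brand names and legitimate domains.
BRAND_NAMES = {"examplecorp", "excorp"}
LEGIT_DOMAINS = {"examplecorp.com", "examplecorp.okta.com"}

# Constructed DNS query log sample: "<timestamp> <client-ip> <query-name>".
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.1.2.3 examplecorp.okta.com
2024-05-01T08:00:05Z 10.1.2.3 examplecorp-sso.com
2024-05-01T08:01:10Z 10.1.2.9 www.examplecorp-hr.com
2024-05-01T08:02:00Z 10.1.2.9 sso.examplecorp.com
2024-05-01T08:03:30Z 10.1.2.5 excorpsso.com
2024-05-01T08:04:00Z 10.1.2.7 news.example.org
"""

def registrable(qname: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_lookalike(qname: str) -> bool:
    """True if the domain is <brand>[-]<token>.<tld> and not one of our own."""
    q = qname.lower().rstrip(".")
    # Our own domains and their subdomains are never lookalikes.
    if any(q == d or q.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    label = registrable(q).split(".")[0]
    for brand in BRAND_NAMES:
        for token in LOOKALIKE_TOKENS:
            if label in (f"{brand}-{token}", f"{brand}{token}", f"{token}-{brand}"):
                return True
    return False

def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client-ip, query-name) pairs that resolved a lookalike domain."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        if is_lookalike(qname):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for client, qname in scan_log(SAMPLE_LOG.splitlines()):
        print(f"lookalike query: {client} -> {qname}")
```

Each hit is a client that resolved a brand-plus-SSO/HR lookalike, which is the moment to check whether a credential prompt was reached and to confirm that the affected account is protected by phishing-resistant MFA.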

