
Scattered Spider Strikes Again: The Group Behind the MGM Attack Launches a New Campaign Targeting the Financial Sector
Recommendations for Enhancing Cybersecurity Against Scattered Spider Threats
The FBI and CISA suggest the following mitigations to strengthen cybersecurity defenses and minimize the risk posed by Scattered Spider actors. These align with the Cross-Sector Cybersecurity Performance Goals (CPGs) from CISA and NIST.
Application Controls and Remote Access Management
Control Software Execution: Implement application controls that allowlist approved remote access programs and block unauthorized software. This stops remote access tools and malware that may evade antivirus detection from running at all.
Audit Remote Access Tools: Regularly audit and review logs for remote access tools to detect unauthorized use.
Use Security Software: Deploy security software that can detect remote access tools loaded in memory. Ensure remote access solutions are used only through approved VPNs or VDIs (virtual desktop infrastructure).
Network Controls: Block remote access software ports at the network perimeter and follow the Guide to Securing Remote Access Software.
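As an added illustration of the "control software execution" and "audit remote access tools" points above (this is example code written for this page, not FBI/CISA or any vendor's tooling), the following script reviews process-creation log lines, matches the executable's base name against a watch list of remote access tools, and reports every execution that is not on the approved allowlist. The log line format, host and user names, the tool catalogue and the allowlist are all constructed sample data; in practice the records would come from an EDR or Sysmon process-creation feed.

```python
"""Audit process-creation records for remote access tools outside the allowlist.

Constructed example: the tool catalogue, the approved list and the sample log
lines below are illustrative, not taken from any real environment.
"""
import re
from collections import Counter

# Hypothetical catalogue of remote access tool executables a defender watches for.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "rustdesk.exe",
    "splashtop.exe",
}

# In this hypothetical environment only one tool is approved for support staff.
APPROVED_TOOLS = {"screenconnect.clientservice.exe"}

# key=value fields; a value may be double-quoted so that paths can contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one 'key=value key="quoted value"' record into a dict."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in FIELD_RE.finditer(line)
    }


def image_basename(path):
    """Lower-cased executable name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit_remote_access(lines):
    """Return (host, user, image) for each remote access tool run that is
    not on the approved allowlist."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = image_basename(ev.get("image", ""))
        if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_TOOLS:
            findings.append((ev.get("host"), ev.get("user"), image))
    return findings


def summarize_by_host(findings):
    """Count unapproved remote access executions per host for triage."""
    return Counter(host for host, _, _ in findings)


# Constructed sample process-creation records (raw strings keep the backslashes).
SAMPLE_EVENTS = [
    r'ts=2024-05-01T09:12:01Z host=WS-017 user=j.doe image="C:\Users\j.doe\Downloads\AnyDesk.exe"',
    r'ts=2024-05-01T09:15:40Z host=WS-022 user=helpdesk image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"',
    r'ts=2024-05-01T09:20:03Z host=SRV-DB1 user=svc_backup image="C:\Windows\Temp\rustdesk.exe"',
    r'ts=2024-05-01T09:21:17Z host=WS-017 user=j.doe image="C:\Windows\System32\notepad.exe"',
    r'ts=2024-05-01T09:30:55Z host=WS-031 user=a.smith image="C:\Users\a.smith\AppData\Local\TeamViewer\TeamViewer.exe"',
]


if __name__ == "__main__":
    hits = audit_remote_access(SAMPLE_EVENTS)
    for host, user, image in hits:
        print(f"UNAPPROVED remote access tool: {image} run by {user} on {host}")
    print("per-host summary:", dict(summarize_by_host(hits)))
```

The allowlist check is deliberately on the executable name only, which is enough to surface a user-installed copy of an unapproved tool; the approved ScreenConnect run on WS-022 is not reported, while the downloads-folder AnyDesk, the temp-directory RustDesk and the per-user TeamViewer install are. Pairing this with the in-memory detection and the network-perimeter port blocks listed above catches renamed binaries that a name match alone would miss.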
Multifactor Authentication (MFA) and Remote Desktop Protocol (RDP)
Implement Robust MFA: Use FIDO/WebAuthn or PKI-based MFA to protect against phishing, push bombing, and SIM swapping.
Limit RDP Usage: Minimize RDP use and follow best practices:
Audit for RDP use.
Close unused RDP ports.
Enforce account lockouts after several failed attempts.
Apply MFA.
Log RDP attempts.
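To show what the "log RDP attempts" and "enforce account lockouts" items buy a defender, here is an added example (written for this page, not FBI/CISA code) that runs over constructed Windows Security event summaries. It keys on the well-known event IDs 4625 (failed logon) and 4624 (successful logon) restricted to logon type 10 (RemoteInteractive, i.e. RDP), raises an alert when one source IP fails against one account more than a threshold number of times inside a sliding window, and raises a second, higher-priority alert if that same source then logs on successfully. The threshold and window values, the IP addresses, account names and timestamps are all constructed sample values.

```python
"""Detect RDP password guessing, and success after a burst of failures, from
Windows Security events. Constructed example; event records are illustrative.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = 4624    # Windows Security: an account was successfully logged on
REMOTE_INTERACTIVE = 10    # logon type 10 = RemoteInteractive (RDP)


def parse_ts(value):
    """ISO-8601 'Z' timestamp to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_rdp_attacks(events, threshold=5, window_seconds=300):
    """Return alerts for RDP logon failures exceeding `threshold` per
    (source IP, account) within `window_seconds`, plus an alert for any
    successful RDP logon from a pair that was already flagged."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (src_ip, account) -> failure timestamps in window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue              # only RDP sessions are in scope here
        key = (ev["src_ip"], ev["account"])
        ts = parse_ts(ev["ts"])
        if ev["event_id"] == FAILED_LOGON:
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "rdp_password_guessing", "src_ip": key[0],
                               "account": key[1], "failures": len(q), "at": ev["ts"]})
        elif ev["event_id"] == SUCCESSFUL_LOGON and key in flagged:
            alerts.append({"type": "rdp_success_after_failures", "src_ip": key[0],
                           "account": key[1], "at": ev["ts"]})
    return alerts


def _ev(ts, event_id, logon_type, account, src_ip):
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "account": account, "src_ip": src_ip}


# Constructed sample events: one old failure outside the window, a burst of
# five failures against 'administrator' followed by a success, two benign
# typos from a workstation, and a network (type 3) failure that is ignored.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:30:00Z", FAILED_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:00:00Z", FAILED_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:00:07Z", FAILED_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:00:15Z", FAILED_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:00:22Z", FAILED_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:00:30Z", FAILED_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:00:45Z", SUCCESSFUL_LOGON, REMOTE_INTERACTIVE, "administrator", "10.0.0.50"),
    _ev("2024-05-01T09:02:10Z", FAILED_LOGON, REMOTE_INTERACTIVE, "j.doe", "10.0.0.8"),
    _ev("2024-05-01T09:02:20Z", FAILED_LOGON, REMOTE_INTERACTIVE, "j.doe", "10.0.0.8"),
    _ev("2024-05-01T09:02:31Z", SUCCESSFUL_LOGON, REMOTE_INTERACTIVE, "j.doe", "10.0.0.8"),
    _ev("2024-05-01T09:05:00Z", FAILED_LOGON, 3, "svc_backup", "10.0.0.50"),
]


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The threshold here mirrors an account-lockout policy: if the domain locks an account after five failures, the first alert fires at the moment the lockout would have engaged, and the second alert (a success from the same source right after the burst) is the one an analyst should treat as a probable compromise rather than noise. The 08:30 failure is discarded by the sliding window, and the two j.doe typos never reach the threshold.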
Recovery and Backup Strategies
Develop a Recovery Plan: Keep multiple copies of critical data in separate, secure locations.
Maintain Offline Backups: Regularly update offline backups to mitigate business disruptions.
Password Management and Network Security
Adhere to NIST Password Standards: Use strong, unique passwords, and consider password managers. Avoid password reuse, and do not force frequent password changes.
Account Security:
Implement lockouts after multiple failed login attempts.
Disable password hints.
Require administrator credentials for software installation.
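The password and account-security items above map onto a small set of enforceable checks. The following is an added example (not from the page, FBI/CISA or NIST) of a password-acceptance routine in the NIST SP 800-63B style: a minimum length of 8 and support for long passphrases, screening against a blocklist of common or compromised values, rejection of passwords containing the username, no composition rules, and a per-user history so that previous passwords cannot be reused. The blocklist, user names and candidate passwords are constructed; PBKDF2 is used for the history hashes only so the script runs with the standard library, and the iteration count and history depth are assumed settings rather than anything the page specifies.

```python
"""NIST SP 800-63B-style password acceptance with reuse prevention.

Constructed example: blocklist, users and candidate passwords are illustrative.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8
MAX_LENGTH = 64           # SP 800-63B says verifiers should accept at least 64
PBKDF2_ITERATIONS = 100_000   # assumed setting; use a tuned slow hash in production

# Constructed blocklist standing in for a list of common/compromised passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}


class PasswordPolicy:
    """Validate candidate passwords and keep a salted hash history per user
    so that changing back to an earlier password is refused."""

    def __init__(self, history_depth=5):
        self.history_depth = history_depth
        self._history = {}   # username -> list of (salt, hash), newest last

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)

    def _reused(self, username, candidate):
        for salt, digest in self._history.get(username, []):
            if hmac.compare_digest(self._hash(candidate, salt), digest):
                return True
        return False

    def validate(self, username, candidate):
        """Return (accepted, reason). No composition rules and no expiry:
        length, blocklist, username overlap and reuse are the only checks."""
        lowered = candidate.lower()
        if len(candidate) < MIN_LENGTH:
            return False, "too_short"
        if len(candidate) > MAX_LENGTH:
            return False, "too_long"
        if lowered in BLOCKLIST:
            return False, "blocklisted"
        if username.lower() in lowered:
            return False, "contains_username"
        if self._reused(username, candidate):
            return False, "reused"
        return True, "ok"

    def set_password(self, username, candidate):
        """Validate, then record the new password's salted hash in history."""
        accepted, reason = self.validate(username, candidate)
        if not accepted:
            return accepted, reason
        salt = os.urandom(16)
        entries = self._history.setdefault(username, [])
        entries.append((salt, self._hash(candidate, salt)))
        del entries[:-self.history_depth]   # keep only the newest N entries
        return True, "ok"


def demo():
    """Walk a constructed user through several change attempts; returns the
    sequence of (accepted, reason) results."""
    policy = PasswordPolicy(history_depth=3)
    attempts = [
        "password",                       # on the blocklist
        "short1",                         # under the minimum length
        "J.Doe-2024-backup!",             # contains the username
        "correct horse battery staple",   # accepted passphrase
        "correct horse battery staple",   # immediate reuse
        "another long passphrase 42",     # accepted
        "correct horse battery staple",   # still in history, still refused
    ]
    return [policy.set_password("j.doe", pw) for pw in attempts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The reuse check compares a fresh PBKDF2 of the candidate against each stored salted hash with a constant-time comparison, so the history never holds plaintext. Nothing here forces rotation on a schedule, which matches the guidance to avoid frequent mandated changes; rotation should instead be triggered by evidence of compromise.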
Additional Security Measures
Phishing-Resistant MFA: Implement phishing-resistant MFA for all critical services.
Timely Patching: Keep systems and software updated, prioritizing known vulnerabilities.
Network Segmentation: Segment networks to control and limit the spread of ransomware.
Network Monitoring: Use monitoring tools to detect and log network traffic and lateral movement. Endpoint detection and response (EDR) tools are particularly effective.
Antivirus Software: Regularly update and enable real-time detection.
Disable Unused Ports: Close unused ports and protocols to reduce attack surfaces.
Email Security: Add warning banners to emails from external senders and disable hyperlinks in received email.
Secure Backup Data: Ensure backups are encrypted and immutable to protect against data tampering.
Implementing these measures will significantly enhance cybersecurity defenses and mitigate risks from Scattered Spider and similar threats.