
‘One of the most dangerous financial criminal groups’ responsible for MGM cyberattack

Exterior view of the MGM Grand Casino on the Las Vegas Strip.


Scattered Spider, the threat gang responsible for recent attacks against MGM International and Caesars Entertainment, amongst others, has been described by Microsoft as “one of the most dangerous financial criminal groups."

In an Oct. 25 post, Microsoft’s threat intelligence team detailed what it describes as Scattered Spider’s “extensive range” of tactics, techniques, and procedures (TTPs), saying the gang “crosses boundaries to facilitate extortion, encryption, and destruction.”

Scattered Spider’s destructive capabilities were on full display in Las Vegas in September when it crippled multiple IT systems across several MGM properties in a sprawling attack that exposed customer data and cost the company around $100 million.

Tracked by Microsoft as Octo Tempest, and also known as 0ktapus and UNC3944, the gang began deploying ALPHV/BlackCat ransomware in the middle of this year and has focused its attacks on VMware ESXi servers.

As well as having an extensive arsenal of TTPs that enable it to successfully attack complex hybrid environments, Scattered Spider’s prowess is further enhanced by its ability to carry out what Microsoft calls “social engineering with a twist.”

“The threat actor performs research on the organization and identifies targets to effectively impersonate victims, mimicking idiolect on phone calls and understanding personal identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods,” the threat intelligence team said.

“These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access.”

Scattered Spider's native English speakers effective in launching social-engineering campaigns

Microsoft’s post included screenshots of text messages sent to a victim of the gang, threatening to dispatch a shooter to their home if they did not provide their login credentials.

Delinea cybersecurity evangelist Tony Goulding said organizations should be very concerned about the group’s blend of sophisticated techniques, the broad scope of industries it targeted, and its aggressive approach.

“Being native English speakers, they can more effectively launch wide-ranging social-engineering campaigns compared to BlackCat,” he said.

“We have worked 17 engagements in the past three months involving this threat actor, and the most dangerous element is their expertise in almost every known technology solution on the planet,” said Fenix24 co-founder Heath Renfrow.

“They leverage this expertise to gain entry into environments and then compromise virtually everything, much more quickly than traditionally seen.”

Expect to be tracked, taunted and threatened

Microsoft warned network defenders that Scattered Spider’s use of social engineering and living-off-the-land techniques, together with its strong capabilities across a wide range of toolsets, could necessitate a “slightly unorthodox” approach to hunting the group.

The post outlined a detailed hunting methodology, including centralizing visibility of any administrative changes in the environment and scrutinizing changes to administrator groups, roles and privileges.
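The hunting methodology described above, centralizing administrative changes and scrutinizing privilege modifications, can be expressed as a small detection routine. The following Python script is an added example written for this article, not code from Microsoft’s post or from the SC Media page. It runs over a constructed set of directory audit events whose field names (`time`, `activity`, `actor`, `target`, `role`) are assumptions loosely modelled on Entra ID audit-log records, not a verified schema. It flags every privileged-role change outright, and separately flags the sequence the article describes: a help-desk password reset, followed by MFA re-registration, followed by the freshly reset account granting a privileged role to someone else within a time window.

```python
"""Hunt for help-desk-abuse takeover chains in directory audit events.

Added example: event shape and activity names below are assumptions
loosely modelled on Entra ID audit logs, not a verified schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose membership changes are always worth a look (assumed list).
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Exchange Administrator",
}

# Activity names for the three steps of the social-engineering chain:
# help-desk password reset -> MFA method reset/re-registration -> role grant.
RESET_ACTIVITIES = {"Reset password (by admin)"}
MFA_ACTIVITIES = {"Admin deleted security info", "Admin registered security info",
                  "User registered security info"}
ROLE_ACTIVITIES = {"Add member to role", "Add eligible member to role"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Attacker talks the help desk into resetting j.doe's password and MFA,
    # enrolls their own authenticator, then grants Global Administrator.
    {"time": "2023-09-10T14:02:11Z", "activity": "Reset password (by admin)",
     "actor": "helpdesk1@corp.example", "target": "j.doe@corp.example"},
    {"time": "2023-09-10T14:05:40Z", "activity": "Admin deleted security info",
     "actor": "helpdesk1@corp.example", "target": "j.doe@corp.example"},
    {"time": "2023-09-10T14:09:03Z", "activity": "User registered security info",
     "actor": "j.doe@corp.example", "target": "j.doe@corp.example"},
    {"time": "2023-09-10T15:31:55Z", "activity": "Add member to role",
     "actor": "j.doe@corp.example", "target": "svc-backup@corp.example",
     "role": "Global Administrator"},
    # Routine reset with no follow-on activity: should not form a chain.
    {"time": "2023-09-11T09:00:00Z", "activity": "Reset password (by admin)",
     "actor": "helpdesk2@corp.example", "target": "a.smith@corp.example"},
    # Privileged-role change by a known IAM admin: still surfaced for review.
    {"time": "2023-09-11T10:00:00Z", "activity": "Add eligible member to role",
     "actor": "iam-admin@corp.example", "target": "b.lee@corp.example",
     "role": "Security Administrator"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt(events, window=timedelta(hours=24)):
    """Return a list of findings.

    Two detections:
      1. privileged_role_change: any membership change on a privileged role.
      2. helpdesk_takeover_chain: an account that was password-reset by an
         admin, had an MFA method reset/registered within `window`, and then
         itself granted a privileged role within the same window.
    """
    events = sorted(events, key=lambda e: _ts(e["time"]))
    findings = []

    # 1. Centralized view of privilege changes: flag every one of them.
    for e in events:
        if e["activity"] in ROLE_ACTIVITIES and e.get("role") in PRIVILEGED_ROLES:
            findings.append({"type": "privileged_role_change", "time": e["time"],
                             "actor": e["actor"], "target": e["target"],
                             "role": e["role"]})

    # 2. Per-account sequence match for the reset -> MFA -> escalation chain.
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    for account, evs in by_target.items():
        for reset in (e for e in evs if e["activity"] in RESET_ACTIVITIES):
            t0 = _ts(reset["time"])
            mfa = [e for e in evs if e["activity"] in MFA_ACTIVITIES
                   and t0 <= _ts(e["time"]) <= t0 + window]
            if not mfa:
                continue
            t1 = _ts(mfa[-1]["time"])
            # Role grants performed BY the reset account after its MFA changed.
            escalations = [e for e in events
                           if e["actor"] == account
                           and e["activity"] in ROLE_ACTIVITIES
                           and e.get("role") in PRIVILEGED_ROLES
                           and t1 <= _ts(e["time"]) <= t0 + window]
            if escalations:
                findings.append({"type": "helpdesk_takeover_chain",
                                 "time": reset["time"], "account": account,
                                 "reset_by": reset["actor"],
                                 "mfa_events": len(mfa),
                                 "escalations": [(e["target"], e["role"])
                                                 for e in escalations]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

In production the same logic would run as a scheduled query against the identity provider’s audit log rather than over an in-memory list; the point is that the two detections are deliberately independent, so a privileged-role change is surfaced even when the preceding reset happened outside the window or on a different tenant.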

Phishing-resistant MFA should be required for all administrator accounts, the researchers said.

They also warned the group had been observed joining, recording and transcribing calls, and sending messages, on its victims’ corporate communications platforms. This activity was used to taunt and threaten staff, and to gain insights into incident response operations and planning.

“Using out-of-band communication channels is strongly encouraged when dealing with this threat actor,” Microsoft said.

Critical Start cyber threat research senior manager Callie Guenther said regular cybersecurity training for employees, focused on evolving social engineering tactics, should be part of an organization’s holistic defense strategy.

“Adhering to the principle of least privilege ensures restricted access, and encrypted communications can safeguard sensitive exchanges. Above all, a well-defined and rehearsed incident response plan is crucial to counter unexpected breaches effectively,” Guenther said.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
