Scattered Spider traps 100+ victims in its web as it moves into ransomware • The Register

Scattered Spider, the crew behind at least one of the recent Las Vegas casino IT security breaches, has already hit some 100 organizations during its so-far brief tenure in the cybercrime scene, according to Mandiant.

Further, as also witnessed in the ongoing MGM Resorts network outage, the gang, known for its social-engineering-based attacks, is now throwing data-stealing ransomware at victims, too.

In its analysis this week into Scattered Spider’s evolving tactics, Mandiant says the “expansion in the group’s monetization strategies” began in mid-2023. That write-up should be useful for IT defenders: it details mitigations, advice, and indicators of compromise to look out for.

The Google-owned threat intel firm tracks Scattered Spider as UNC3944. Its comments on the crime gang are significant because Mandiant is one of the top incident response teams called in to clean up the messes made by such high-profile intruders.

“These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand,” the analysis says. “Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services.”

Scattered Spider, which has been around for about two years, is a US-UK-based, Lapsus$-like gang that specializes in SMS phishing and phone-based social engineering. It uses these techniques to steal login credentials from employees of targeted organizations, or otherwise to sneak into its targets' IT networks without permission.

In one of the group’s first major phishing campaigns in 2022, dubbed Oktapus, the criminals initially went after employees of Okta customers, targeting as many as 135 orgs — IT, software development and cloud services providers based in the US.

First, Scattered Spider sent text messages to the employees with malicious links to sites spoofing their company’s authentication page. This allowed the gang to steal some 9,931 user credentials and 5,441 multi-factor authentication codes, we’re told.
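The spoofed-authentication-page lure described above is something a defender can triage at scale: links in employee-reported or gateway-logged SMS can be checked against the organisation's genuine sign-on hosts, and unowned hosts that borrow the company or identity-provider brand can be flagged. The following is an added example written for this article, not code from Mandiant or The Register; the trusted hostnames, brand tokens and sample messages are all constructed placeholders.

```python
import re

# Constructed assumptions for this example: the hostnames the organisation
# genuinely uses for sign-on (exact host or subdomain of one of these is
# trusted) and the brand strings a spoofed page would need to borrow.
TRUSTED_AUTH_HOSTS = {"example-corp.okta.com", "sso.example-corp.com", "www.okta.com"}
BRAND_TOKENS = {"examplecorp", "okta"}

# Digit-for-letter substitutions commonly seen in typosquatted hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostname of every URL found in an SMS body."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def normalise(host):
    """Fold homoglyph digits and strip punctuation so brand tokens line up."""
    return re.sub(r"[^a-z]", "", host.translate(HOMOGLYPHS))


def is_trusted(host):
    """True only for a listed host or a subdomain of one; a stray tenant on the
    same identity provider is deliberately not trusted by suffix alone."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_AUTH_HOSTS)


def classify_host(host):
    """'legit' for a trusted sign-on host, 'lookalike' for an untrusted host
    that carries a brand token after normalisation, 'unrelated' otherwise."""
    if is_trusted(host):
        return "legit"
    folded = normalise(host)
    if any(tok in folded for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def triage_sms(messages):
    """Return (message, host) pairs whose link points at a lookalike host."""
    flagged = []
    for msg in messages:
        for host in extract_hosts(msg):
            if classify_host(host) == "lookalike":
                flagged.append((msg, host))
    return flagged


# Constructed sample messages (not real data), as an MDM or SMS-gateway feed
# might log them.
SAMPLE_SMS = [
    "IT: re-authenticate before 17:00 at https://example-corp.okta.com/login",
    "HR: action required, sign in at https://example-corp-okta.com/sso",
    "Schedule changed. Confirm now: http://examp1e-corp-sso.net/okta",
    "Team lunch at 12?",
]

if __name__ == "__main__":
    for msg, host in triage_sms(SAMPLE_SMS):
        print(f"LOOKALIKE {host}  <- {msg}")
```

The heuristic is intentionally narrow: brand tokens should be specific strings (a generic token such as "sso" would flag unrelated domains), and the naive hostname handling should be replaced with a Public Suffix List lookup before relying on it in production.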

Just last month, the crew targeted more Okta customers, this…