U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

Jun 16, 2024 | Newsroom | Cybercrime / SIM Swapping

Law enforcement authorities have reportedly arrested a key member of the notorious cybercrime group known as Scattered Spider.

The individual, a 22-year-old man from the U.K., was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The operation is said to have been a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is “associated with several other high profile ransomware attacks performed by Scattered Spider.”

The malware analysis group further said the individual was a SIM swapper who operated under the alias “Tyler.” SIM-swapping attacks work by calling the telecom provider to transfer a target's phone number to a SIM under the attacker's control, with the goal of intercepting the victim's messages, including one-time passwords (OTPs), and taking over their online accounts.

According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name “tylerb” on Telegram channels related to SIM-swapping.

Tyler is the second member of the Scattered Spider group to be arrested, after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft offenses.


Scattered Spider, which also overlaps with activity tracked under the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that is notorious for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a larger cybercriminal gang known as The Com.

Initially focused on credential harvesting and SIM swapping, the group has since adapted its tradecraft to concentrate on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.

“Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials,” Google-owned Mandiant said. “These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.”

Mandiant told The Hacker News that the activity associated with UNC3944 exhibits some degree of similarity with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It emphasized, however, that the two “should not be considered the ‘same.’”


The names 0ktapus and Muddled Libra come from the threat actor's use of a phishing kit that is designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.

“UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications,” Mandiant noted.

“With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.”
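The Okta self-assignment pattern Mandiant describes leaves a clear trail in the Okta System Log: one actor generating a burst of `application.user_membership.add` events in which the user being added is the actor's own account. The following detection logic is an added example and is not code from the original article, from Mandiant, or from Okta. It assumes the real Okta event type `application.user_membership.add` and a simplified version of the System Log's `actor`/`target` structure; the sample events are constructed for illustration and are not real telemetry.

```python
"""Flag Okta actors that assign their own account to many applications in a short window.

Added example, not from the article. Event layout is a simplified Okta System Log
shape (eventType, published, outcome.result, actor.alternateId, target[]), and
SAMPLE_EVENTS below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _evt(actor, user, app, ts, result="SUCCESS"):
    """Build one constructed System-Log-like event for the sample set."""
    return {
        "eventType": "application.user_membership.add",
        "published": ts,
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": actor},
        "target": [
            {"type": "User", "alternateId": user},
            {"type": "AppInstance", "displayName": app},
        ],
    }


# Constructed sample: j.doe self-assigns to six apps in five minutes (the pattern
# described above), an admin legitimately assigns j.doe to one app, a.smith
# self-assigns to only two apps, and one self-assignment attempt fails.
SAMPLE_EVENTS = [
    _evt("j.doe@example.com", "j.doe@example.com", "Salesforce", "2024-06-10T09:00:00.000Z"),
    _evt("j.doe@example.com", "j.doe@example.com", "Workday", "2024-06-10T09:01:00.000Z"),
    _evt("j.doe@example.com", "j.doe@example.com", "Azure", "2024-06-10T09:02:00.000Z"),
    _evt("j.doe@example.com", "j.doe@example.com", "CyberArk", "2024-06-10T09:03:00.000Z"),
    _evt("j.doe@example.com", "j.doe@example.com", "GitHub", "2024-06-10T09:03:30.000Z"),
    _evt("j.doe@example.com", "j.doe@example.com", "AWS", "2024-06-10T09:04:00.000Z"),
    _evt("j.doe@example.com", "j.doe@example.com", "Okta Admin Console", "2024-06-10T09:05:00.000Z", "FAILURE"),
    _evt("it-admin@example.com", "j.doe@example.com", "Zoom", "2024-06-10T09:10:00.000Z"),
    _evt("a.smith@example.com", "a.smith@example.com", "Zendesk", "2024-06-10T10:00:00.000Z"),
    _evt("a.smith@example.com", "a.smith@example.com", "Jira", "2024-06-10T10:01:00.000Z"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in Okta System Log 'published'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def self_assignments(events):
    """Yield (actor, app, timestamp) for successful membership adds where actor == added user."""
    for ev in events:
        if ev.get("eventType") != "application.user_membership.add":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev["actor"]["alternateId"].lower()
        user = next((t["alternateId"].lower() for t in ev["target"] if t["type"] == "User"), None)
        app = next((t["displayName"] for t in ev["target"] if t["type"] == "AppInstance"), None)
        if user == actor and app:
            yield actor, app, parse_ts(ev["published"])


def find_mass_self_assignment(events, window=timedelta(minutes=15), threshold=5):
    """Return {actor: sorted app names} for actors that self-assigned to >= threshold
    distinct applications within any sliding window of the given length."""
    per_actor = defaultdict(list)
    for actor, app, ts in self_assignments(events):
        per_actor[actor].append((ts, app))
    alerts = {}
    for actor, items in per_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            apps = {app for ts, app in items[i:] if ts - start <= window}
            if len(apps) >= threshold:
                alerts[actor] = sorted(apps)
                break
    return alerts


if __name__ == "__main__":
    for actor, apps in find_mass_self_assignment(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} self-assigned to {len(apps)} apps: {', '.join(apps)}")
```

Tune `window` and `threshold` to the tenant: admins who add themselves to a handful of apps during onboarding are normal, while one account reaching every tile in the Okta dashboard within minutes is the behaviour described above. Assignments performed by a different actor on the user's behalf are deliberately excluded so the rule focuses on self-assignment.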

Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside steps to conduct extensive reconnaissance, establish persistence through the creation of new virtual machines, and impair defenses.

Furthermore, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in an effort to test access to the environment.


“UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance,” the threat intelligence firm said. “Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization’s CyberArk instance.”

The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have become an affiliate of the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The evolution of the threat actor's tactics further coincides with its active targeting of the finance and insurance industries using convincing lookalike domains and login pages for credential theft.

The FBI told Reuters last month that it is laying the groundwork to charge hackers from the group, which has been linked to attacks targeting over 100 organizations since its emergence in May 2022.
