Law enforcement authorities have allegedly arrested a key member of the infamous cybercrime group known as Scattered Spider.
The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.
News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is “associated with several other high profile ransomware attacks carried out by Scattered Spider.”
The malware research group further said the individual was a SIM swapper who operated under the alias “Tyler.” SIM-swapping attacks work by calling the telecom provider to transfer a target’s phone number to a SIM under the attacker’s control, with the goal of intercepting their messages, including one-time passwords (OTPs), and taking control of their online accounts.
According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name “tylerb” on Telegram channels related to SIM-swapping.
Tyler is the second member of the Scattered Spider group to be arrested after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft offenses.
Scattered Spider, which also overlaps with activity tracked under the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that is notorious for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a larger cybercriminal gang known as The Com.
Initially focused on credential harvesting and SIM swapping, the group has since adapted its tradecraft to focus on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.
“Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials,” Google-owned Mandiant said. “These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.”
Mandiant told The Hacker News the activity associated with UNC3944 shows some level of similarities with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It, however, emphasized that they “shouldn’t be considered the ‘same.’”
The names 0ktapus and Muddled Libra come from the threat actor’s use of a phishing kit that is designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.
“UNC3944 has also leveraged Okta permissions abuse techniques by the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications,” Mandiant noted.
“With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.”
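One way a defender can spot the self-assignment pattern Mandiant describes is to watch Okta System Log events for an actor who adds their own account to many application instances in a short window. The following is an added example, not code from the article or from Mandiant; it assumes the Okta System Log field layout (eventType, actor.id, actor.alternateId, target[].type/id/displayName, published) and uses constructed sample events with hypothetical ids.

```python
"""Added example (not article or Mandiant code): flag an Okta account that
assigns itself to many apps in a short window. Field names follow the Okta
System Log schema as assumed; events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

SELF_ASSIGN = "application.user_membership.add"  # Okta app-assignment event type

def is_self_assignment(ev):
    """True when the acting account is also the User target of the event."""
    if ev.get("eventType") != SELF_ASSIGN:
        return False
    actor = ev["actor"]["id"]
    return any(t["type"] == "User" and t["id"] == actor for t in ev["target"])

def find_self_assignment_bursts(events, min_apps=3, window=timedelta(minutes=30)):
    """Actor login -> sorted apps, for actors self-assigned to >= min_apps apps within `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if is_self_assignment(ev):
            ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
            apps = {t["displayName"] for t in ev["target"] if t["type"] == "AppInstance"}
            per_actor[ev["actor"]["alternateId"]].append((ts, apps))
    hits = {}
    for login, items in per_actor.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(items):  # sliding window from each event
            seen = set()
            for ts, apps in items[i:]:
                if ts - start > window:
                    break
                seen |= apps
            if len(seen) >= min_apps:
                hits[login] = sorted(seen)
                break
    return hits

def _ev(ts, actor_id, actor_login, user_id, app):
    """Build one constructed System Log record (sample data, hypothetical ids)."""
    return {"eventType": SELF_ASSIGN, "published": ts,
            "actor": {"id": actor_id, "alternateId": actor_login},
            "target": [{"type": "User", "id": user_id},
                       {"type": "AppInstance", "id": "0oa" + app.lower(), "displayName": app}]}

SAMPLE_EVENTS = [  # jdoe self-assigns three apps in 12 minutes; the admin's assignment is benign
    _ev("2024-06-10T10:00:00Z", "00u1", "jdoe@example.com", "00u1", "Salesforce"),
    _ev("2024-06-10T10:05:00Z", "00u1", "jdoe@example.com", "00u1", "Workday"),
    _ev("2024-06-10T10:12:00Z", "00u1", "jdoe@example.com", "00u1", "Azure"),
    _ev("2024-06-10T10:20:00Z", "00u9", "admin@example.com", "00u1", "CyberArk"),
]
```

Calling `find_self_assignment_bursts(SAMPLE_EVENTS)` on the constructed data returns only the jdoe account with its three apps; the administrator's assignment of another user is not flagged.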
Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside taking steps to conduct extensive reconnaissance, set up persistence through the creation of new virtual machines, and impair defenses.
Additionally, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in order to test access to the environment.
“UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications performed further reconnaissance,” the threat intelligence firm said. “Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization’s CyberArk instance.”
The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have become an affiliate for the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.
The evolution of the threat actor’s tactics further coincides with its active targeting of the finance and insurance industries using convincing lookalike domains and login pages for credential theft.
The FBI told Reuters last month that it is laying the groundwork to charge hackers from the group, which has been linked to attacks targeting over 100 organizations since its emergence in May 2022.