FBI Warns: Spot These Signs as Scattered Spider Threat Grows

New Malware and Advanced Social Engineering Tactics
The FBI, along with a number of international cyber and law enforcement agencies, has issued a warning about the evolving tactics of the Scattered Spider extortion group. This group has shifted its approach, utilizing more sophisticated social engineering techniques to infiltrate victims' networks. Their primary targets are organizations' Snowflake database credentials, and they have deployed several new ransomware variants, including DragonForce.
Recent attacks by Scattered Spider have targeted various sectors, starting with retailers, then moving on to insurance companies and the aviation industry. The group often poses as employees who are locked out of their accounts, convincing helpdesk workers to provide sensitive information such as login credentials, reset passwords, or transfer multi-factor authentication to devices controlled by the attackers.
While some of the group's methods remain consistent, they frequently change their tactics to avoid detection. The joint advisory encourages critical infrastructure organizations and commercial facilities to implement the mitigation strategies outlined in the report to reduce the risk and impact of Scattered Spider's activities.
In addition to traditional methods, Scattered Spider has incorporated legitimate software like Teleport and AnyDesk for remote access to local systems and network devices. They also use new malware, such as RattyRAT, a Java-based remote access trojan designed for long-term, stealthy access and internal reconnaissance. The latest ransomware variant associated with the group is DragonForce, which was used to target US and UK retailers earlier this year.
However, Scattered Spider does not always deploy ransomware. In some cases, they proceed directly to data theft after gaining initial access to victim systems, exfiltrating sensitive files and threatening to release them unless a large sum is paid. The FBI noted that this includes exfiltration to multiple sites, such as MEGA[NZ] and US-based data centers like Amazon S3.
The security bulletin also highlights new domains used by the group, which typically combine the targeted organization's name with either a -helpdesk suffix or a reference to a single sign-on service, so that the domain mimics the organization's own helpdesk or SSO platform and appears legitimate.
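As a defender-side illustration of that naming pattern, the following Python triage function flags newly observed domains that pair an organization's name with a helpdesk or SSO token while excluding domains the organization actually owns. This is an added example, not code from the advisory; the token spellings "sso" and "singlesignon", the organization names and the sample domain feed are all constructed assumptions.

```python
"""Flag observed domains that follow the lookalike pattern in the advisory:
the target's name combined with "-helpdesk" or a single sign-on reference."""

# "helpdesk" comes from the advisory; "sso" and "singlesignon" are assumed
# spellings for the single sign-on variant. Extend from your own telemetry.
SUSPICIOUS_TOKENS = ("helpdesk", "sso", "singlesignon")


def _compact_labels(domain: str) -> list[str]:
    """Drop the TLD and return each label plus the concatenation of all
    labels, with hyphens/underscores removed so that 'sso-example' and
    'example.sso-login' are compared the same way."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    candidates = labels + ["".join(labels)]
    return [c.replace("-", "").replace("_", "") for c in candidates]


def is_lookalike(domain: str, org_names: set[str], owned_domains: set[str]) -> bool:
    """True when the domain is not owned by the organization and some label
    pairs an organization name with a helpdesk/SSO token."""
    d = domain.strip().lower().rstrip(".")
    if any(d == own or d.endswith("." + own) for own in owned_domains):
        return False  # legitimate subdomain such as helpdesk.example.com
    orgs = {o.lower() for o in org_names}
    for label in _compact_labels(d):
        if any(o in label for o in orgs) and any(t in label for t in SUSPICIOUS_TOKENS):
            return True
    return False


def triage(domains: list[str], org_names: set[str], owned: set[str]) -> list[str]:
    """Return the subset of observed domains that should be escalated."""
    return [d for d in domains if is_lookalike(d, org_names, owned)]


# Constructed sample feed for a fictitious "Example Corp" that owns example.com.
SAMPLE_DOMAINS = [
    "example-helpdesk.com",      # org name + helpdesk suffix
    "sso-examplecorp.net",       # SSO token + org name
    "example.sso-login.org",     # org name and SSO token split across labels
    "helpdesk.example.com",      # legitimate, owned subdomain
    "example.com",               # legitimate apex domain
    "unrelated-helpdesk.com",    # helpdesk token but not our name
]

if __name__ == "__main__":
    for d in triage(SAMPLE_DOMAINS, {"example", "examplecorp"}, {"example.com"}):
        print("escalate:", d)
```

Short organization names match as substrings and will raise false positives, so populate org_names with the spellings attackers would realistically imitate rather than every abbreviation.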
Scattered Spider often searches for Snowflake access to exfiltrate large volumes of data quickly, running thousands of queries immediately. According to trusted third parties, the group may have deployed DragonForce ransomware onto targeted organizations' networks, encrypting VMware Elastic Sky X integrated (ESXi) servers.
This trend aligns with a recent technical analysis from Google's Mandiant Incident Response team, which notes that Scattered Spider, tracked as UNC3944, is increasingly targeting the ESXi hypervisor layer once they gain access. The attack chain can occur in mere hours, making the threat more dangerous compared to traditional actors who may take days or weeks for reconnaissance.
Charles Carmakal, CTO of Mandiant Consulting, noted that recent arrests of Scattered Spider members have led to a temporary slowdown in their activities. However, he emphasized the importance of organizations using this window to study the group's tactics, assess their systems, and reinforce their security posture.
Despite the arrests, the group has since resumed operations with high-profile retail attacks in April. Carmakal warned that other threat actors, such as UNC6040, are employing similar social engineering tactics. He urged organizations to remain vigilant and not let their guard down completely.
To protect against these threats, the FBI and other agencies recommend three key actions:
- Maintain offline backups of sensitive data, stored separately from source systems.
- Implement phishing-resistant multifactor authentication (MFA) and enforce its use.
- Use application controls to manage software execution.
The advisory was jointly authored by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police, Australian Signals Directorate's Australian Cyber Security Centre, Australian Federal Police, Canadian Centre for Cyber Security, and UK's National Cyber Security Centre.