Scattered Spider Retail Attacks: A Growing Concern for the US
Google's Threat Intelligence Group (GTIG) has sounded the alarm on a new wave of ransomware attacks targeting high street stores in the United States. According to GTIG chief analyst John Hultquist, retailers in the US are under attack from Scattered Spider, an English-speaking hacking collective suspected of being behind the series of DragonForce ransomware attacks on Marks & Spencer (M&S) and Co-op in the UK.
GTIG and its colleagues at Google Cloud's Mandiant threat intel unit are still investigating the cyber attacks, but they suspect that UNC3944, also known as Scattered Spider, is behind the operations. The gang has a history of targeting a single sector at a time, and GTIG anticipates they will continue to target retail in the near term.
Scattered Spider is described by Hultquist as aggressive, creative, and highly adept at circumventing even the most mature security programs and defences. They have had success with social engineering techniques, using third parties to gain entry into their targets. Mandiant has provided a hardening guide based on its experience with Scattered Spider's tactics and steps organizations can take to defend themselves.
Identity Verification: The First Line of Defence
Mandiant emphasizes the importance of hardening identity verification and authentication practices as the first line of defence against Scattered Spider. Social engineering techniques have proven highly effective for the gang, who impersonate users contacting their victims' IT helpdesks.
Helpdesk staff need additional training to positively identify inbound contacts using methods such as on-camera or in-person verification, government ID verification, or challenge and response questions. Security teams should also consider temporarily disabling or enhancing validation for self-service password resets, routing these and multi-factor authentication resets through manual helpdesk workflows.
Employees should be required to authenticate before changing their authentication methods, such as adding a new phone number. Additional safeguards can include requiring such changes to be made from trusted office locations, using out-of-band verification, or banning SMS, phone call, or email as authentication controls.
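As an added illustration (not code from Mandiant's guide or from this article), the following Python models how the controls above could be enforced as a policy check on password resets, MFA resets and authentication-method changes; the factor names, the office network range and the request fields are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy values for this example (assumed, not from the hardening guide):
BANNED_FACTORS = {"sms", "phone_call", "email"}         # never accepted as authentication controls
STRONG_FACTORS = {"fido2", "authenticator_app"}         # acceptable for step-up authentication
TRUSTED_OFFICE_NETWORKS = [ip_network("10.20.0.0/16")]  # hypothetical office address space

@dataclass
class ChangeRequest:
    user: str
    action: str                          # "add_factor", "reset_mfa" or "reset_password"
    new_factor: str | None = None        # factor being added, for "add_factor"
    step_up_factor: str | None = None    # factor the user just re-authenticated with, if any
    source_ip: str = "0.0.0.0"
    out_of_band_verified: bool = False   # helpdesk confirmed identity via an independent channel
    self_service: bool = True            # True if submitted through the self-service portal

@dataclass
class Decision:
    outcome: str                         # "allow", "deny" or "manual_helpdesk"
    reasons: list[str] = field(default_factory=list)

def from_trusted_office(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_OFFICE_NETWORKS)

def evaluate(req: ChangeRequest) -> Decision:
    # Self-service password and MFA resets are disabled: route them to a manual helpdesk
    # workflow where staff verify identity (on-camera, government ID, challenge questions).
    if req.action in ("reset_password", "reset_mfa") and req.self_service:
        return Decision("manual_helpdesk", ["self-service reset disabled; verify identity at helpdesk"])
    reasons: list[str] = []
    if req.action == "add_factor":
        if req.new_factor in BANNED_FACTORS:
            reasons.append(f"{req.new_factor} is not an accepted authentication control")
        # Changing an authentication method requires fresh authentication with a strong factor
        if req.step_up_factor not in STRONG_FACTORS:
            reasons.append("step-up authentication with an existing strong factor required")
    # Any change must originate from a trusted office location or be verified out of band
    if not from_trusted_office(req.source_ip) and not req.out_of_band_verified:
        reasons.append("request not from a trusted office and not verified out of band")
    return Decision("deny", reasons) if reasons else Decision("allow")
```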
The Commoditization of Compromise
Nic Adams, co-founder and CEO at 0rcus, a security automation platform, says that the identities of victims are largely irrelevant given the commoditization of the threat chain. "Whether DragonForce, Scattered Spider or a shared affiliate ring executed the intrusion is irrelevant," he said.
"Who the hell cares? An overlap in TTPs proves the industrialisation of compromise. Threat actors don't need advanced exploits. Simply put, organisational blindness to behavioural anomalies, lax identity workflows, IT helpdesks that treat social engineering as a customer service moment," Adams added.
The Breach-Point
"Phishing, cred abuse, Cobalt Strike, LOTL movement, SystemBC tunnels, Mimikatz extractions, data staging to MEGA is now a commodity kill chain. What came after was orchestration: full access, lateral expansion, data exfiltration, selective encryption, ransom leverage," said Adams.
"The next breach will follow the same path," he warned. "One-click, credential, absent defence layer. Another billion in market cap evaporated."
Organizations at Risk
M&S's insurance claim is likely to top £100m following the ransomware attack, with Allianz and Beazley particularly exposed. The retailer has already lost tens of millions of pounds as a result of the cyber attack, which has left its food supply chains in disarray.
Takeaways
- Organizations should take steps to strengthen identity verification and authentication practices to defend against Scattered Spider's tactics.
- Implementing additional safeguards such as requiring changes to be made from trusted office locations, using out-of-band verification, or banning SMS, phone call, or email as authentication controls can help prevent breaches.
- The commoditization of compromise highlights the importance of organizational awareness and training in preventing cyber attacks.