Dave Bittner
You're listening to the CyberWire Network, powered by N2K. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
George Glass
Well, we've been tracking Scattered Spider for a number of years now. We refer to them internally as KTA243. We track it more as an associated group of individuals that tend to use social engineering. We've been tracking them since at least 2023, but this year they've obviously made quite a bit of a splash, especially here in the UK with their attacks on UK retail, and since then moving on to the insurance industry and most recently the aviation sector as well.
Dave Bittner
That's George Glass, Associate Managing Director of Kroll's Cyber Risk Business. The research we're discussing today concerns Scattered Spider and their targeting of insurance companies. Well, for folks who might not be familiar with Scattered Spider, can you give us a little bit of the history and how they've become so prominent?
George Glass
Yes, of course. The group is loosely affiliated with an online community referred to as the Com, and it's essentially a group of cybercrime actors. Many of them are recruited from Roblox, Minecraft, things like that. Many of them may have been victims of cybercrime themselves, and that's how they get integrated into this group. More recently the group has been demonstrating their capabilities with social engineering with a lot more effect, especially targeting call centers for password resets and things like that. And they've also shown that they are more than happy to use ransomware now, which I think is a fairly big change-up since when we first started tracking the group. So certainly open to change, and that makes them all the more interesting for the tracking.
Dave Bittner
And what is their general goal here? Are they looking to profit? Is it an espionage group? What are they doing?
George Glass
Yeah, I would say on the whole it's for financial gain. I think there is also a certain amount of kudos within the community as well that they would be more than happy to sort of show off that they're performing these attacks successfully. But I think on the whole, especially in more recent months, it's for financial gain first and foremost.
Dave Bittner
Well, as your research points out, it seems as though Scattered Spider targets one industry at a time. Why do you suppose they would adopt this kind of focused approach?
George Glass
It's a very interesting question. It's hard to say. I would imagine it's because many of the industries they target in clusters work the same way. They tend to share third party suppliers also and they tend to have an affiliation with each other, which maybe means that they can get some lateral movement from attacking one organization, they can potentially move into another. But it is hard to say for certain. And I would say a lot of that is probably driven by events in the news, quarterly reporting and things like that, and access that they may be able to buy or provision to each other to then further attack an organization, deploy ransomware, and so on and so forth.
Dave Bittner
Well, your research focuses specifically on the insurance industry. Can you take us through how they approach that industry and what you discovered?
George Glass
Yes, from what we can tell, the modus operandi hasn't really changed too much from the attacks that we saw on the UK retail sector. So that is essentially socially engineering a help desk person to reset a password, change an MFA method, something like that. Typically that would take three or four social engineering calls to conduct. You know, the first one may be: what do I need to reset my password? How do I reset it? I'm a new joiner, how do I do that? Oh, you need this bit of information, or X bit of information, Y bit of information. Okay, thank you very much, hang up the call. On the next call, they will be able to solicit that information from the help desk employee. And then on the third or fourth or maybe even the fifth call, they'll be able to use that to gain access to that particular user account. Then from there it would take the course of any typical business email compromise, quickly looking for relevant information, things like information on VPNs, remote login protocols, things like that, that they can then use to further their attack.
Dave Bittner
And once they have that information, is it ransomware, is it double extortion? What do they do?
George Glass
I think first and foremost their goal would be to exfiltrate as much information as possible. We've seen them be able to pivot in an environment incredibly quickly, start downloading things from SharePoint files, from S3 buckets and things like that, if they get into a cloud environment. And then from there, once they've exfiltrated as much data as they can, they may move to deploying ransomware. But because these are identity-based attacks, they're not deploying malware immediately. What we see is it's deployed as a coup de grâce just before the encryption happens and the ransomware deployment happens. The rest of the time they're just leveraging the access that they've already managed to get and blending in with the environment as much as possible using RMM tools like AnyDesk and ConnectWise and so on and so forth.
Dave Bittner
How do they compare to some of the other threat groups that you track in terms of their sophistication?
George Glass
That's a really good question. I think because the group is so widespread, it's hard to give them a sort of a sophistication score. I don't think they're going to be developing their own malware to use as part of these attacks. I think they would be in that consumer-grade sector of malware. But nevertheless, they've shown huge amounts of proficiency in targeting SaaS environments and cloud environments especially. And as I said, they're very quick to move. They know what they're after as soon as they gain access. I think they're very well aware of defensive capabilities as well, and how quickly a SOC team would be able to detect some of this activity. So they move very, very quickly and they move straight to their actions on objectives, especially as it comes to exfiltration. And then, like I said, maybe then there's a handoff to an operator that is more comfortable deploying ransomware.
Dave Bittner
We'll be right back. Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. Did you know Active Directory is targeted in 9 out of 10 cyber attacks? Once attackers get in, they can take control of your entire network. That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them. Join thousands of IT pros using Purple Knight to stay ahead of threats. Download it now at semperis.com/purple-knight. That's semperis.com/purple-knight. What do we know about the group themselves? I mean, I've seen that they refer to themselves as a cartel. What does this mean in the cybercrime context?
George Glass
So I think really that their affiliation with each other is fairly broad. As I say, they're part of this community called the Com. And especially when they're using DragonForce, that's following a cartel model, where it's a group of groups, if you will, that have sort of aligned to work together, share TTPs, share malware and so on and so forth. The idea that there's a collection of individuals that are consistently conducting these attacks, I think, is maybe not stated quite accurately. There's probably hundreds of people in this group. Many of them are sort of chancing it again and again, but with sort of significant amounts of learning as they go. The group is sort of well known to be English speaking, and certainly in the cases that we've worked, they speak English well. I wouldn't say that they were native English speakers, but of course there's been some arrests attributed to the Scattered Spider group that are British nationals, US nationals, Canadian nationals. So I think that just goes to sort of underline the fact that there's a very widespread group of individuals, many of them young men, and they have a fairly wide range of capabilities.
Dave Bittner
You mentioned that you wouldn't expect to see them developing their own tools. What sort of tools are they using?
George Glass
On the whole they're using commodity malware when they do need to use malware. So that would be things like information-stealing malware like Lumma Stealer or StealC. But mostly they're living off the land, using things like PowerShell if they do need to touch an endpoint, and using commercial remote access tools, things like AnyDesk, ConnectWise, ScreenConnect. All of those tools actually allow them to evade detection a lot easier, because they would understand what tools are already deployed in the environment and they would know what would look abnormal and what would look potentially normal to a defender. So on the whole they leverage the tools that are already there, and they would leverage the identity that they have access to to target cloud and SaaS environments very, very quickly. You know, pilfering things from Slack messages, email inboxes and, as I mentioned before, S3 buckets and so on.
Dave Bittner
Your research focuses on the insurance industry and we've seen recent reports that perhaps Scattered Spider is now targeting the airlines. I'm curious, based on the information you gathered and the insights that you have looking at their focus on the insurance industry, what would your recommendations be for other industries if they find themselves the focus of Scattered Spider's efforts?
George Glass
So there's a few recommendations that I think are more to do with hardening an environment. Namely, first of all, that's going to be talking to your help desk staff. I want to be really clear. A lot of the time help desk staff are just trying to be helpful, but there's policy to be followed, and monitoring that that policy is kept to and adhered to is very, very important, because that's typically the first way that Scattered Spider would try to gain initial access. That training also follows for general users. The group has a wide array of techniques that they can use to change a multi-factor method or phish someone for credentials. So again, training employees to be aware of what those signs of attack look like so that they can be reported. And then thirdly, being able to detect that activity as well. Things like identifying token theft, identifying when someone has clicked a phishing link and has potentially submitted their credentials and things like that, those would definitely be the places that I would start.
Dave Bittner
You mentioned that we've seen Scattered Spider attract the attention of law enforcement. There have been some arrests. Do we suspect that this is going to have an effect on their overall operations here, or is it the kind of group that seems to be able to evolve and continue operating?
George Glass
In our research, I don't think that we've identified sort of kingpins or direct leaders, but there are certainly what are referred to in the community as olders that have a lot of knowledge, they're very skilled, and they would sort of proliferate that knowledge to the rest of the teams. I think any law enforcement action against this group is welcome, and I hope that more of them can be brought to justice. It's just a case of being able to identify when one of these individuals makes an operational security mistake, or is indeed in a country that can lead to extradition or arrest.
Dave Bittner
Yeah. It's interesting to me how you describe them as being kind of diffuse. It's a lot of people with loose affiliations.
George Glass
Yes, sir. Yeah, absolutely. I think CrowdStrike did a good job on the naming there. The "scattered" in Scattered Spider, I think, refers to that. It's an interesting sort of additional movement like Anonymous was back in the day. You know, it's easy to say that you're part of Anonymous because it's an anonymous group of individuals. I think that the community in Scattered Spider is more closely knit than that, but certainly not as tight as other threat groups that we would track, which have very consistent TTPs. And, you know, you can do attribution to a certain individual. A lot of the time that's not always possible with Scattered Spider. And I think a lot of the reporting is mostly being attributed to the TTPs that are being observed rather than individuals that they know are behind the attacks.
Dave Bittner
Our thanks to George Glass, Associate Managing Director of Kroll's Cyber Risk Business, for joining us. The research is about Scattered Spider and their targeting of insurance companies. We'll have a link in the show notes. That is Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Kim Jones
Hi, Kim Jones here. On CISO Perspectives, we get candid with the thinkers, doers and trailblazers shaping cybersecurity leadership. No scripts, no sales pitches, just real stories and hard-earned lessons from folks who've been there. If you're looking to grow as a leader, or just want to hear how others are navigating this ever-evolving field, listen to CISO Perspectives. It's your seat at the table.
Dave Bittner
Buying more tools won't make you more secure. Continually training your people will. In this episode, Cloud Range co-founder and CEO Debbie Gordon shares how real-world simulations are transforming readiness in 2025. Because your last line of defense isn't software, it's your team. Tune in now. Your stack depends on it.
CyberWire Daily: Creeping Like a Spider [Research Saturday] – July 19, 2025
Hosted by N2K Networks
In the latest episode of CyberWire Daily, host Dave Bittner delves into the evolving landscape of cyber threats with a focus on a notorious cybercrime group known as Scattered Spider. Joining him is George Glass, Associate Managing Director of Kroll's Cyber Risk Business, who provides in-depth analysis and insights into the group's activities, methodologies, and impact on various industries.
George Glass begins by outlining the history and evolution of Scattered Spider, internally referred to as KTA243.
"We've been tracking Scattered Spider for a number of years now. We refer to them internally as KTA243. We track it more as an associated group of individuals that tend to use social engineering."
[02:23]
Scattered Spider has been active since at least 2023, initially making headlines with attacks on the UK retail sector. Over time, their focus has expanded to include the insurance and aviation industries, indicating a strategic shift in their targeting approach.
When questioned about their general goals, George Glass emphasizes that Scattered Spider primarily aims for financial gain, though there's also an element of seeking recognition within the cybercrime community.
"Yeah, I would say on the whole it's for financial gain. I think there is also a certain amount of kudos within the community..."
[04:25]
Their tactics involve sophisticated social engineering techniques, particularly targeting help desk personnel to reset passwords and bypass multi-factor authentication (MFA). This method allows them to gain unauthorized access to user accounts without deploying malware immediately.
"The modus operandi hasn't really changed too much from the attacks that we saw on the UK retail sector. So that is essentially socially engineering a help desk person to reset a password, change an MFA method..."
[05:56]
Focusing on the insurance sector, George Glass details how Scattered Spider adapts their strategies to infiltrate organizations. Their approach involves multiple stages of social engineering calls to extract necessary information from help desk employees, eventually leading to business email compromise (BEC).
"From there, once they've exfiltrated as much data as they can, they may move to deploying ransomware... leveraging the access that they've already managed to get and blend in with the environment..."
[07:17]
Once inside, they excel at data exfiltration, rapidly accessing and downloading sensitive information from platforms like SharePoint and S3 buckets. The deployment of ransomware typically occurs as a final step after significant data has been compromised.
Unlike more sophisticated threat groups, Scattered Spider relies on commodity malware and living-off-the-land strategies. They use readily available tools such as PowerShell, AnyDesk, ConnectWise, and ScreenConnect. This approach allows them to evade detection by blending in with legitimate activity within an organization's IT environment.
"They're using commodity malware when they do need to use malware... mostly they're living off the land using things like PowerShell if they do need to touch an endpoint..."
[12:57]
Their proficiency in targeting SaaS and cloud environments enables them to swiftly pivot and exploit vulnerabilities, making them a persistent and adaptable threat.
When comparing Scattered Spider to other cyber threat actors, George Glass notes that while they may not develop their own sophisticated malware, their proficiency in exploiting cloud infrastructures and their rapid response tactics make them highly effective.
"I think because the group is so widespread, it's hard to give them a sort of a sophistication score... they've shown huge amounts of proficiency in targeting SaaS environments and cloud environments especially."
[08:12]
This combination of speed and adaptability positions Scattered Spider as a formidable player in the cybercrime arena, capable of executing complex attacks with relative ease.
Describing the group's structure, George Glass likens Scattered Spider to a cartel, consisting of multiple loosely affiliated subgroups that share tactics, techniques, and procedures (TTPs).
"They're using DragonForce. That's following a cartel model where it's a group of groups... the community in Scattered Spider is more closely knit than that, but certainly not as tight as other threat groups..."
[11:25]
This decentralized structure makes it challenging for law enforcement to dismantle the group entirely, as there are no clear leaders or central figures driving their operations.
To combat threats from Scattered Spider, George Glass offers several key recommendations:
- Enhance Help Desk Security: Implement strict policies and monitor interactions to prevent social engineering attempts targeting support personnel.
"First of all that's going to be talking to your help desk staff... monitoring that policy is kept to and adhered to is very, very important..."
[14:23]
- Employee Training: Regularly train employees to recognize signs of phishing and social engineering, empowering them to report suspicious activities.
- Detection Mechanisms: Invest in systems that can identify anomalies such as token theft or suspicious login activities, enabling rapid response to potential breaches.
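The first and third recommendations above (monitor help desk policy, detect suspicious sign-in activity) can be combined into one correlation rule: a help-desk-initiated password reset, optionally followed by a new MFA method being registered, followed shortly by a sign-in from a device the user has never used before. The following Python is an added illustration of that rule and is not code from Kroll or from the podcast; the event schema (`helpdesk_reset`, `mfa_method_added`, `signin` with a `device` field), the `KNOWN_DEVICES` baseline and all sample events are constructed for this example and would need to be mapped onto whatever identity-provider and ticketing logs an organization actually has.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One identity event. Field names are hypothetical, not a real IdP schema."""
    ts: datetime
    user: str
    kind: str           # "helpdesk_reset" | "mfa_method_added" | "signin"
    device: str = ""    # device identifier reported at sign-in
    source_ip: str = ""
    actor: str = ""     # help desk agent who performed the reset


def find_suspicious_resets(events, known_devices, window=timedelta(hours=2)):
    """Flag help-desk resets that are followed, within `window`, by a sign-in
    from a device not in the user's baseline. If an MFA method was also added
    in between, the finding is rated high: that is the full reset-then-enrol
    sequence described in the interview."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, reset in enumerate(ordered):
        if reset.kind != "helpdesk_reset":
            continue
        deadline = reset.ts + window
        mfa_changed = False
        for later in ordered[i + 1:]:
            if later.ts > deadline:
                break
            if later.user != reset.user:
                continue
            if later.kind == "mfa_method_added":
                mfa_changed = True
            elif later.kind == "signin" and later.device not in known_devices.get(later.user, set()):
                findings.append({
                    "user": reset.user,
                    "reset_by": reset.actor,
                    "reset_at": reset.ts,
                    "signin_at": later.ts,
                    "device": later.device,
                    "source_ip": later.source_ip,
                    "severity": "high" if mfa_changed else "medium",
                })
                break  # one finding per reset is enough for triage
    return findings


# Constructed sample data: three users, one of which shows the suspicious sequence.
T0 = datetime(2025, 7, 19, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "helpdesk_reset", actor="hd-agent-07"),
    Event(T0 + timedelta(minutes=5), "alice", "mfa_method_added"),
    Event(T0 + timedelta(minutes=12), "alice", "signin", device="dev-unknown-91", source_ip="203.0.113.45"),
    Event(T0 + timedelta(hours=1), "bob", "helpdesk_reset", actor="hd-agent-03"),
    Event(T0 + timedelta(hours=1, minutes=20), "bob", "signin", device="dev-bob-laptop", source_ip="198.51.100.8"),
    Event(T0 + timedelta(hours=3), "carol", "signin", device="dev-unknown-17", source_ip="203.0.113.9"),
]
# Constructed per-user device baseline (e.g. devices seen in the last 90 days).
KNOWN_DEVICES = {
    "alice": {"dev-alice-laptop"},
    "bob": {"dev-bob-laptop"},
    "carol": {"dev-carol-laptop"},
}

if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"[{f['severity']}] {f['user']}: reset by {f['reset_by']} at {f['reset_at']:%H:%M}, "
              f"new device {f['device']} from {f['source_ip']} at {f['signin_at']:%H:%M}")
```

On the sample data only alice is flagged (high, because an MFA method was added between the reset and the unfamiliar sign-in); bob's reset is followed by a sign-in from a known device and carol's unfamiliar device has no preceding reset, so neither matches this rule. The `reset_by` field is what ties the alert back to the help desk policy point: it lets the SOC check whether that agent actually completed the required identity verification for that ticket.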
Addressing the impact of law enforcement actions, George Glass expresses cautious optimism. While arrests have been made, the group's diffuse and decentralized nature means that they can continue to operate despite setbacks.
"Any law enforcement action against this group is welcome, and I hope that more of them can be brought to justice... it's a case of being able to identify when one of these individuals makes an operational security mistake..."
[15:55]
The absence of identifiable leaders within Scattered Spider complicates efforts to fully eradicate the group, suggesting that they may continue to evolve and adapt in response to external pressures.
In this episode of CyberWire Daily, George Glass provides a comprehensive analysis of Scattered Spider, highlighting their methodologies, targets, and the challenges they pose to cybersecurity defenses. The discussion underscores the importance of robust training, stringent security policies, and advanced detection systems in mitigating the risks posed by such adaptable and persistent threat actors.
For more detailed research and insights, listeners are encouraged to follow the provided links in the show notes.
This summary captures the key points and discussions from the "Creeping Like a Spider [Research Saturday]" episode of CyberWire Daily, providing a comprehensive overview for those who have not listened to the full episode.