HC3 alerts providers of Scattered Spider threat
The Health Sector Cybersecurity Coordination Center has published a sector alert advising on mitigations against U.S.- and UK-based threat actors that initially targeted customer relationship management, business process outsourcing and technology companies in 2022 and have since shifted to the gaming, hospitality, retail, manufacturing and financial sectors.
Scattered Spider, also tracked under other names such as Octo Tempest, has become known for advanced social engineering, including voice phishing, artificial intelligence used to spoof victims' voices, and SIM swapping, to obtain initial access to targeted organizations.
WHY IT MATTERS
According to a revised threat actor profile released by HC3 on October 24, Scattered Spider operatives engage in data extortion and evade detection by living off the land and frequently modifying their tactics, techniques and procedures. These threat actors have leveraged various remote monitoring and management tools, used multiple information stealers and then deployed various ransomware families in victim environments, chiefly for financial gain.
The agency links to specific mitigation and control measures that it said health systems should familiarize themselves with now. These include mitigations global financial institutions have implemented in response to Scattered Spider activities compiled by the Financial Services Information Sharing and Analysis Center, joint recommendations the Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency offered last year and more.
HC3's new alert updates the group's arsenal as described in the earlier CISA advisory, listing 23 legitimate tools – AnyDesk, ConnectWise Control, LogMeIn and TeamViewer among them – and a dozen malware varieties Scattered Spider operatives might use once they are ready to deploy malware.
"They later employ malicious tools like Mimikatz and secretsdump to escalate privileges," HC3 said about one of many recent campaigns discussed in the alert.
Scattered Spider threat actors seek to move laterally through victim networks to "disable security and recovery services, exfiltrate data and conduct ransomware operations." Because that access typically begins with credentials harvested through cloned login portals, controls that detect and take down such portals are essential.
FS-ISAC recommended engaging in or building a "brand protection service that monitors in real-time for domain registrations impersonating your brand."
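The two paragraphs above describe the control in the abstract: watch for cloned login portals and for domain registrations that impersonate the brand. The following is an added example of what the screening step of such a brand-protection service looks like in code; it is not code from HC3, FS-ISAC or any advisory the article cites. It assumes a hypothetical brand string ("exampleclinic"), the set of domains the organisation actually owns, and a feed of newly registered domains (constructed inline here, where a real service would consume a zone-file diff or a certificate-transparency stream). The homoglyph table, lure terms and scoring weights are this example's own choices.

```python
"""Screen a feed of newly registered domains for impersonation of a brand.

Added example written for this article; not code from HC3, FS-ISAC or the
cited advisories. It assumes a brand string, the organisation's own registered
domains, and a feed of candidate domains (constructed below). The scoring
weights are this example's own.
"""
import unicodedata

# Substitutions typosquatters use to make a lookalike read like the brand.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Terms that, bolted onto a brand, suggest a cloned login or help-desk portal.
PORTAL_LURES = ("sso", "okta", "login", "signin", "helpdesk", "vpn", "mfa", "portal", "support")


def normalize(label: str) -> str:
    """Fold a DNS label to a comparison form: lower-case, strip accents, undo homoglyphs."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for lookalike, real in HOMOGLYPHS.items():
        label = label.replace(lookalike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(domain: str, brand: str, own_domains: frozenset) -> dict:
    """Score one domain for brand impersonation and explain why."""
    domain = domain.lower().rstrip(".")
    result = {"domain": domain, "score": 0, "reasons": []}
    if domain in own_domains:
        return result

    labels = domain.split(".")
    # Assumption: a single-label public suffix (.com, .net). Real tooling should
    # use the Public Suffix List so "brand.co.uk" is handled correctly.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    raw = registrable.replace("-", "")
    parts = [normalize(p) for p in registrable.split("-") if p]
    joined = "".join(parts)
    brand_norm = normalize(brand)

    if brand_norm in joined:
        result["score"] += 40
        result["reasons"].append("brand string embedded in registrable label")
        remainder = joined.replace(brand_norm, "", 1)
        if joined != raw:
            result["score"] += 30
            result["reasons"].append("homoglyph or digit-for-letter substitution")
        elif not remainder:
            result["score"] += 20
            result["reasons"].append("exact brand on a TLD the organisation does not own")
        # A lure counts when it is its own hyphenated part or brackets the brand,
        # so incidental substrings ("associates" contains "sso") are not flagged.
        lures = sorted(l for l in PORTAL_LURES
                       if l in parts or remainder.startswith(l) or remainder.endswith(l))
        if lures:
            result["score"] += 30
            result["reasons"].append("login-portal lure term(s): " + ", ".join(lures))
    else:
        distance = levenshtein(joined, brand_norm)
        if distance <= 2:
            result["score"] += 50 - 10 * (distance - 1)
            result["reasons"].append(f"{distance} edit(s) from brand")
    return result


def screen_feed(feed, brand: str, own_domains: frozenset, threshold: int = 40) -> list:
    """Return flagged domains, highest score first."""
    hits = [analyze(d, brand, own_domains) for d in feed]
    return sorted((h for h in hits if h["score"] >= threshold),
                  key=lambda h: (-h["score"], h["domain"]))


BRAND = "exampleclinic"                          # hypothetical health-system brand
OWN_DOMAINS = frozenset({"exampleclinic.com"})   # domains the organisation actually holds
# Constructed sample standing in for a real new-registration feed.
SAMPLE_FEED = [
    "exampleclinic.com",         # own domain, ignored
    "exampleclinic-sso.com",     # brand + SSO lure, the cloned-portal pattern
    "examplec1inic.com",         # digit 1 for letter l
    "login-exarnpleclinic.com",  # rn for m, plus a login prefix
    "exampleclinc.net",          # one-character deletion
    "exampleclinic.net",         # exact brand on a TLD never registered
    "weather-report.com",        # unrelated
]

if __name__ == "__main__":
    for hit in screen_feed(SAMPLE_FEED, BRAND, OWN_DOMAINS):
        print(f"{hit['score']:3d}  {hit['domain']:28s} {'; '.join(hit['reasons'])}")
```

Run against the constructed feed, the script flags five of the seven names and ranks `login-exarnpleclinic.com` highest, since it combines a homoglyph with a login lure. In production the flagged list would feed a takedown workflow and a block rule on the web proxy; the scoring is deliberately explainable so an analyst can see why a name was raised rather than trust an opaque score.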
HC3 also noted that the threat actors are believed to be primarily aged 19-22. Arrested members have hailed from U.S. locations like Kentucky and Florida to the West Midlands in England and Dundee, Scotland in the United Kingdom, according to the alert.
THE LARGER TREND
Infostealer infections precede ransomware events for many North American and European ransomware victim companies, according to SpyCloud, a cybercrime analytics firm, which also reported in March that 61% of last year's data breaches, involving more than 343 million stolen credentials, were infostealer malware-related.
In April, HC3 alerted the sector about mitigations to defend against spearphishing voice scams leveraging employee voice impersonation hitting health system help desks to ultimately steal providers' electronic funds transfers.
Spearphishing voice techniques manipulate an administrator into granting system access over a phone call or other voice channel. They combine social engineering, posing as a trusted source, with artificial intelligence used to make the impersonation more convincing.
"It is important to note that threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements," HC3 said.
HC3 also noted in the alert that Scattered Spider – also known as UNC3944 – hit the hospitality and entertainment sector last year with a spearphishing voice scam before deploying ALPHV/BlackCat ransomware.
In December, the U.S. Department of Justice announced it had seized the ransomware gang's infrastructure, but in February BlackCat claimed to have exfiltrated 6TB of Change Healthcare data in the seismic attack that disrupted healthcare operations nationwide.
ON THE RECORD
"During campaigns, Scattered Spider has leveraged targeted social engineering techniques, attempted to bypass popular endpoint security tools, and has deployed ransomware for financial gain," HC3 said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.