At a glance.
- CISA and FBI warn of Scattered Spider.
- Phobos ransomware: an affiliate crimeware-as-a-service program.
- A "hack-for-hire" contractor.
- “Scama” in the C2C market.
- The tempo of cyber operations in Russia's hybrid war.
CISA and FBI warn of Scattered Spider.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory outlining the activities of the Scattered Spider cybercriminal gang: “Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities. Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).” The threat actor targets large companies, and has “been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.”
The joint advisory is as much a call for information sharing as it is a warning about this particular threat group. Scattered Spider has taken an unusual interest in its victims' internal corporate communication channels, notably Slack, Microsoft Teams, and Microsoft Exchange. The group monitors those channels for signs that its activity has been detected or suspected, and it has also shown a propensity to join conversations about remediation efforts, which lets it adapt to the defenders' response in near real time.
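The advisory singles out push bombing (repeated MFA push prompts until a worn-down user approves one) as a credential and MFA-bypass technique. The following detector is an added example, not code from the advisory, CISA, the FBI or the original article: it runs over a constructed, simplified MFA push log (the three-column line format is assumed for illustration and is not any vendor's real schema) and flags a user who receives a burst of denied or timed-out pushes inside a short window, noting whether an approval followed the burst, which is the case where the fatigue attack likely succeeded.

```python
"""Push-bombing (MFA fatigue) detector over a constructed MFA push log.

Added example; the log format is a hypothetical simplification:
    <ISO-8601 UTC timestamp> <user> <push result>
where the push result is one of approve / deny / timeout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. "bob" is hit with six unapproved pushes in a few
# minutes and then approves one; "carol" has a single deny and is benign.
SAMPLE_LOG = """\
2023-11-16T08:00:05Z alice approve
2023-11-16T21:14:02Z bob deny
2023-11-16T21:14:40Z bob timeout
2023-11-16T21:15:11Z bob deny
2023-11-16T21:15:50Z bob timeout
2023-11-16T21:16:30Z bob deny
2023-11-16T21:17:05Z bob timeout
2023-11-16T21:17:45Z bob approve
2023-11-16T21:20:00Z carol deny
2023-11-16T21:30:00Z carol approve
"""

UNAPPROVED = ("deny", "timeout")


def parse_log(text):
    """Parse the hypothetical log into sorted (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort()
    return events


def detect_push_bombing(events, min_unapproved=3, window=timedelta(minutes=10)):
    """Return {user: {"unapproved": n, "approved_after": bool}} for every user
    with at least `min_unapproved` unapproved pushes inside `window`.

    "unapproved" is the largest such burst found; "approved_after" is True when
    an approval lands within `window` after a qualifying burst, i.e. the
    attacker most likely obtained a session and the account needs containment,
    not just a ticket.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    findings = {}
    for user, evs in by_user.items():
        unapproved = [ts for ts, r in evs if r in UNAPPROVED]
        approvals = [ts for ts, r in evs if r == "approve"]
        best = 0
        approved_after = False
        start = 0
        # Sliding window over the user's unapproved pushes, oldest to newest.
        for end in range(len(unapproved)):
            while unapproved[end] - unapproved[start] > window:
                start += 1
            count = end - start + 1
            if count < min_unapproved:
                continue
            best = max(best, count)
            burst_end = unapproved[end]
            if any(burst_end < a <= burst_end + window for a in approvals):
                approved_after = True
        if best:
            findings[user] = {"unapproved": best, "approved_after": approved_after}
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        verdict = "APPROVED AFTER BURST - contain account" if f["approved_after"] else "burst only"
        print(f"{user}: {f['unapproved']} unapproved pushes in window; {verdict}")
```

The thresholds are deliberately conservative defaults; tune `min_unapproved` and `window` against your own baseline of accidental denials, and treat the `approved_after` case as an active-compromise signal that should also trigger a check for newly enrolled MFA devices and remote access tools, the follow-on steps the advisory describes.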
The FBI, Reuters reported earlier this week, has for several months known the identities of about a dozen members of Scattered Spider, and some observers have wondered why the Bureau hasn't been more aggressive in making arrests. The FBI bridled at the criticism, CyberScoop reports, saying in a media call about the advisory, “Just because you don’t see actions being taken, it doesn’t mean there aren’t actions being taken." So absence of evidence isn't evidence of absence.
Phobos ransomware: an affiliate crimeware-as-a-service program.
Cisco Talos has published a study of the Phobos ransomware affiliate program alongside an analysis of the ransomware itself. The researchers found five commonly used Phobos variants: Eking, Eight, Elbie, Devos, and Faust. The variants are, for the most part, delivered to targets through the SmokeLoader backdoor Trojan.
The researchers explained why Phobos seems to be a criminal affiliate program. “There is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to maintain contact, and some had close to 200 unique email addresses with various domains. In some instances, ICQ and Jabber were used as the main contact address. While it’s possible that there is a single group behind Phobos, it would be uncommon to have a threat actor change their contact email address so often....We also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private decryptor key.”