CISA, FBI Issue New Warning Following Las Vegas Cyberattack

The FBI and U.S. Cybersecurity and Infrastructure Security Agency are urging critical infrastructure organizations to implement mitigation techniques to thwart a cybercriminal group known as Scattered Spider that targets major companies and their IT help desks.

See Also: OnDemand | Ransomware in the Cloud: Challenges and Security Best Practices

A joint advisory describes the hacking group, also known as Octo Tempest and UNC3944, as having expertise in social engineering that uses phishing, push bombing and other techniques to gain unauthorized access into the networks of commercial facilities that provide retail, entertainment and lodging services to the public (see: Meet Octo Tempest, ‘Most Dangerous Financial’ Hackers).

Scattered Spider hackers are unique among cybercriminal organizations as the group appears to consist of native English speakers and lacks a clear public internet presence, unlike many of its Russian and former Soviet counterparts.

During a Thursday phone call with reporters, senior CISA and FBI officials linked the hacking group to a major cyberattack in September that targeted MGM Resorts International and incapacitated operations across several popular Las Vegas casinos and hotels.

The advisory says Scattered Spider hackers have posed as company IT and help desk staff and used phone calls or text messages to obtain employee credentials and gain unauthorized access to their networks. The group monetizes access to victim networks through extortion, ransomware and other data theft operations.

The FBI and CISA recommend that organizations implement enhanced application controls and conduct audits of their remote access tools, in addition to reviewing logs for execution of remote access software to detect anomalies. The recommendations also include requiring authorized remote access solutions to only be used within networks over approved solutions, such as virtual private networks, as well as using security software to detect additional anomalies and potential misuse.

A senior FBI official confirmed that there have been additional Scattered Spider victims across the commercial facilities and subsectors space – one of 16 designated critical infrastructure sectors in the U.S. – since the Las Vegas cyberattack. They declined to provide additional information about those victims, citing ongoing investigations.