Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider.
The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is said to be a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.
News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is “associated with several other high profile ransomware attacks performed by Scattered Spider.”
The malware research group further said the individual was a SIM swapper who operated under the alias “Tyler.” SIM-swapping attacks work by calling the telecom carrier to transfer a target’s phone number to a SIM under their control with the goal of intercepting their messages, including one-time passwords (OTPs), and taking control of their online accounts.
According to security journalist Brian Krebs, Tyler is believed to be a 22-year-old from Scotland named Tyler Buchanan, who goes by the name “tylerb” on Telegram channels related to SIM-swapping.
Tyler is the second member of the Scattered Spider group to be arrested after Noah Michael Urban, who was charged by the U.S. Justice Department earlier this February with wire fraud and aggravated identity theft for offenses.
Scattered Spider, which also overlaps with activity tracked the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group that’s infamous for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are suspected to be part of a bigger cybercriminal gang called The Com.
Initially focused on credential harvesting and SIM swapping, the group has since adapted their tradecraft to focus on ransomware and data theft extortion, before shifting to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.
“Evidence also suggests UNC3944 has occasionally resorted to fear-mongering tactics to gain access to victim credentials,” Google-owned Mandiant said. “These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.”
Mandiant told The Hacker News the activity associated with UNC3944 exhibits some level of similarities with another cluster tracked by Palo Alto Networks Unit 42 as Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. It, however, emphasized that they “should not be considered the ‘same.'”
The names 0ktapus and Muddled Libra come from the threat actor’s use of a phishing kit that’s designed to steal Okta sign-in credentials and has since been put to use by several other hacking groups.
“UNC3944 has also leveraged Okta permissions abuse techniques through the self-assignment of a compromised account to every application in an Okta instance to expand the scope of intrusion beyond on-premises infrastructure to Cloud and SaaS applications,” Mandiant noted.
“With this privilege escalation, the threat actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also conduct internal reconnaissance through use of the Okta web portal by visually observing what application tiles were available after these role assignments.”
Attack chains are characterized by the use of legitimate cloud synchronization utilities like Airbyte and Fivetran to export the data to attacker-controlled cloud storage buckets, alongside taking steps to conduct extensive reconnaissance, set up persistence through the creation of new virtual machines, and impair defenses.
Additionally, Scattered Spider has been observed making use of endpoint detection and response (EDR) solutions to run commands such as whoami and quser in order to test access to the environment.
“UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and within each of these applications conducted further reconnaissance,” the threat intelligence firm said. “Specifically for CyberArk, Mandiant has observed the download and use of the PowerShell module psPAS specifically to programmatically interact with an organization’s CyberArk instance.”
The targeting of the CyberArk Privileged Access Security (PAS) solution has also been a pattern observed in RansomHub ransomware attacks, raising the possibility that at least one member of Scattered Spider may have turned into an affiliate for the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.
The evolution of the threat actor’s tactics further coincides with its active targeting of finance and insurance industries using convincing lookalike domains and login pages for credential theft.
The FBI told Reuters last month that it’s laying the groundwork to charge hackers from the group that has been linked to attacks targeting over 100 organizations since its emergence in May 2022.