CyberWire Daily

Spinning the web of tangled tactics. [Research Saturday]

This week, we are joined by Jason Baker, Senior Threat Consultant at GuidePoint Security, and he is discussing their work on "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider." In early 2024, a current RansomHub RaaS affiliate was identified as a former Alphv/Black Cat affiliate and is believed to be linked to the Scattered Spider group, known for using overlapping tools, tactics, and victims. The high-confidence assessment by GuidePoint’s DFIR and GRIT teams is supported by the consistent use of tools like ngrok and Tailscale, social engineering tactics, and systematic playbooks in intrusions. The research can be found here: Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider

Duration:
23m
Broadcast on:
03 Aug 2024
Audio Format:
mp3

You're listening to the CyberWire Network, powered by N2K. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

So this came to the attention of a couple of our colleagues on our incident response team and myself following an IR investigation that we were supporting. It was an attempted ransomware incident, and in the process there, we uncovered a couple of artifacts that appeared to have been inadvertently left behind by the threat actor. And from there, we pivoted and we discovered some additional infrastructure that was unrelated to that incident, but which we had really high confidence was attributed to the same actor.

That's Jason Baker, senior threat consultant at GuidePoint Security. The research we're discussing today is titled "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider."

What we were able to do from there was sort of unpack a laundry list of behavior and tools that the actor was using. We compared it at the time to a thief leaving their wallet behind at the crime scene, for lack of a better way of putting it.
And that's what we attempted to sort of unpack and digest and take a look at as part of this blog and this investigation.

Well, I mean, it's quite a story here. Can we walk through it together? Why don't we start at the beginning here? As you said, you all are working on an IR job here. What did you find left behind?

So I have to be a little bit careful just because the resources that we found were a little bit sensitive and some of the pieces we were able to pass on as needed to law enforcement. But what we wanted to avoid doing in this blog and in our discussions was burning a resource, right? For any intelligence source, you want to preserve those sources and methods. But to give sort of a high-level overview, it was essentially the equivalent of a to-do list of ways that we can get over potential roadblocks that an attacker would be referencing throughout the course of an intrusion.

So you refer to this group RansomHub, this ransomware-as-a-service group, and you believe with high confidence that they were formerly an Alphv/BlackCat affiliate. There's quite a few names scattered throughout here. Can you take us through that element of it?

Absolutely. Absolutely. So RansomHub really first appeared on everybody's radar in February. And most of the time, when you first see a ransomware group or a ransomware-as-a-service group, they tend to start off pretty slowly. They're still getting their footing, they're attracting new affiliates and sort of making a name for themselves, perfecting their TTPs, getting more effective as they go along. RansomHub is notable because they haven't taken that approach. They've taken off very quickly in a way that's pretty immediately anomalous. Even just a couple of days ago, they dumped something like 100 plus victims on their data leak site. It's an extremely anomalous kind of behavior.
Now RansomHub is also notable because, we called this out in one of our earlier blogs and reports, because they were actively recruiting on a number of illicit forums, underground forums, for new affiliates. And the language that they were using, it was pretty clear that either implicitly or explicitly, they were targeting affiliates that were impacted by recent disruptions to Alphv and to LockBit. If you were to look at kind of the hierarchy of different ransomware-as-a-service groups, LockBit and Alphv have been there up at the top for a very long time. So these recent disruptive operations, Operation Cronos for LockBit and the sort of exit scamming by Alphv, that's going to impact a lot of very high-level, highly skilled and experienced affiliates. And RansomHub, by the looks of it, was really trying to bring those people into the fold. People who had to go somewhere else. And that's what we assess is going on here with their pretty rapid rise to prevalence. So to tie it back into the other names here, so Alphv, as I mentioned, has long been or was one of the most prolific ransomware-as-a-service groups. They were also extremely aggressive in employing what we would call escalating coercive tactics or novel coercive tactics, really naming and shaming victims, trying to attract attention to their attacks as a way to apply additional extortion leverage as part of their operations. And we saw Scattered Spider start affiliating with them last year, I believe it was, but that really became visible in the wake of alleged attacks on MGM and Caesars in Las Vegas, which got a lot of news coverage, right? And that's when Scattered Spider started to attract a lot more attention, just because they were such visible and publicly reported attacks.

Now there are some specific sort of lapses in OPSEC by this particular threat actor that allowed you and your colleagues there to get some insights into their TTPs. Would that be an accurate way to describe it?
Yes, I'd say that's a perfect way to encapsulate that, yes. A lot of the time threat actors are decent at covering up their tracks, right? You don't want to burn exactly how you got in somewhere or what tools you were using, because it makes it easier for defenders to plan and protect against those. In this case, whether it be by an error or whether it be by just good defensive measures, they left a lot more than we would typically be able to exploit and take advantage of.

One of the tools that you all described is called Secret Server Secret Stealer. Can we dig into some of the particular elements of that tool?

Yes, sure. So Secret Stealer, I'm sorry, Secret Server Secret Stealer is an open source project. You can find remnants of it all over GitHub, and it's specifically used to target an information and access management tool. It's been used against Thycotic and CyberArk. What we were able to come across in the course of our investigation was not just the use of it, which this particular tool has been used by other threat actors, but the actual way in which they applied that script via PowerShell. That was used essentially for dumping credentials and gaining additional access for lateral movement and privilege escalation.

Can we go through some of the techniques that you all tracked here? I mean, in the research, you have a handful of MITRE ATT&CK techniques that you highlighted. What were some of the ones that you think are particularly interesting here?

From my perspective, the most interesting ones were where we don't often have insight because they would have been performed on the adversary side. So as part of any incident response effort, you're seeing what's happening on the victim side. That's what you're looking for evidence of. You're looking for what impact they had on impacted servers and devices, and a lot of the time that's reflected in the tooling that they already have.
It's harder to see what they're using to achieve their desired effects on their end. One example of that was Remmina, which is an open source remote desktop client that is used for different operating systems. I don't believe that we've seen a lot of reporting on the use of that by adversaries simply because it's not something that you can detect. It's pretty hard to gain insight into the adversary's environment, but because they attempt to obfuscate it and because it can, in different access methods, it can be tricky to gain access to that without toeing a line, legally speaking. You can't hack back the attackers and look at what they did on their end. Fortunately, their lapses in operational security there gave away that that was one of the scripts and one of the tools that they were using.

We'll be right back.

And now a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Make users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.
Are there some of the other things that you saw here? I mean, you all talk about some of the scripts that they used, some things that in your research you talk about Mandiant and ReliaQuest, both reporting on Scattered Spider's targeting of CyberArk, and then you listed some of the scripts that were used there. Anything noteworthy there?

I think that generally what we were seeing, a lot of it has been reported in past reporting, as associated with this group, where we were really able to take advantage of things was looking at the actual scripts themselves down to the command line inputs and how they were deploying them. We were also able to make the assessment based on how those scripts were recovered. A lot of this was easily attainable by GitHub and publicly available means. It's less necessary, it's not as customized and exquisite as you might see or expect to see with a very sophisticated threat actor. A lot of it's kind of by-the-book stuff. So an example that I like to give is that the Windows Registry subkey deletion batch script that we have included in there, where it goes through and it deletes a number of registry subkeys. This is a great way to evade defenses, right, to overcome and to keep operating in the environment without firing off a lot of alarms. But the actual script itself is so prevalent out there, it's in Microsoft Windows troubleshooting forums and just a number of just openly available forums for people trying to get around issues that they were having in their organizational settings. Being able to take and repurpose tools from GitHub, openly available resources, forums and the like and to use them essentially for evil is really, I think, unique in that we tend to view sophisticated actors as building these bespoke tools and using really advanced complicated techniques when in a lot of cases that's just not what they're doing. It's the minimum viable product for generating effects on the victim environment.
Yeah, it's an interesting insight. I mean, it kind of reminds me of the classic man-behind-the-curtain type of thing, where there's a certain amount of swagger and maybe even bluster about the sophistication of a group like this. But when folks like you and your colleagues there get an actual look behind that screen, it's not as complex or sophisticated as perhaps they want you to believe.

Yeah, I think that's completely fair. They elevate really successful threat actors because it's easy to view them as overcoming all of these defenses in place, but often all it takes is one hole in the armor of pretty basic defensive best practices for them to establish a foothold. And that's why I think defenders across the enterprise and consulting and vendors always stress those fundamentals, because some of these tools in here should be firing off alerts, should be prevented by basic defensive practices. But unfortunately, in all cases, that's not always what's happening.

Well, based on the information that you've gathered here, what are your recommendations for people to best protect themselves?

I think generally one of the things that we notice in our reporting and that you'll see pretty frequently is the use of PowerShell, the use of Python, the use of batch scripts in order to achieve effects. And this is good from an adversary perspective because you don't need to haul around a bunch of very loud malware with you. You don't need to transfer over a ton of tools in order to have the desired effect. But the thing is, for most workers in most victim environments, the need for these tools is not there. Somebody working in accounting doesn't need PowerShell. Those working in finance do not need to be able to download software, install it, and execute from there. They don't need to have these permissions, but they're often enabled by default.
I think that alerting on, monitoring, or outright blocking some of these capabilities is a great way to stop a lot of the tool usage and execution that takes place in the earlier stages of the kill chain.

>> What's your sense with the RansomHub group? Having gone through this research, is your sense that they're still an up-and-coming group? It sounds to me like you're less impressed with them than perhaps you were at the outset, but that doesn't mean with hard work and dedication that they can continue along the path that they seem to be set on here.

>> Sure. Well, without painting the picture of the great American success story, right, try hard enough and you can start up your own cybercrime.

>> Right.

>> No, I think most likely what we're seeing and what we assess is happening with RansomHub is the central problem of ransomware as a service in general, which is that arrests and law enforcement disruption operations, while great and impactful to the core groups, they don't get rid of the underlying affiliates that make the operations happen. So with RansomHub following the disruption of Alphv and following the disruption of LockBit, I think what we're seeing is just experienced affiliates moving on to their next opportunity. And RansomHub has certainly opened the doors for that, and I think that that's at least partially explainable for why we've seen such a rapid uptick in their operations over the last couple of months.

>> Right. So there's that opportunity there, that there's a void ready to be filled.

>> Mm-hmm. Absolutely. And the other bit with affiliates is we can't say this is the only place that affiliates are going or the only place that Scattered Spider affiliates are going. It's sort of the nature of the beast that they can come and go as they please to other groups.
So over the next couple of months, in the near term to the mid term, I'd say we're more likely to see continued operational presence and prolific operations from RansomHub, but we're probably also going to see upticks in a couple of other groups that may have performed at a slower operational tempo in the past. Whether that be existing, competing ransomware-as-a-service groups, or other newly emerging groups that are picking up their tempo a lot faster than what we would normally expect. Because an affiliate can go to an existing group, they can spin off and form their own group, there's any other number of ways in which they could continue their careers as cyber criminals.

>> Yeah. My sense is that we're seeing more cross-pollination of these threat actors. And when I read your research that, you know, as you say, someone gets shut down and some of the operators who don't get caught up in law enforcement kind of get scattered to the wind and then cross-pollinated with either new startups or other existing groups or those sorts of things. Do you think that's an accurate perception? Is there anything to that?

>> Yes, absolutely. I'd say the biggest way that we see that that comes to mind is in vulnerability exploitation, right? The exploitation of vulnerabilities for initial access or any other stage of the kill chain used to be considered sort of a niche thing. We associated it with Clop, where they specialize in taking advantage of managed file transfer applications, for example, to gain initial access and smash and grab. But over the last year what we've seen a lot of is the exploitation of a new vulnerability start to slowly spread over time, especially once a proof-of-concept exploit or readily available scripts become available. Their exploitation takes off exponentially and it continues on even past sort of that immediate window where folks are still patching, because there are still targets to hit that still have vulnerable software.
So LockBit in particular has picked up in their exploitation of vulnerabilities. I think we're going to continue to see that willingness to reach out, grab publicly available PoC exploits and rapidly adapt them to ransomware operations. I think we're going to be seeing more of that in the near term, especially so long as it works.

Our thanks to Jason Baker from GuidePoint Security for joining us. The research is titled "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider." We'll have a link in the show notes.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening.
We'll see you back here next time.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.