Cyber Threat Report: 'Scattered Spider Advisory AA23-320A'

Report Author CISA
Publication Date 2023-11-16
Related Intrusion Sets Scattered Spider
Victim Sectors Leisure and Hospitality

This joint advisory from CISA and the FBI outlines the tactics, techniques and procedures (TTPs) used by Scattered Spider threat actors, as observed by the FBI through November 2023. The advisory describes Scattered Spider as a cybercriminal group that targets large companies and their contracted IT help desks, typically gaining initial access through phishing and other social engineering of staff and help-desk personnel, and that may ultimately steal data and deploy ransomware to extort the victim. It also outlines mitigations organizations can employ to reduce the likelihood and impact of an attack by the group.


Identified MITRE ATT&CK Techniques

| ATT&CK ID | Title | Associated Tactics |
| --- | --- | --- |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1486 | Data Encrypted for Impact | Impact |
| T1219 | Remote Access Software | Command and Control |
| T1530 | Data from Cloud Storage | Collection |
| T1114 | Email Collection | Collection |
| T1074 | Data Staged | Collection |
| T1213.002 | Sharepoint | Collection |
| T1213.003 | Code Repositories | Collection |
| T1021.007 | Cloud Services | Lateral Movement |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1018 | Remote System Discovery | Discovery |
| T1083 | File and Directory Discovery | Discovery |
| T1538 | Cloud Service Dashboard | Discovery |
| T1217 | Browser Information Discovery | Discovery |
| T1552.004 | Private Keys | Credential Access |
| T1552.001 | Credentials In Files | Credential Access |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1606 | Forge Web Credentials | Credential Access |
| T1578.002 | Create Cloud Instance | Defense Evasion |
| T1484.002 | Domain Trust Modification | Defense Evasion, Privilege Escalation |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
| T1136 | Create Account | Persistence |
| T1204 | User Execution | Execution |
| T1648 | Serverless Execution | Execution |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1199 | Trusted Relationship | Initial Access |
| T1566 | Phishing | Initial Access |
| T1585.001 | Social Media Accounts | Resource Development |
| T1583.001 | Domains | Resource Development |
| T1598 | Phishing for Information | Reconnaissance |
| T1589 | Gather Victim Identity Information | Reconnaissance |
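As an added example that is not part of the CISA advisory or of this catalog entry: one of the techniques listed above, T1621 (Multi-Factor Authentication Request Generation, i.e. bombarding a user with push prompts until one is approved), can be surfaced in identity-provider logs by counting unapproved pushes per user in a sliding window and flagging any approval that follows such a burst. The JSON-lines schema, field names, sample records, window and threshold below are constructed assumptions for illustration, not any real provider's export format.

```python
"""Detect MFA push bombing (ATT&CK T1621) in authentication logs.

Added example; not code from the advisory. The JSON-lines schema, field
names and sample records are constructed/hypothetical. Adapt the field
names to your identity provider's log export.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "jdoe" is hammered with pushes and finally
# approves one; "asmith" is a normal login with a single denied push.
SAMPLE_LOG = """
{"ts": "2023-11-10T02:00:05Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2023-11-10T02:00:40Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2023-11-10T02:01:10Z", "user": "jdoe", "event": "mfa_push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2023-11-10T02:01:45Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2023-11-10T02:02:30Z", "user": "jdoe", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2023-11-10T09:15:00Z", "user": "asmith", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.2"}
{"ts": "2023-11-10T09:15:20Z", "user": "asmith", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.2"}
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # assumed: unapproved pushes before alerting


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users who received >= threshold unapproved
    pushes (denied/timeout) inside `window`. `approved_after_burst` is set
    when the user finally approves a push while the burst is still in the
    window: the case where the attacker likely now holds a session."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes
    findings = {}
    for ev in events:
        if ev.get("event") != "mfa_push":
            continue
        user = ev["user"]
        q = recent[user]
        # Drop unapproved pushes that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] != "approved":
            q.append(ev["ts"])
            if len(q) >= threshold:
                f = findings.setdefault(
                    user, {"unapproved": 0, "approved_after_burst": False,
                           "src_ips": set()})
                f["unapproved"] = max(f["unapproved"], len(q))
                f["src_ips"].add(ev["src_ip"])
        elif len(q) >= threshold:
            f = findings.setdefault(
                user, {"unapproved": len(q), "approved_after_burst": False,
                       "src_ips": set()})
            f["approved_after_burst"] = True
            f["src_ips"].add(ev["src_ip"])
            q.clear()   # the burst ended with an approval; start fresh
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT T1621 user={user} unapproved_pushes={f['unapproved']} "
              f"approved_after_burst={f['approved_after_burst']} "
              f"src_ips={sorted(f['src_ips'])}")
```

Tune the window and threshold to your environment's baseline of accidental denials, and treat `approved_after_burst` as the high-severity case: the advisory's help-desk and social-engineering focus means the approval may have been talked out of the user rather than obtained by the attacker alone, so pair the alert with a session revocation and a call back to the user on a known number.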