CyberWire Daily - Spinning the web of tangled tactics. [Research Saturday]
Episode Date: August 3, 2024
This week, we are joined by Jason Baker, Senior Threat Consultant at GuidePoint Security, and he is discussing their work on "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider." In early 2024, a current RansomHub RaaS affiliate was identified as a former Alphv/Black Cat affiliate and is believed to be linked to the Scattered Spider group, known for using overlapping tools, tactics, and victims. The high-confidence assessment by GuidePoint's DFIR and GRIT teams is supported by the consistent use of tools like ngrok and Tailscale, social engineering tactics, and systematic playbooks in intrusions. The research can be found here: Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider
Transcript
You're listening to the CyberWire Network, powered by N2K.
...I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly...
Thank you.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So this came to the attention of a couple of our colleagues on our incident response team and
myself following an IR investigation that we were supporting. It was an attempted ransomware incident.
And in the process there, we uncovered a couple of artifacts
that appeared to have been inadvertently left behind by the threat actor.
And from there, we pivoted and we discovered some additional infrastructure
that was unrelated to that incident,
but which we had really high confidence was attributed to the same actor.
That's Jason Baker, Senior Threat Consultant at GuidePoint Security.
The research we're discussing today is titled Worldwide Web:
An Analysis of Tactics and Techniques Attributed to Scattered Spider.
What we were able to do from there was sort of unpack a laundry list of behavior and tools that the actor was using.
We compared it at the time to a thief leaving their wallet behind at the crime scene, for lack of a better way of putting it.
And that's what we attempted to sort of unpack and digest and take a look at as part of this blog and this investigation.
Well, I mean, it's quite a story here. Can we walk through it together? Why don't we start at
the beginning here? As you said, you all are working on an IR job here. What did you find
left behind?
So I have to be a little bit careful just because the resources that we found were a
little bit sensitive. And some of the
pieces we were able to, you know, pass on as needed to law enforcement. But what we wanted to avoid
doing in this blog and in our discussions was burning a resource, right? For any intelligence
source, you want to preserve those sources and methods. But to give sort of a high-level overview,
it was essentially the equivalent of a to-do list, right?
Here's ways that we can get over potential roadblocks that an attacker would be referencing throughout the course of an intrusion.
So you refer to this group RansomHub, this ransomware as a service group,
and believe with high confidence that they were formerly an Alphv/BlackCat
affiliate.
There's quite a few names scattered throughout here.
Can you take us through that element of it?
Absolutely.
So RansomHub really first appeared on everybody's radar in February.
And most of the time when you first see a ransomware group
or a ransomware as a service group,
they tend to start off pretty slowly.
They're still getting their footing.
They're attracting new affiliates
and sort of making a name for themselves,
perfecting their TTPs,
getting more effective as they go along.
But RansomHub is notable
because they haven't taken that approach.
They've taken off very quickly in a way that's pretty immediately anomalous.
Even just a couple of days ago, they dumped something like 100 plus victims on their data leak site.
It's an extremely anomalous kind of behavior.
Now, RansomHub is also notable, and we called this out in one of our earlier blogs and reports, because they were actively recruiting on a number of illicit,
underground forums for new affiliates.
And the language that they were using,
it was pretty clear that either implicitly or explicitly,
they were targeting affiliates that were impacted by recent disruptions to Alphv and to LockBit.
If you were to look at kind of the hierarchy of different ransomware as a service groups,
LockBit and Alphv have been there up at the top
for a very long time.
So these recent disruptive operations
for Operation Cronos for LockBit
and the sort of exit scamming by Alphv,
that's going to impact a lot of very high level,
highly skilled and experienced affiliates.
And RansomHub, by the looks of it, was really trying to bring those people into the fold,
people who had to go somewhere else.
And that's what we think is, that's what we assess is going on here with their pretty rapid rise to prevalence.
So to tie it back into the other names here, so Alphv, as I mentioned,
has long been or was one of the most prolific ransomware as a service groups. And they were
also extremely aggressive in employing what we would call escalating coercive tactics or novel
coercive tactics, really naming and shaming victims, trying to attract attention to their attacks as a way to apply additional extortion leverage as part of their operations. And we saw Scattered Spider
start affiliating with them last year, I believe it was, but that really became
visible in the wake of alleged attacks on MGM and Caesars in Las Vegas, which got a lot of news coverage, right?
And that's when Scattered Spider started to attract a lot more attention just because
they were such visible and publicly reported attacks.
Now, there are some specific sort of lapses in OPSEC by this particular threat actor that
allowed you and your colleagues there
to get some insights into their TTPs? Would that be an accurate way to describe it?
Yes, I'd say that's a perfect way to encapsulate that. Yes. A lot of the time, threat actors are
decent at covering up their tracks, right? You don't want to burn exactly how you got in somewhere
or what tools you were using because it makes it easier for defenders to plan
and protect against those.
In this case, whether it be by an error
or whether it be by just good defensive measures,
they left a lot more than we would typically be able
to exploit and take advantage of.
One of the tools that you all described
is called Secret Server Secret Stealer.
Can we dig into some of the particular elements of that tool?
Yes, sure.
So Secret Stealer, or I'm sorry, Secret Server Secret Stealer
is an open source project.
You can find remnants of it all over GitHub.
And it's specifically used to target an information
and access management tool.
It's been used against Thycotic and CyberArk.
And what we were able to come across
in the course of our investigation
was not just the use of it,
which this particular tool has been used
by other threat actors,
but the actual way in which they applied
that script via PowerShell.
And that was used essentially for dumping credentials
and gaining additional access for lateral movement
and privilege escalation.
Can we go through some of the techniques
that you all tracked here?
I mean, in the research,
you have a handful of MITRE ATT&CK techniques
that you highlighted.
What were some of the ones that you think are particularly interesting here?
From my perspective, the most interesting ones were where we don't often have insight
because they would have been performed on the adversary side.
So as part of any incident response effort, you're seeing what's happening on the victim side.
That's what you're looking for evidence of.
You're looking for what impact they had
on impacted servers and devices.
And a lot of the time,
that's reflected in the tooling that they already have.
It's harder to see what they're using
to achieve their desired effects on their end.
And one example of that was Remmina,
which is an open-source remote desktop client
that is used for different operating systems.
And I don't believe that we've seen a lot of reporting on the use of that by adversaries
simply because it's not something that you can detect.
It's pretty hard to gain insight into the adversary's environment,
both because they attempt to obfuscate it and because it can, in different access methods,
it can be tricky to gain access to that
without kind of toeing a line, legally speaking, right?
You can't hack back the attackers
and look at what they did on their end.
Fortunately, their lapses in operational security there
gave away that that was one of the scripts
and one of the tools that they were using.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
What were some of the other things that you saw here?
I mean, you all talk about some of the scripts that you used,
some things that in your research you talk about, Mandiant and ReliaQuest both reporting on Scattered Spider's targeting of CyberArk,
and then you listed some of the scripts that they were used there.
Anything noteworthy there?
I think that generally what we were seeing,
a lot of it has been reported in past reporting
as associated with this group.
Where we were really able to take advantage of things
was looking at the actual scripts themselves
down to the command line inputs
and how they were deploying them.
We were also able to make the assessment based on how those scripts were recovered.
A lot of this was easily attainable by GitHub and publicly available means.
It's not as customized and exquisite as you might see or expect to see with a very sophisticated threat actor.
A lot of it's kind of by-the-book stuff.
So an example that I like to give is that the Windows registry subkey deletion batch script that we have included in there,
where it goes through and it deletes a number of registry subkeys.
This is a great way to evade defenses, to overcome and to keep operating in
the environment without firing off a lot of alarms.
But the actual script itself is so prevalent out there.
It's in Microsoft Windows troubleshooting forums,
and just a number of just openly available forums for people
trying to get around issues that they were
having in their organizational settings.
Being able to take and repurpose tools from GitHub, openly available resources, forums, and the like, and to use them essentially for evil is really, I think, unique in that we tend to view sophisticated actors as building these bespoke tools
and using really advanced, complicated techniques,
when in a lot of cases, that's just not what they're doing.
It's the minimum viable product
for generating effects on the victim environment.
Yeah, it's an interesting insight.
I mean, it kind of reminds me of the classic
man behind the curtain type of thing
where there's a certain amount of swagger
and maybe even bluster about the sophistication
of a group like this.
But when folks like you and your colleagues there
get an actual look behind that screen,
it's not as complex or sophisticated
as perhaps they want you to believe.
Yeah, I think that that's completely fair.
We elevate really successful threat actors because it's easy to view them as overcoming all of these defenses in place. But often all it takes is one
hole in the armor of pretty basic defensive best practices for them to establish a foothold. And
that's why I think defenders across the enterprise and consulting and vendors always stress those fundamentals because some of these tools in here should be firing off alerts, should be prevented by basic defensive practices. But unfortunately, in all cases, that's not always what's happening.
Well, based on the information that you've gathered here,
what are your recommendations for people to best protect themselves?
I think generally, one of the things that we notice in our reporting and that you'll see pretty frequently is the use of PowerShell,
the use of Python, the use of batch scripts in order to achieve effects.
And this is good from an adversary perspective
because you don't need to haul around a bunch of very loud malware with you.
You don't need to transfer over a ton of tools in order to have the desired effect.
But the thing is, for most workers in most victim environments,
the need for these tools is not there.
Somebody working in accounting doesn't need PowerShell.
Somebody working in finance does not need to be able to download software, install it, and execute from there.
They don't need to have these permissions, but they're often enabled by default. I think that alerting on, monitoring, or outright blocking
some of these capabilities is a great way to stop
a lot of the tool usage and execution that takes place
in the earlier stages of the kill chain.
What's your sense with the RansomHub group?
I mean, having gone through this research,
is your sense that there's still an up-and-coming group?
You know, it sounds to me like you're less impressed with them than perhaps you were at the outset.
But that doesn't mean, you know, with hard work and dedication that they can continue along the path that they seem to be set on here.
Sure. Well, without painting the picture of the great American success story,
right, try hard enough and you can start up your own cybercrime. Right. No, I think most likely
what we're seeing and what we assess is happening with RansomHub is the central problem of ransomware
as a service in general, which is that arrests and law enforcement disruption operations, while great and impactful to the core groups, they don't get rid of the underlying affiliates that make the operations happen.
And so with RansomHub following the disruption of Alphv and following the disruption of LockBit, I think what we're seeing is just experienced affiliates moving on to their next opportunity.
And RansomHub has certainly opened the doors for that.
And I think that that's at least partially explainable
for why we've seen such a rapid uptick in their operations
over the last couple of months.
Right. I mean, there's that opportunity there
that there's a void ready to be filled.
Absolutely. And the other bit with affiliates is,
you know, we can't say this is the only place
that affiliates are going
or the only place that
Scattered Spider affiliates are going.
It's sort of the nature of the beast
that they can come and go
as they please to other groups.
So over the next couple of months
in the near term to the midterm,
I'd say we're more likely to see
continued operational
presence and prolific operations from RansomHub, but we're probably also going to see upticks in a
couple of other groups that may have performed at a slower operational tempo in the past,
whether that be existing competing ransomware as a service groups or other newly emerging groups
that are picking up their tempo a lot
faster than we would normally expect.
Because an affiliate can go to an existing group, they can spin off and form their own
group.
There's any other number of ways in which they could continue their careers as cyber
criminals.
Yeah.
My sense is that we're seeing more cross-pollination of these threat actors.
And when I read your research that,
as you say, someone gets shut down and some of the operators who don't get caught up in law enforcement kind of get scattered to the wind and then cross-pollinated with either new startups or
other existing groups or those sorts of things. Do you think that's an accurate perception?
Is there anything to that?
Yes, absolutely.
I'd say the biggest way that we see that,
that comes to mind, is in vulnerability exploitation.
Exploitation of vulnerabilities for initial access
or any other stage of the kill chain
used to be considered sort of a niche thing.
We associated it with CLOP,
where they specialize in taking advantage
of managed
file transfer applications, for example, to gain initial access and smash and grab. But over the
last year, what we've seen a lot of is the exploitation of a new vulnerability start to
slowly spread over time, especially once a proof of concept exploit or readily available scripts become available, their exploitation takes off exponentially.
And it continues on even past sort of that immediate window
where folks are still patching because there's still targets to hit
that still have vulnerable software.
So LockBit in particular has picked up in their exploitation of vulnerabilities.
I think we're going to continue to see that willingness to reach out,
grab publicly available POC exploits,
and rapidly adapt them to ransomware operations.
I think we're going to be seeing more of that in the near term,
especially so long as it works, right?
Our thanks to Jason Baker from GuidePoint Security for joining us.
The research is titled Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider.
We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives
and their families at home? Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite
podcast app. Please also fill out the survey in the show notes or send an email to cyberwire
at n2k.com. We're privileged that
N2K CyberWire is part of the daily routine of the most influential leaders and operators in the
public and private sector from the Fortune 500 to many of the world's preeminent intelligence and
law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment,
your people. We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.