HC3 warns providers about Scattered Spider threat
The Health Sector Cybersecurity Coordination Center published a sector alert advising on measures to defend against US- and UK-based threat actors that initially focused on customer relationship management, business process outsourcing and technology companies in 2022 and then moved into the gaming, hospitality, retail, manufacturing and financial sectors.
Scattered Spider, also known by other names such as Octo Tempest, has become known for its advanced social engineering techniques, including voice phishing, the use of artificial intelligence to spoof victims’ voices, and SIM swapping, to gain initial access to targeted organizations.
WHY IT’S IMPORTANT
According to a revised profile of the threat actor released by HC3 on October 24, Scattered Spider operatives engage in data extortion and evade detection by living off the land and adapting their tactics, techniques and procedures. These threat actors have leveraged various remote monitoring and management tools, used multiple information stealers, and then deployed various ransomware into victim environments, primarily for financial gain.
The agency is linking specific mitigation and control measures that it says healthcare systems should familiarize themselves with now. These include mitigations that global financial institutions have implemented in response to Scattered Spider activities compiled by the Financial Services Information Sharing and Analysis Center, joint recommendations the Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency offered last year and more.
HC3’s new alert updates the information in the previous CISA advisory about the group’s arsenal: it lists 23 legitimate tools – such as AnyDesk, ConnectWise Controller, LogMeIn, TeamViewer and others – and a dozen types of malware that Scattered Spider agents can use once they are ready to deploy malware.
“They later use malicious tools like Mimikatz and secretsdump to escalate privileges,” HC3 said of one of several recent campaigns discussed in the alert.
Scattered Spider threat actors attempt to move laterally through victim networks to “disable security and recovery services, exfiltrate data, and conduct ransomware operations,” so detection and mitigation controls that check for cloned login portals are essential.
FS-ISAC recommended deploying or building a “brand protection service that checks in real time for domain registrations that mimic your brand.”
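The brand-protection check FS-ISAC describes amounts to screening new domain registrations for look-alikes of your own brand. The following is an added illustration, not code from HC3, FS-ISAC or the article: it folds common visual confusables (digit-for-letter swaps, "rn" for "m", accented characters) and applies an edit-distance threshold to flag typosquats, brand-embedded labels and homoglyph clones in a newly-registered-domain feed. The brand name, allowlist and feed entries are constructed for the example.

```python
import unicodedata

# Constructed brand and allowlist for this example; a real deployment loads its own.
BRAND = "examplehealth"
LEGITIMATE = {"examplehealth.com", "examplehealth.org"}

# Visually confusable sequences that phishing domains commonly substitute.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label: str) -> str:
    """Fold confusables so a look-alike label compares equal to the brand it mimics."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s.replace("-", "")  # hyphens are free padding for squatters

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str = BRAND, max_distance: int = 2) -> str:
    """Return 'legitimate', 'homoglyph', 'brand-embedded', 'typosquat' or 'unrelated'.
    Assumes the input is a registrable domain (label.tld), not a full hostname."""
    domain = domain.lower().rstrip(".")
    if domain in LEGITIMATE:
        return "legitimate"
    label = normalize(domain.split(".")[0])  # second-level label only
    target = normalize(brand)
    if label == target:
        return "homoglyph"       # looks identical after folding confusables
    if target in label:
        return "brand-embedded"  # e.g. brand-login.net, brand-portal.com
    if levenshtein(label, target) <= max_distance:
        return "typosquat"       # one or two keystrokes away from the brand
    return "unrelated"

def triage(feed):
    """Reduce a new-registration feed to the entries worth an analyst's attention."""
    return {d: c for d in feed if (c := classify(d)) not in ("legitimate", "unrelated")}

if __name__ == "__main__":
    SAMPLE_FEED = ["examplehealth.com", "exarnplehealth.com", "examp1ehealth-login.net",
                   "exampelhealth.com", "cityclinicportal.com"]  # constructed feed
    for d, verdict in triage(SAMPLE_FEED).items():
        print(f"{d}: {verdict}")
```

Feed the function the daily zone-file or certificate-transparency deltas and route anything it returns to takedown or blocklisting.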
HC3 also noted that the threat actors are believed to be mainly between 19 and 22 years old. Arrested members are said to have come from U.S. locations such as Kentucky and Florida to the West Midlands in England and Dundee, Scotland in the United Kingdom, according to the alert.
THE BIG TREND
Infostealer infections precede ransomware events for many North American and European companies affected by ransomware, according to SpyCloud, a cybercrime analytics firm, which also reported in March that 61% of last year’s data breaches, involving more than 343 million stolen credentials, were related to infostealer malware.
In April, HC3 alerted the industry about measures to defend against spearphishing voice fraud, which used employee voice impersonation, targeting healthcare system helpdesks to ultimately steal providers’ electronic fund transfers.
Spear phishing voice techniques used to manipulate an administrator into granting access to systems via a phone call or other voice communication include social engineering to impersonate a trusted source and artificial intelligence to improve the quality of the exploits.
“It is important to note that threat actors may also attempt to leverage AI voice impersonation techniques for social engineering purposes, making remote identity verification increasingly difficult with these technological advancements,” HC3 said.
HC3 also noted in the alert that Scattered Spider – also known as UNC3944 – hit the hospitality and entertainment sectors last year with a spearphishing voice scam before the ALPHV/BlackCat ransomware was deployed.
In December, the US Department of Justice claimed to have seized the ransomware gang’s infrastructure, but then in February BlackCat claimed to have exfiltrated 6 TB of Change Healthcare data in the seismic attack that disrupted healthcare operations across the country.
ON THE RECORD
“During campaigns, Scattered Spider has used targeted social engineering techniques, attempted to circumvent popular endpoint security tools, and deployed ransomware for financial gain,” HC3 said.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
The HIMSS Healthcare Cybersecurity Forum will take place from October 31 to November 1 in Washington, DC.