
British hacker linked to famous Scattered Spider group arrested in Spain

June 16, 2024 | Cybercrime / SIM swapping

Law enforcement authorities have reportedly arrested a key member of the notorious cybercrime group called Scattered Spider.

The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca while trying to board a flight to Italy. The arrest is reported to be the result of a joint effort by the U.S. Federal Bureau of Investigation (FBI) and the Spanish police.

News of the arrest was first reported by Murcia Today on June 14, 2024, with Vx-underground subsequently revealing that the person apprehended is “associated with several other high-profile ransomware attacks carried out by Scattered Spider.”

The malware research group further stated that the individual was a SIM swapper who operated under the alias “Tyler.” In a SIM swap attack, the attacker calls the target's telecommunications carrier and convinces it to transfer the target's phone number to a SIM card under the attacker's control, in order to intercept the target's messages, including one-time passwords (OTP), and take over their online accounts.

According to security journalist Brian Krebs, Tyler is a 22-year-old Scotsman named Tyler Buchanan, who goes by “tylerb” on Telegram channels linked to SIM swapping.

Tyler is the second member of the Scattered Spider group to be arrested, after Noah Michael Urban, who was charged by the U.S. Department of Justice earlier this year, in February, with misdemeanor wire fraud and aggravated identity theft.

Scattered Spider, which also overlaps with activity tracked under the monikers 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group infamous for orchestrating sophisticated social engineering attacks to gain initial access to organizations. Members of the group are believed to be part of a larger cybercriminal gang called The Com.

Initially focused on credential harvesting and SIM swapping, the group has since adapted its trade to focus on ransomware and data extortion, before moving on to non-encryption extortion attacks that aim to steal data from SaaS (Software-as-a-Service) applications.

“Evidence also suggests that UNC3944 sometimes used scare tactics to gain access to victims’ identifying information,” Google-owned Mandiant said. “These tactics include threats of hacking personal information, physical violence against victims and their families, and the distribution of incriminating material.”

Mandiant told The Hacker News that the activity associated with UNC3944 bears some similarities to another cluster tracked by Palo Alto Networks Unit 42 under the name Muddled Libra, which has also been observed targeting SaaS applications to exfiltrate sensitive data. The firm stressed, however, that the two “should not be considered 'the same'.”

The names 0ktapus and Muddled Libra come from the threat actor's use of a phishing kit designed to steal Okta login credentials, a kit that has since been used by several other hacking groups.

“UNC3944 also exploited Okta permission abuse techniques by self-assigning a compromised account to each application in an Okta instance to extend the scope of the intrusion beyond on-premises infrastructure to cloud applications and SaaS,” Mandiant noted.

“With this escalation of privilege, the malicious actor could not only abuse applications that leverage Okta for single sign-on (SSO), but also perform internal reconnaissance through the use of the Okta web portal by visually observing which application tiles were available after these role assignments.”
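The self-assignment pattern Mandiant describes leaves a trail in the Okta System Log, where each assignment of a user to an application is recorded as an `application.user_membership.add` event whose actor and target user are the same account. The following detector is an added example, not code from the article or from Mandiant; the sample events are constructed and use a simplified version of the Okta event layout (`eventType`, `published`, `actor`, `target`), so field names should be checked against a real export before use.

```python
# Added example: flag an Okta actor that assigns the same account (typically its
# own) to many applications within a short window. The events below are a
# constructed, simplified imitation of Okta System Log records, not real data.
from datetime import datetime, timedelta
import json

SAMPLE_LOG = """
{"eventType":"application.user_membership.add","published":"2024-06-10T14:01:00.000Z","actor":{"alternateId":"jdoe@example.com"},"target":[{"type":"AppInstance","displayName":"Salesforce"},{"type":"User","alternateId":"jdoe@example.com"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T14:02:30.000Z","actor":{"alternateId":"jdoe@example.com"},"target":[{"type":"AppInstance","displayName":"Workday"},{"type":"User","alternateId":"jdoe@example.com"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T14:03:10.000Z","actor":{"alternateId":"admin@example.com"},"target":[{"type":"AppInstance","displayName":"Azure"},{"type":"User","alternateId":"bsmith@example.com"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T14:04:45.000Z","actor":{"alternateId":"jdoe@example.com"},"target":[{"type":"AppInstance","displayName":"Azure"},{"type":"User","alternateId":"jdoe@example.com"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T14:06:00.000Z","actor":{"alternateId":"jdoe@example.com"},"target":[{"type":"AppInstance","displayName":"CyberArk"},{"type":"User","alternateId":"jdoe@example.com"}]}
"""

def parse_events(log_text):
    # Newline-delimited JSON; blank lines are skipped.
    return [json.loads(l) for l in log_text.splitlines() if l.strip()]

def self_assignments(events):
    """Yield (actor, app, time) for membership adds where the added user is the actor."""
    for e in events:
        if e.get("eventType") != "application.user_membership.add":
            continue
        targets = {t["type"]: t for t in e.get("target", [])}
        user, app = targets.get("User"), targets.get("AppInstance")
        if user and app and user.get("alternateId") == e["actor"]["alternateId"]:
            ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield e["actor"]["alternateId"], app["displayName"], ts

def find_self_assignment_bursts(events, window_minutes=10, min_apps=3):
    """One finding per burst: an actor self-assigned to >= min_apps apps within the window."""
    by_actor = {}
    for actor, app, ts in self_assignments(events):
        by_actor.setdefault(actor, []).append((ts, app))
    findings, window = [], timedelta(minutes=window_minutes)
    for actor, items in by_actor.items():
        items.sort()  # chronological; sliding window over this actor's self-assignments
        i = 0
        while i < len(items):
            j, apps = i, set()
            while j < len(items) and items[j][0] - items[i][0] <= window:
                apps.add(items[j][1])
                j += 1
            if len(apps) >= min_apps:
                findings.append({"actor": actor, "apps": sorted(apps),
                                 "start": items[i][0], "end": items[j - 1][0]})
                i = j  # skip past this burst so it is reported once
            else:
                i += 1
    return findings
```

On the sample data the detector reports a single burst for jdoe@example.com across four applications in five minutes, while the administrator assigning a different user is ignored; tuning `min_apps` and `window_minutes` to the tenant's normal onboarding activity keeps the alert volume low.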

Attack chains are characterized by the use of legitimate cloud sync utilities such as Airbyte and Fivetran to export data to attacker-controlled cloud storage buckets, as well as steps to perform in-depth reconnaissance, establish persistence by creating new virtual machines, and weaken defenses.

Additionally, Scattered Spider has been observed abusing endpoint detection and response (EDR) solutions to execute commands such as whoami and quser in order to test its access to the environment.

“UNC3944 continued to access Azure, CyberArk, Salesforce, and Workday and performed deeper reconnaissance within each of these applications,” the threat intelligence firm said. “Specifically for CyberArk, Mandiant observed downloading and use of the psPAS PowerShell module specifically to programmatically interact with an organization's CyberArk instance.”

Targeting the CyberArk Privileged Access Security (PAS) solution is also a pattern seen in RansomHub ransomware attacks, raising the possibility that at least one Scattered Spider member has become an affiliate of the nascent ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.

The evolving tactics of bad actors further coincide with their active targeting of the financial and insurance industries using convincing lookalike domains and login pages for credential theft.

The FBI told Reuters last month that it was laying the groundwork to charge hackers in the group, which is linked to attacks on more than 100 organizations since it emerged in May 2022.
