Law enforcement authorities have reportedly apprehended a key member of the notorious cybercrime group known as Scattered Spider.
The suspect, a 22-year-old individual from the UK, was detained earlier this week in Palma de Mallorca, Spain, while attempting to board a flight to Italy. The arrest is said to have been a joint operation between the FBI and the Spanish Police.
Murcia Today first reported the arrest on June 14, 2024, with vx-underground subsequently disclosing that the detained individual is “linked to various other high profile extortion schemes conducted by Scattered Spider.”
The malware research group also noted that the person was a SIM swapper operating under the alias “Tyler.” SIM-swapping attacks involve persuading a telecom provider to port a target’s phone number to a SIM card under the attacker’s control, allowing the attacker to intercept the target’s messages, including one-time passwords (OTPs), and take over their online accounts.
According to cybersecurity reporter Brian Krebs, Tyler is believed to be a 22-year-old individual named Tyler Buchanan from Scotland, known as “tylerb” on Telegram channels associated with SIM swapping.
Tyler is the second member of the Scattered Spider group to be apprehended, after Noah Michael Urban, who was indicted by the US Department of Justice in February on wire fraud and aggravated identity theft charges.
Scattered Spider, which overlaps with activity clusters tracked under the aliases 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group notorious for sophisticated social engineering attacks used to gain initial access to organizations. Members of the group are believed to be part of a larger cybercriminal community known as The Com.
Initially focused on credential harvesting and SIM swapping, the group has since shifted its tactics to ransomware and data extortion, and more recently to encryption-less extortion attacks designed to steal data from software-as-a-service (SaaS) platforms.
“Evidence also indicates UNC3944 has at times resorted to intimidation methods to acquire victim credentials,” said Google-owned Mandiant. “These methods include threats of exposing personal data, physical harm to victims and their families, and circulating compromising material.”
Mandiant told The Hacker News that activity linked to UNC3944 shows some overlap with another group tracked by Palo Alto Networks Unit 42 as Muddled Libra, which likewise targets SaaS platforms to extract sensitive information, but stressed that the two are not identical.
The names 0ktapus and Muddled Libra derive from the group’s use of a phishing tool designed to harvest Okta login credentials, a tool that has since been adopted by numerous other hacking groups.
“UNC3944 has also utilized techniques of Okta permission misuse by self-assigning a compromised account to all applications in an Okta instance to broaden the intrusion reach beyond on-premises infrastructure to Cloud and SaaS apps,” Mandiant highlighted.
“Through this privilege boost, the threat actor could not only misuse apps that rely on Okta for single sign-on (SSO), but also conduct internal reconnaissance by visually observing available application tiles post these role assignments on the Okta web interface.”
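The Okta permission misuse described above leaves a trace in the Okta System Log: the actor of an application-assignment event is the same user being assigned. The following detection logic is an added example, not code from the article or from Mandiant; the log lines are constructed, and the exact field layout (`eventType`, `actor`, `target[]`) is assumed to follow Okta’s System Log shape.

```python
import json
from collections import defaultdict

# Constructed Okta System Log events (JSON lines), not real data. The field layout
# (eventType, actor, target[]) follows Okta's System Log shape as an assumption.
SAMPLE_LOG = """
{"eventType":"application.user_membership.add","published":"2024-06-10T09:01:00Z","actor":{"id":"00u1","type":"User","alternateId":"alice@example.test"},"target":[{"id":"00u1","type":"User","alternateId":"alice@example.test"},{"id":"0oa1","type":"AppInstance","displayName":"Salesforce"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T09:01:05Z","actor":{"id":"00u1","type":"User","alternateId":"alice@example.test"},"target":[{"id":"00u1","type":"User","alternateId":"alice@example.test"},{"id":"0oa2","type":"AppInstance","displayName":"Workday"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T09:01:09Z","actor":{"id":"00u1","type":"User","alternateId":"alice@example.test"},"target":[{"id":"00u1","type":"User","alternateId":"alice@example.test"},{"id":"0oa3","type":"AppInstance","displayName":"Azure"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T10:30:00Z","actor":{"id":"00u9","type":"User","alternateId":"admin@example.test"},"target":[{"id":"00u2","type":"User","alternateId":"carol@example.test"},{"id":"0oa4","type":"AppInstance","displayName":"Slack"}]}
{"eventType":"application.user_membership.add","published":"2024-06-10T11:00:00Z","actor":{"id":"00u2","type":"User","alternateId":"carol@example.test"},"target":[{"id":"00u2","type":"User","alternateId":"carol@example.test"},{"id":"0oa5","type":"AppInstance","displayName":"GitHub"}]}
{"eventType":"user.session.start","published":"2024-06-10T11:05:00Z","actor":{"id":"00u2","type":"User","alternateId":"carol@example.test"},"target":[]}
"""


def parse_events(raw):
    """Parse JSON-lines input into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def self_assignments(events):
    """Map actor login -> sorted app names the actor assigned to their own account."""
    apps = defaultdict(set)
    for ev in events:
        if ev.get("eventType") != "application.user_membership.add":
            continue
        actor = ev.get("actor", {})
        targets = ev.get("target", [])
        user_ids = {t.get("id") for t in targets if t.get("type") == "User"}
        app_names = {t.get("displayName") for t in targets if t.get("type") == "AppInstance"}
        # Self-assignment: the acting identity is also the user being added to the app.
        if actor.get("id") in user_ids:
            apps[actor.get("alternateId")].update(n for n in app_names if n)
    return {who: sorted(names) for who, names in apps.items()}


def flag_bulk_self_assignment(events, min_apps=2):
    """Return only actors who self-assigned at least `min_apps` distinct applications."""
    return {who: names for who, names in self_assignments(events).items() if len(names) >= min_apps}


if __name__ == "__main__":
    for who, names in flag_bulk_self_assignment(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {who} self-assigned {len(names)} apps: {', '.join(names)}")
```

A single self-assignment (carol adding herself to one app) stays below the threshold, while the burst of self-assignments across several SaaS tiles is what triggers the alert.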
The attack chains involve using legitimate cloud synchronization tools such as Airbyte and Fivetran to export data to attacker-controlled cloud storage, alongside extensive reconnaissance, persistence via the creation of new virtual machines, and the disabling of security controls.
Scattered Spider has also been observed abusing endpoint detection and response (EDR) solutions to execute commands such as whoami and quser to verify its access to the environment.
Mandiant said UNC3944 went on to access Azure, CyberArk, Salesforce, and Workday, performing further reconnaissance within each of these platforms. The threat intelligence firm noted, “Regarding CyberArk, Mandiant has detected the retrieval and deployment of the PowerShell module psPAS specifically for automated interaction with an organization’s CyberArk instance.”
A tendency to target the CyberArk Privileged Access Security (PAS) solution has also been a recurring pattern in RansomHub ransomware attacks, suggesting that a Scattered Spider member may have become an affiliate of the emerging ransomware-as-a-service (RaaS) operation, according to GuidePoint Security.
The evolution in the threat actor’s tactics also coincides with deliberate targeting of the financial and insurance sectors using sophisticated lookalike domains and login pages to steal credentials, as identified by Resilience threat researchers.
Reuters reported last month that the FBI is preparing charges against hackers associated with the group, which has victimized more than 100 organizations since its emergence in May 2022, according to officials.