The FBI and CISA have issued a warning about the hacking group Scattered Spider:
“Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have:
- Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network.
- Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access.
- Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
- Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue).
- Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
- Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft.”
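
One way to detect the MFA fatigue pattern listed above from the defender's side, as an added example that is not part of the FBI/CISA advisory. The log format, the event names (`push_denied`, `push_timeout`, `push_approved`), the 5-minute window and the threshold of 3 are assumptions chosen for illustration; map them to whatever your identity provider actually records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not any real product's log schema):
# timestamp, user, outcome of one MFA push prompt.
SAMPLE_LOG = """\
2023-11-16T09:00:05 alice push_denied
2023-11-16T09:00:40 alice push_timeout
2023-11-16T09:01:10 alice push_denied
2023-11-16T09:01:55 alice push_timeout
2023-11-16T09:02:30 alice push_approved
2023-11-16T09:03:00 bob push_approved
2023-11-16T10:15:00 carol push_denied
2023-11-16T10:15:20 carol push_denied
2023-11-16T10:15:45 carol push_timeout
2023-11-16T13:00:00 carol push_approved
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 3                   # assumed: failed prompts that make a burst

def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, time). kind is 'burst' when a user
    reaches `threshold` failed prompts inside `window`, and
    'approved_after_burst' when an approval lands while a burst is active."""
    failed = defaultdict(deque)   # user -> timestamps of recent failed prompts
    alerts = []
    for ts, user, result in sorted(parse(log)):
        recent = failed[user]
        while recent and ts - recent[0] > window:
            recent.popleft()      # drop prompts that fell out of the window
        if result in ("push_denied", "push_timeout"):
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((user, "burst", ts))
        elif result == "push_approved":
            if len(recent) >= threshold:
                alerts.append((user, "approved_after_burst", ts))
            recent.clear()        # a completed login resets the count
    return alerts
```

An `approved_after_burst` alert is the case to triage first, since it means a prompt was accepted right after a run of rejected or ignored ones; a `burst` on its own indicates the account's password is likely already known to someone else.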