Commit 09_25_2023: Schrödinger's Scattered Spider

Bankim Desai / Unsplash

Hello, and welcome to Commit 09_25_2023! README senior editor Nathaniel Mott here from rainy upstate New York with coverage of the group that hacked MGM Resorts, a new exploit chain used to deliver iOS spyware and more.

WaPo and Reuters: Collecting information about Scattered Spider

The Washington Post and Reuters both published reports on Sept. 22 about Scattered Spider, a threat actor believed to have collaborated with the ALPHV ransomware gang on attacks against MGM Resorts, Caesars Entertainment and at least three other organizations. The reports agreed that Scattered Spider is likely composed of financially motivated English-speaking youths with a knack for bypassing multi-factor authentication via a variety of tactics.

Like I said in the Sept. 14 installment of Changelog, it's clear that existing MFA implementations are ineffective against many threat actors. Lapsus$ showed that bored teens could bypass the security of some of the world's largest tech companies. The difference with Scattered Spider seems to be that it's actually looking to make some money, whereas Lapsus$ primarily seemed to be interested in sowing chaos. Are we supposed to think these groups of young hackers are succeeding where nation-state hackers would fail? And how long will it take for security companies to see techniques like this as commonplace rather than signs of a noteworthy threat actor?

But hey, at least now I have a better understanding of this gro-

CyberScoop: Yeah, that ain’t Scattered Spider, dude

CyberScoop also reported on the group behind the MGM Resorts and Caesars Entertainment hacks on Sept. 22. The difference: It didn’t attribute the attacks to Scattered Spider. Instead, the outlet reported that at least some security researchers believe the Scattered Spider moniker mistakenly “lumps the activities of multiple disparate and sometimes rival groups from within the Com ecosystem into one entity.”

And what, pray tell, is “the Com ecosystem”? CyberScoop described it as “a small online community of primarily young people dedicated to carrying out brash incursions” that can serve “as a radicalizing environment” for young people “pulling off high-profile hacks using advanced skills and loudly bragging about their exploits in language filled with racism and misogyny.” This is exactly why so many researchers are careful with their attribution of particular attacks—they never know when one spider might be many, or turn out to be a scorpion, or end up being some other thing that kinda looks like a spider but isn’t.

TAG and CL: Predator circles its prey

Google's Threat Analysis Group and Citizen Lab published on Sept. 22 two reports on a new zero-day exploit chain used to deliver the Predator spyware to former Egyptian MP Ahmed Eltantawy's iPhone as part of a campaign that appears to have started in May. Apple released patches for the vulnerabilities involved in this exploit chain—CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993—on Sept. 21.

The chain started with a remote code execution vulnerability in the Safari browser that could be exploited when someone visited a website using HTTP rather than HTTPS. From there, the other vulns were used to bypass the pointer authentication security measure used in the Arm chips found in Apple's products and achieve local privilege escalation, which allowed the attacker to deploy the Predator spyware to the device.

"This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users," Google security researcher Maddie Stone said in a blog post. "TAG will continue to take action against, and publish research about, the commercial spyware industry, as well as work across the public and private sectors to push this work forward."

BC and TC: Additional victims of the MOVEit Transfer hacking spree come forward

It's been a while since I've checked in on the fallout from the MOVEit Transfer vulnerabilities revealed in June. (The ones that prompted countless researchers to go hunting for additional flaws in the product while the Cl0p ransomware gang started to extort the organizations it hacked.) That changed with new reports from BleepingComputer and TechCrunch.

BleepingComputer reported on Sept. 23 that National Student Clearinghouse said the "names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records" of students at 890 schools across the U.S. were compromised via an attack on its MOVEit Transfer server. TechCrunch, meanwhile, today reported that "hackers copied more than a decade’s worth of data including fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023" after gaining access to a MOVEit Transfer server operated by BORN Ontario.

CoinDesk: Surprise! Another crypto project lost $200M

Stop me if you've heard this one before: hundreds of millions of dollars have been stolen from a cryptocurrency project. (Alright, fine, don't actually stop me. Let's do this.) CoinDesk today reported that Mixin Network, "a service similar to a layer-2 protocol, designed to make cross-chain transfers cheaper and more efficient," confirmed someone made off with approximately $200 million worth of cryptocurrency.

I wonder who could've possibly carried out such a hack! Or at least I would if Elliptic hadn't reported just last week that the North Korea-linked Lazarus Group has made off with something like $300 million worth of crypto in about 100 days. If the group is responsible for this attack—and I think many people would be surprised if it wasn't—popping Mixin would've nearly doubled its haul over the course of a single weekend.