Cybersecurity Alert - FINRA Notifies Members of Joint CISA & FBI Cybersecurity Advisory (AA23-320A)

Impact: All Firms 

Firms should review this information with any vendors who provide information technology services to the firm.

Due to increased reports related to cyber incidents occurring at FINRA member firms which have been attributed to specific threat actors, the Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision Program is highlighting a recent joint Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) Cybersecurity Advisory published on November 16, 2023, which may be updated as new intelligence is uncovered. 

Scattered Spider, the subject of the CISA/FBI Cybersecurity Advisory, is a threat actor who has also been linked to BlackCat/ALPHV ransomware. Other aliases for the group known as Scattered Spider include Octo Tempest and UNC3944. The tempest designation by Microsoft indicates this is a financially motivated threat actor.1

FINRA member firms may consider enhancing end-user awareness in response to this Alert, which may include communicating with employees about the threat, explaining the importance of employee vigilance, and ensuring employees understand the risks posed by non-compliance. This recommendation is due to the known use of social engineering by Scattered Spider as a tactic to obtain initial access to organizations, including member firms. As indicated in open-source reports, Scattered Spider may deploy Blackcat/ALPHV ransomware against victim organizations once the group has obtained initial access to those victim organizations through social engineering, which involves tricking unsuspecting individuals into doing something unintended (e.g., clicking a malicious link or disclosing a password to the threat actor). Financially motivated threat actors are known to deploy a wide variety of extortion tactics against victim organizations, including recent reports of filing SEC Complaints against victims for failing to disclose the incident.

Examples of social engineering tactics leveraged by Scattered Spider as noted in the subject Cybersecurity Advisory include: 

  • Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network.
  • Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access.
  • Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
  • Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue).
  • Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
  • Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft.

As part of an enhanced cybersecurity posture, member firms may consider the below effective practices.

  • Review the Cybersecurity Advisory and outlined indicators of compromise.
  • Patch Microsoft Exchange servers.
  • Increase employee awareness of the threats posed by social engineering.
  • Monitor for leaked employee credentials.

For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). As indicated in the Advisory, both the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

1Microsoft names cyber threat actors using a weather theme. The usage of tempest in the name indicates the belief that this threat actor is motivated by financial incentives.