
"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," the company said. From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network. To achieve privilege escalation, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection."
"Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains potentially linked to the group that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories."
"The recent activity undercuts the group's claims that they were ceasing operations alongside 14 other criminal groups, such as LAPSUS$. Scattered Spider is the moniker assigned to a loose-knit hacking collective that's part of a broader online entity called The Com. The group also shares a high degree of overlap with other cybercrime crews like ShinyHunters and LAPSUS$, so much so that the three clusters formed an overarching entity named 'scattered LAPSUS$ hunters.'"
ReliaQuest observed a shift in Scattered Spider's targeting toward financial services, supported by an increase in lookalike domains aimed at the sector and a targeted intrusion against an unnamed U.S. bank. The group obtained initial access by socially engineering an executive and resetting that account's password through Azure AD self-service password management. The attackers then accessed IT and security documents, moved laterally via Citrix and VPN, and compromised VMware ESXi infrastructure to dump credentials. For privilege escalation they reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. Indicators also show attempted data exfiltration from Snowflake, AWS, and other repositories. The activity contradicts the group's claims of ceasing operations and shows its overlap with LAPSUS$ and ShinyHunters.
Read at The Hacker News