Scattered Spider Tied to Fresh Attacks on Financial Services
Elements of a notorious cybercrime and ransomware group mashup appear to be carrying on despite retirement claims.

See Also: New Attacks, Skyrocketing Costs: The True Cost of a Security Breach

A member of the band of native English-speaking adolescent hackers lately calling itself Scattered Lapsus Hunters published Friday a semi-coherent screed proclaiming the collective would be going dark. Many cybersecurity experts responded with skepticism.

Evidence suggests that at least some members of the loose-knit hacking collective are continuing to hit targets.

Threat intelligence firm ReliaQuest said it's still seeing known indicators of compromise tied to Scattered Spider.

The firm said a U.S. banking organization, which it didn't name, fell victim to a technically sophisticated Scattered Spider attack that occurred after the retirement announcement. The attacker attempted to steal data from multiple repositories, including the victim's accounts with Amazon Web Services and the cloud-based data platform Snowflake.

"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management. From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network," ReliaQuest said. To escalate privileges, the attacker reset a Veeam service account password, assigned Azure Global Administrator permissions and relocated virtual machines to evade detection.

The financial services sector appears to remain at high risk of attack by the group. "Over the past two months, elements of Scattered Spider registered a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages designed to target the financial services sector, as well as providers of technology services, suggesting a continuing focus on those sectors," ReliaQuest said.
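The escalation chain ReliaQuest describes above (a self-service reset on an executive's account, a second reset on a Veeam service account, then a Global Administrator assignment) leaves a footprint in the directory audit log that can be correlated rather than reviewed event by event. The Python below is an added example, not ReliaQuest's or the victim's tooling: it runs over a handful of constructed events in a simplified flat schema (the field names are an assumption; real Microsoft Entra ID / Azure AD audit records nest actor, target and role under different property names) and flags any privileged-role grant that follows a password reset of either the granting account or the receiving account within a 24-hour window.

```python
"""Correlate password resets with later privileged-role grants.

Added illustrative example: the event records below are constructed, and
their flat field names are an assumption (real Entra ID / Azure AD audit
entries nest actor, target and role under different property names).
"""
from datetime import datetime, timedelta, timezone

PASSWORD_RESET_ACTIVITIES = {"Reset password (self-service)", "Reset user password"}
ROLE_GRANT_ACTIVITY = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample events in a simplified schema (assumption, not real logs).
SAMPLE_EVENTS = [
    {"time": "2025-09-20T08:02:11Z", "activity": "Reset password (self-service)",
     "actor": "exec@corp.example", "target": "exec@corp.example"},
    {"time": "2025-09-20T08:40:30Z", "activity": "Reset user password",
     "actor": "exec@corp.example", "target": "svc-veeam@corp.example"},
    {"time": "2025-09-20T09:05:02Z", "activity": "Add member to role",
     "actor": "exec@corp.example", "target": "svc-veeam@corp.example",
     "role": "Global Administrator"},
    # Benign-looking grant two days earlier with no reset behind it: no alert.
    {"time": "2025-09-18T10:00:00Z", "activity": "Add member to role",
     "actor": "itadmin@corp.example", "target": "newadmin@corp.example",
     "role": "Global Administrator"},
]


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used by the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_reset_then_admin(events, window_hours: int = 24):
    """Return one alert per privileged-role grant that was preceded, within
    window_hours, by a password reset of the account doing the granting or
    of the account receiving the role."""
    resets = [e for e in events if e["activity"] in PASSWORD_RESET_ACTIVITIES]
    alerts = []
    for grant in events:
        if grant["activity"] != ROLE_GRANT_ACTIVITY:
            continue
        if grant.get("role") not in PRIVILEGED_ROLES:
            continue
        t_grant = parse_time(grant["time"])
        window_start = t_grant - timedelta(hours=window_hours)
        # Both the account granting the role and the account receiving it matter:
        # a reset on either one shortly before the grant is the suspicious pattern.
        involved = {grant["actor"], grant["target"]}
        chain = [
            r for r in resets
            if r["target"] in involved
            and window_start <= parse_time(r["time"]) <= t_grant
        ]
        if chain:
            alerts.append({
                "grant_time": grant["time"],
                "granted_by": grant["actor"],
                "granted_to": grant["target"],
                "role": grant["role"],
                "preceding_resets": sorted(chain, key=lambda r: r["time"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_admin(SAMPLE_EVENTS):
        print(f"{alert['grant_time']} {alert['role']} granted to {alert['granted_to']} "
              f"by {alert['granted_by']} after {len(alert['preceding_resets'])} reset(s):")
        for r in alert["preceding_resets"]:
            print(f"  {r['time']} {r['activity']} on {r['target']} by {r['actor']}")
```

On the constructed sample the only hit is the 09:05 Global Administrator grant to the service account, with both earlier resets attached as context; the unrelated grant two days earlier is left alone. In production the same join runs between the directory audit log and the role-assignment log, and the window should be tuned to how quickly the help desk normally follows a reset with a legitimate role change.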
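ReliaQuest's observation above that the group pre-registers ticket-themed phishing domains and Salesforce credential-harvesting pages points to one cheap defensive check: triage newly registered domains for a protected organization or brand name combined with an SSO or help-desk keyword, typically joined by hyphens. The Python below is an added example and not ReliaQuest's tooling; the organization name "acme", the brand and keyword lists and the candidate domain feed are all constructed for illustration, and the registrable-domain helper assumes a one-label public suffix such as .com, which is a simplification.

```python
"""Triage newly registered domains for an organisation or brand name
combined with SSO / help-desk keywords.

Added illustrative example. The organisation name, brand list, keyword
list and candidate domains are constructed; registrable_domain() assumes a
single-label public suffix (.com, .net), which is a simplification.
"""
import re

ORG_NAMES = {"acme"}                                   # hypothetical protected org
SPOOFED_BRANDS = {"okta", "salesforce", "microsoft"}   # SSO / SaaS brands worth watching
LEGIT_DOMAINS = {"acme.com", "okta.com", "salesforce.com", "microsoft.com"}
SSO_KEYWORDS = {"sso", "okta", "helpdesk", "help", "support", "vpn", "ticket",
                "login", "portal", "dashboard", "it"}

# Constructed feed of new registrations (not real observations).
NEW_REGISTRATIONS = [
    "sso-acme.com", "acme-helpdesk.net", "dashboard-salesforce.com",
    "okta-acme.com", "ticket-acme-support.com", "acmehelpdesk.com",
    "acme.com", "salesforce.com", "weather-news.org",
]


def registrable_domain(fqdn: str) -> str:
    """Collapse a host name to label.tld (assumption: one-label public suffix)."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str):
    """Return a reason string if the domain looks like an SSO / help-desk lure,
    else None. Hyphen-separated tokens are checked first, then raw substrings
    so that unhyphenated forms such as acmehelpdesk.com are still caught."""
    reg = registrable_domain(domain)
    if reg in LEGIT_DOMAINS:
        return None                      # the real thing, or a subdomain of it
    label = reg.split(".")[0]
    toks = {t for t in re.split(r"[-_\d]+", label) if t}
    org_hits = toks & ORG_NAMES
    brand_hits = toks & SPOOFED_BRANDS
    kw_hits = toks & SSO_KEYWORDS
    if org_hits and kw_hits:
        return "org name + SSO/help-desk keyword"
    if brand_hits and (kw_hits - brand_hits):
        return "spoofed brand + SSO/help-desk keyword"
    if any(name in label and label != name for name in ORG_NAMES | SPOOFED_BRANDS):
        return "org/brand name embedded in label"
    return None


def triage(domains):
    """Map each flagged domain to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = classify(d)
        if reason:
            flagged[d] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in triage(NEW_REGISTRATIONS).items():
        print(f"{domain:28} {reason}")
```

The check deliberately whitelists the legitimate registrable domains first, so login.acme.com is not flagged while sso-acme.com is. Feeding it a certificate-transparency or newly-registered-domain stream and adding the organization's own product names to ORG_NAMES is the usual next step; the keyword list is the part that will need tuning against local false positives.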
Registering lookalike domain names is a repeat tactic used by many attackers, from Chinese nation-state groups to Scattered Spider. Such URLs are designed to trick victims into thinking a link they visit is legitimate.

In the case of Scattered Spider, "the group has frequently registered domains with keywords like 'okta,' 'helpdesk' and 'sso,' often formatted with hyphens, e.g., SSO-company.com, in reference to single sign-on," ReliaQuest said. "These domains were registered using infrastructure associated with phishing kits commonly used to host single sign-on login pages, a calling card of Scattered Spider's previous SSO-themed attacks spoofing brands like Okta."

The Aug. 1 registration of the domain name dashboard-salesforce.com, which was being used for targeted phishing attacks against Salesforce customers, also appeared to be the work of Scattered Spider, it said.

Members of Scattered Spider and ShinyHunters excel at social engineering, including voice phishing, aka vishing. This often involves tricking a help desk into believing the attacker is a legitimate employee, leading to passwords being reset and single sign-on tokens intercepted. In some cases, experts say, the attackers trick a victim into visiting lookalike support panels they've created, which are part of a phishing attack.

Since the middle of the year, members of Scattered Spider have breached British retailer Marks & Spencer, followed by retailers such as Adidas and Victoria's Secret. The group has been targeting American insurers such as Aflac and Allianz Life, global airlines including Air France-KLM and Qantas, and technology giants Cisco and Google.

More recently, the group stole customer data from both British carmaker Jaguar Land Rover and Paris-based Kering, which operates the fashion brands Gucci, Balenciaga and McQueen.

Many times, the attackers' aim has included gaining access to the organization's Salesforce instance, after which they exfiltrate large amounts of data.

Security experts have been tracking this cluster of threat activity, seen beginning in October 2024, as UNC6040.

"UNC6040 threat actors commonly call victims' call centers posing as IT support employees addressing enterprise-wide connectivity issues," the FBI said in a Friday advisory. "Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies' Salesforce instances to exfiltrate customer data."

UNC6040 attacks "regularly result in a victim receiving an extortion demand from someone claiming to be a member of the ShinyHunters group, seeking a cryptocurrency ransom payment in return for a promise to not leak the stolen data," the FBI said. These extortion demands can arrive days to months after the intrusion and data exfiltration, it said.

The group now calling itself Scattered Lapsus Hunters sprang from a loose-knit cybercrime collective known as The Com, which formed by 2022, experts said. Initially, Scattered Spider and ShinyHunters appeared to be related but separate efforts.

More recently, members of the overarching effort, given the tongue-in-cheek name Scattered Lapsus Hunters, suggested there's a high degree of crossover, to the extent that they were slapping one or the other group's name on an attack depending on the outcome: Scattered Spider referred to attacks by the group that involved data exfiltration and ransomware, while ShinyHunters attacks involved solely data exfiltration. In either case, the financially motivated attackers typically focused on extorting victims (see: Scattered Spider and ShinyHunters' Next Move: Leaking Data).

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday, and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.