The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
The Scattered Spider hacking group is on the move again, security agencies have warned, adding new ransomware and improved social engineering techniques to its repertoire.
In a joint international advisory, the FBI and other cybersecurity agencies said the group is now using DragonForce ransomware and other new variants, and is exploiting remote access tools such as AnyDesk to bypass security alerts.
The group has also started using a new social engineering technique, the advisory warned. While the group has been observed posing as IT help desk workers to target employees, it’s now impersonating employees to ask IT teams to reset passwords or transfer MFA tokens.
This technique is used by the group to perform account takeovers in single sign-on (SSO) environments, the FBI noted.
Similarly, the group is also conducting 'push bombing' - bombarding a user with MFA push notifications until one is finally accepted - and SIM swapping attacks, which let it intercept text messages containing one-time passcodes.
Scattered Spider has also been spotted targeting corporate Snowflake accounts for initial network access and data theft.
Nick Tausek, lead security automation architect at Swimlane, said the new techniques employed by the ransomware outfit should “raise a lot of red flags” and urged enterprises to remain vigilant.
"Access to an organization’s Snowflake allows the group to run thousands of queries immediately and simultaneously, often deploying DragonForce malware to encrypt target organizations’ servers," he explained.
"The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail."
Scattered Spider is infiltrating Teams and Slack
Notably, the FBI advisory warned Scattered Spider has also been infiltrating workplace collaboration platforms like Slack or Microsoft Teams to gather information which is then used in phishing attacks against employees.
Microsoft Exchange email accounts are also a top target for the group, agencies noted.
Reconnaissance on employees involves extensive research of a company website to gather information and “determine the individual’s role in a target organization”.
"These social engineering attempts are enriched by access to personal information derived from social media, open source information, commercial intelligence tools, and database leaks," the advisory added.
The hackers have even set up fake identities and taken part in company teleconferences and remediation and response calls to gather security information.
"Entering incident remediation and response calls undetected in order to identify how security teams are adapting to their attacks is a clever strategy to remain ahead," Tausek said.
"Listening in on these calls gives them access to information like how they’re being hunted, and what adjustments security teams will make to prevent future attacks."
Scattered Spider has been on a rampage
Scattered Spider is believed to have been responsible for a large wave of attacks in recent months, with victims including British retailers and insurance firms.
More recently, threat intelligence reports have suggested the group has turned its attention to the airline industry, which represents a lucrative source of potential victims.
Most targets have been in the UK and US, with Marks & Spencer (M&S), the Co-op, and Harrods all targeted by the ransomware gang.
The agencies advise organizations to keep a watchful eye for unauthorized account activity and 'risky logins' where sign-in attempts have been flagged as suspicious.
They should also maintain offline backups of sensitive data and store them separately from the source systems. Similarly, they should focus on enforcing phishing-resistant multifactor authentication (MFA) and implementing application controls to manage which software is allowed to execute.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.