The Scattered Spider hacking group is on the move again, security agencies have warned, adding new ransomware and improved social engineering techniques to its repertoire.
In a joint international advisory, the FBI and other cybersecurity agencies said the group is now using DragonForce ransomware and other new variants, and is exploiting remote access tools such as AnyDesk to bypass security alerts.
The group has also started using a new social engineering technique, the advisory warned. While the group has been observed posing as IT help desk workers to target employees, it’s now impersonating employees to ask IT teams to reset passwords or transfer MFA tokens.
This technique is used by the group to perform account takeovers in single sign-on (SSO) environments, the FBI noted.
Similarly, the group is also conducting ‘push bombing’ - repeatedly hitting the user with verification requests until one's finally accepted - and SIM swapping attacks, allowing them to intercept text messages containing one-time passwords.
Scattered Spider has also been spotted targeting corporate Snowflake accounts for initial network access and data theft.
Nick Tausek, lead security automation architect at Swimlane, said the new techniques employed by the ransomware outfit should “raise a lot of red flags” and urged enterprises to remain vigilant.
"Access to an organization’s Snowflake allows the group to run thousands of queries immediately and simultaneously, often deploying DragonForce malware to encrypt target organizations’ servers," he explained.
"The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail."
Scattered Spider is infiltrating Teams and Slack
Notably, the FBI advisory warned Scattered Spider has also been infiltrating workplace collaboration platforms like Slack or Microsoft Teams to gather information which is then used in phishing attacks against employees.
Microsoft Exchange email accounts are also a top target for the group, agencies noted.
Reconnaissance on employees involves extensive research of a company website to gather information and “determine the individual’s role in a target organization”.
"These social engineering attempts are enriched by access to personal information derived from social media, open source information, commercial intelligence tools, and database leaks," the advisory added.
The hackers have even set up fake identities and taken part in company teleconferences and remediation and response calls to gather security information.
"Entering incident remediation and response calls undetected in order to identify how security teams are adapting to their attacks is a clever strategy to remain ahead," Tausek said.
"Listening in on these calls gives them access to information like how they’re being hunted, and what adjustments security teams will make to prevent future attacks."
Scattered Spider has been on a rampage
Scattered Spider is believed to have been responsible for a large wave of attacks in recent months, with victims including British retailers and insurance firms.
More recently, threat intelligence reports have suggested the group has turned its attention to the airline industry, which represents a lucrative source of potential victims.
Most targets have been in the UK and US, with Marks & Spencer (M&S), the Co-op, and Harrods all targeted by the ransomware gang.
The agencies advise organizations to keep a watchful eye for unauthorized account activity and 'risky logins' where sign-in attempts have been flagged as suspicious.
They should also maintain offline backups of sensitive data and store it separately from source systems. Similarly, they should focus on enforcing phishing-resistant multifactor authentication (MFA) and implementing application controls to manage software execution.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Interlock ransomware gang is ramping up activity, CISA warns
- Can the UK ban ransomware payments?
- Nearly half of MSPs admit to having a ransomware kitty
-
Acer’s laptop made from oyster shells is now available in the UKNews The Acer Aspire Vero 16 aims to combine performance and sustainability, the company said
-
UK cybersecurity workers are overworked and burning out faster than global counterpartsNews Gaps in visibility, poor board communication, and a lack of cyber maturity are leading to high levels of burnout
-
UK cybersecurity workers are overworked, overwhelmed, and burning out faster than global counterparts — here's why
News Gaps in visibility, poor board communication, and a lack of cyber maturity are leading to high levels of burnout
-
Global cybersecurity spending is going to hit $213 billion in 2025 — here's what’s driving investmentNews Spending across major fronts comes in the wake of rising cloud security threats and growing skills gaps
-
A flaw in Google’s new Gemini CLI tool could’ve allowed hackers to exfiltrate dataNews The company has moved to fix a vulnerability that allowed the execution of malicious code
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
Everything we know about the Allianz Life data breach so farNews The company has confirmed in a filing that data was accessed earlier this month
-
ExpressVPN updates Windows app to fix vulnerabilityNews The flaw was reported through ExpressVPN's bug bounty program
-
NCSC says ‘limited number’ of UK firms affected by SharePoint attack as global impact spreadsNews The SharePoint flaw has already had a wide impact according to reports from government security agencies
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victimsNews Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
