First is Scattered Spider, a loosely connected hacking collective that has re-emerged after announcing its retirement and recently launched a damaging campaign against the financial sector. The collective is part of a larger online network known as The Com. Most recently it attempted to exfiltrate sensitive data from major platforms such as Snowflake and Amazon Web Services (AWS). Even after the retirement announcement, Scattered Spider's activity points to a strategic withdrawal at most, not dissolution.
Over the last few months, Scattered Spider has made several provocative claims, including that it stole more than 1.5 billion records from the Salesforce instances of some 760 companies. The access vector was not a software exploit but stolen Salesloft Drift OAuth tokens, which let the attackers query victims' Salesforce data as a trusted integration. The figure is the group's own claim, but it illustrates how far the collective can reach into corporate environments to take sensitive information. Once inside, the group has reset Veeam service account passwords and granted Azure Global Administrator rights to escalate privilege and persist while blending in with legitimate administration.
The timing of these operations is what is truly alarming. They followed immediately after another financially motivated group, tracked as UNC6040 by Google's Mandiant unit, breached similar targets. The overlap suggests Scattered Spider is exploiting footholds and weaknesses left behind by those earlier intrusions.
Manipulating Access and Credentials
One of the group's main tactics is to spoof Okta Single Sign-On (SSO) login pages, targeting high-value sectors such as investment banking and luxury retail to harvest credentials. The replicas are convincing reproductions of the genuine portals, hosted on lookalike domains, and the credentials they capture give the group a path into systems that matter across every industry it targets.
The group has also used AI voice-agent platforms such as Vapi and Bland AI to run phone-based social engineering aimed at gaining access to the SSO platforms common in the retail, airline and telecom industries. Scattered Spider shows real technical sophistication and deliberately concentrates on industries that hold enormous amounts of financial information.
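The spoofed login pages described above live on domains chosen to resemble the victim's real SSO hosts, and the closing paragraph notes the group keeps registering more of them. The following is an added example, not code from the article or from any vendor, of a triage scorer for newly observed domains (for instance from certificate-transparency or newly-registered-domain feeds). The brand name, the legitimate hosts and the candidate domains are constructed, and the weights are this example's own heuristics.

```python
"""Score newly observed domains for resemblance to an organisation's SSO hosts.

Added example. BRAND, LEGIT_HOSTS and SAMPLE_DOMAINS are constructed; the
weights are heuristics for illustration, not any vendor's detection logic."""
import unicodedata
from difflib import SequenceMatcher

BRAND = "contoso"                                          # hypothetical organisation
LEGIT_HOSTS = {"contoso.okta.com", "sso.contoso.example"}  # assumed real SSO hosts
SSO_TOKENS = ("okta", "sso", "login", "signin", "auth", "mfa", "verify", "helpdesk")
# Digits commonly substituted for letters in lookalike registrations.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Lower-case, strip accents (IDN homoglyphs) and undo common substitutions."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    return d.replace("rn", "m").replace("vv", "w").translate(CONFUSABLE_CHARS)


def score_domain(candidate):
    """Return (score 0-100, reasons). 0 means the raw host is on the allow list.

    The allow-list check uses the raw host, not the normalised one, so that an
    accented homoglyph of a legitimate host is still scored rather than trusted."""
    raw = candidate.strip().lower()
    if raw in LEGIT_HOSTS:
        return 0, ["allow-listed host"]
    norm = normalize(candidate)
    labels = norm.replace("-", ".").split(".")
    squashed = norm.replace(".", "").replace("-", "")
    score, reasons = 0, []
    if BRAND in squashed:
        score += 40
        reasons.append("contains brand")
    else:
        # Near miss on the brand in any label, e.g. "contosso"
        best = max(SequenceMatcher(None, BRAND, lab).ratio() for lab in labels)
        if best >= 0.8:
            score += 30
            reasons.append(f"label resembles brand ({best:.2f})")
    hits = [t for t in SSO_TOKENS if t in norm]
    if hits:
        score += 20 * min(len(hits), 2)
        reasons.append("sso wording: " + ", ".join(hits))
    if "okta" in norm and not norm.endswith(".okta.com"):
        score += 20
        reasons.append("'okta' outside okta.com")
    if norm != raw:
        score += 10
        reasons.append("confusable characters")
    return min(score, 100), reasons


def triage(domains, threshold=50):
    """Domains scoring at or above threshold, highest score first."""
    scored = [(d, *score_domain(d)) for d in domains]
    kept = [row for row in scored if row[1] >= threshold]
    return sorted(kept, key=lambda row: (-row[1], row[0]))


SAMPLE_DOMAINS = [  # constructed observations
    "contoso.okta.com", "contoso-okta.com", "sso-contoso.com",
    "c0ntoso-sso-login.com", "contosso-helpdesk.net", "weather.example",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS):
        print(f"{score:3d}  {domain:26s} {'; '.join(reasons)}")
```

Treat the output as a review queue, not a verdict: short tokens such as "auth" will match unrelated words, and any regional Okta suffixes or vanity SSO hosts your tenant actually uses belong in the allow list before you run this over a feed.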
“Unlike static robot voice calls, the AI model dynamically generates voices and adjusts tone and responses to sustain credibility and manipulate the target,” – EclecticIQ
Cutting-edge AI tooling gives Scattered Spider's phishing campaigns a significant edge. The group uses dialogue-management systems to run vishing (voice phishing) campaigns at scale, with calls that adapt to the victim's replies, which keeps targets from noticing that they are talking to a scammer.
Collaboration with ShinyHunters
Beyond its own operations, Scattered Spider has worked with another collective, ShinyHunters. The partnership pairs ShinyHunters' infrastructure with its social-engineering expertise, enabling advanced vishing attacks.
ShinyHunters does not simply target corporate networks opportunistically. It socially engineers the owners of executive accounts into triggering password resets through Azure Active Directory (now Entra ID) Self-Service Password Reset, and then takes over those accounts. This sniper-style approach illustrates how much planning goes into its operations.
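The self-service resets described here, and the Global Administrator grants and service-account password resets mentioned earlier, all leave entries in the Entra ID (Azure AD) audit log. The following is an added example, not code from the article or from Microsoft, of rules that flag those three events. The records are constructed samples shaped like Microsoft Graph `directoryAudit` objects; the field names, watch lists and account names are assumptions rather than an export from a real tenant.

```python
"""Flag privileged-role grants, executive self-service password resets and
service-account password resets in Entra ID audit records.

Added example. SAMPLE_AUDIT_RECORDS are constructed and the watch lists are
hypothetical; the field names follow the Graph directoryAudit shape as an
assumption and should be checked against your own export."""
import json

EXECUTIVE_ACCOUNTS = {"ceo@contoso.example", "cfo@contoso.example"}
WATCHED_SERVICE_ACCOUNTS = {"svc-veeam@contoso.example", "svc-backup@contoso.example"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

SAMPLE_AUDIT_RECORDS = [
    {   # a help-desk account puts a service account into Global Administrator
        "activityDateTime": "2025-10-02T03:14:07Z",
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@contoso.example",
                             "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                     "oldValue": None,
                                                     "newValue": "\"Global Administrator\""}]}],
    },
    {   # routine attribute change: must not fire
        "activityDateTime": "2025-10-02T03:20:41Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "hr-sync@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example",
                             "modifiedProperties": []}],
    },
    {   # self-service password reset on the CFO account
        "activityDateTime": "2025-10-02T03:31:55Z",
        "activityDisplayName": "Reset password (self-service)",
        "initiatedBy": {"user": {"userPrincipalName": "cfo@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "cfo@contoso.example",
                             "modifiedProperties": []}],
    },
    {   # an admin resets the backup service account's password
        "activityDateTime": "2025-10-02T03:40:12Z",
        "activityDisplayName": "Reset user password",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
        "targetResources": [{"type": "User", "userPrincipalName": "svc-veeam@contoso.example",
                             "modifiedProperties": []}],
    },
]


def _actor(record):
    """Who performed the action: a user UPN, else an app display name."""
    initiated = record.get("initiatedBy") or {}
    user, app = initiated.get("user") or {}, initiated.get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName") or "unknown").lower()


def _target_user(record):
    """UPN of the first User target resource, lower-cased; '' if none."""
    for target in record.get("targetResources") or []:
        if target.get("type") == "User":
            return (target.get("userPrincipalName") or "").lower()
    return ""


def _granted_role(record):
    """Role name from a Role.DisplayName entry; Graph JSON-encodes newValue."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue") or ""
                try:
                    return json.loads(raw)
                except json.JSONDecodeError:
                    return raw
    return None


def analyze_audit_records(records):
    """Return one finding dict per matching record, in input order."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        base = {"time": rec.get("activityDateTime"), "actor": _actor(rec),
                "target": _target_user(rec)}
        if activity == "Add member to role":
            role = _granted_role(rec)
            if role in PRIVILEGED_ROLES:
                findings.append({**base, "rule": "privileged_role_grant", "role": role})
        elif activity == "Reset password (self-service)" and base["target"] in EXECUTIVE_ACCOUNTS:
            findings.append({**base, "rule": "executive_sspr"})
        elif activity == "Reset user password" and base["target"] in WATCHED_SERVICE_ACCOUNTS:
            findings.append({**base, "rule": "service_account_password_reset"})
    return findings


def run_sample():
    """Run the rules over the constructed records."""
    return analyze_audit_records(SAMPLE_AUDIT_RECORDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The privileged-role rule should page unconditionally; the two reset rules are better treated as high-priority review items enriched with the actor's IP and the target's recent sign-ins, since a genuine executive reset and a help-desk ticket both produce the same audit entry.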
“ShinyHunters is expanding its operations by combining AI-enabled voice phishing, supply chain compromises, and leveraging malicious insiders,” – Arda Büyükkaya
The collective's strategy targets external weaknesses and also recruits malicious insiders in public- and private-sector organisations to obtain direct access to enterprise networks. These tactics have produced some of the largest and most damaging data breaches to date. The warnings may sound alarmist in tone, but the concerns behind them are well founded.
Extortion Efforts and Ongoing Threats
In at least one case, Scattered Spider exfiltrated sensitive data from victims' Salesforce instances and moved straight to extortion, demanding payment to keep the data from being published. Other cybercriminals have followed the same model, since extorting the victim pays better than merely stealing and reselling the data.
Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, was openly skeptical of Scattered Spider's past retirement announcements. He suggested the announcement functions mainly as a signal meant to insulate the collective from growing law-enforcement pressure rather than as a genuine end to its operations.
“The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism,” – Karl Sigler
As the threat landscape keeps shifting, organizations need to stay ahead of the tactics used by groups such as Scattered Spider. The group is expanding its campaign by registering more lookalike domains and keeps hunting for new ways to exploit weaknesses in the industries it targets.