Scattered Spider Targets Financial Sector After Alleged Retirement

After Scattered Spider claimed to retire alongside a collective of ransomware gangs, research from ReliaQuest suggests the group has already returned to target the financial sector.
Scattered Spider has been active this year, targeting retail, insurance, transportation, and airlines. Cyber experts questioned the group’s claim to be departing, so it is unsurprising to many that the group has returned and focused on a new target.
Jason Soroko, Senior Fellow at Sectigo, explains, “Organizations should assume Scattered Spider remains active and focused on identity takeover within financial services. The group favors social engineering to trigger self-service password reset in Azure AD, especially against executives and helpdesk processes, then uses the new foothold to raid cloud and on-premises control planes. After initial access, they pivot through Citrix and VPN and compromise ESXi to harvest credentials and broaden reach. They escalate privileges by resetting service accounts such as Veeam and by granting Azure Global Administrator rights, while relocating virtual machines to stay out of sight. Expect use of lookalike domains that imitate financial brands and internal portals to aid pretexting and credential capture. Data discovery and exfiltration attempts will target cloud stores including Snowflake and AWS, along with internal file shares and ticketing or wiki systems. The operation style is hands-on-keyboard and blends living-off-the-land techniques with fast role changes and admin tool abuse, which can blind native telemetry.”
The research identifies “circumstantial evidence” suggesting ShinyHunters, another ransomware group, is collaborating with Scattered Spider in these attacks: the attacks are attributed to ShinyHunters yet carry hallmarks of Scattered Spider’s techniques. These include:
- Impersonating IT support via targeted vishing campaigns, convincing employees to authorize access to malicious apps
- Malicious apps mimicking legitimate tools, enabling threat actors to access and steal sensitive data
- Phishing pages with Okta theming that deceive targets into inputting credentials during vishing calls
- Leveraging Mullvad VPN to obfuscate the origin of connections and to exfiltrate data
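Two of the identity moves described above, the self-service password reset followed by a Global Administrator grant in Soroko’s account of the chain, and the consent to a look-alike “IT support” app from the ReliaQuest list, are the kind of thing a detection engineer would want to catch in Entra ID audit logs. The following is an added example written for this page, not code from ReliaQuest, Sectigo, or Keeper Security. The event records are constructed, and the field names (`activity`, `initiated_by`, `target`, `role`, `publisher_verified`, `permissions`) are a deliberately simplified approximation of Entra ID audit-log fields rather than the exact schema, so a real deployment would map the tenant’s actual export onto these fields first.

```python
"""Detection logic for two Scattered Spider-style identity moves:
(1) a self-service password reset (SSPR) followed within a short window by a
    privileged directory role being granted to the same account, and
(2) a user consenting to an OAuth application from an unverified publisher
    that requests broad data-access permissions.

All events below are CONSTRUCTED for this example. Field names are a
simplified approximation of Entra ID audit-log fields, not the real schema.
"""
from datetime import datetime, timedelta

SSPR_ACTIVITY = "Reset user password"
ROLE_ADD_ACTIVITY = "Add member to role"
CONSENT_ACTIVITY = "Consent to application"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Permissions that let an app read mail or touch every file in the tenant.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                      "Sites.ReadWrite.All", "Directory.ReadWrite.All"}
ESCALATION_WINDOW = timedelta(hours=2)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-09-10T13:02:11Z", "activity": SSPR_ACTIVITY,
     "initiated_by": "Self-service password reset", "target": "cfo@example.com"},
    {"time": "2025-09-10T13:15:40Z", "activity": ROLE_ADD_ACTIVITY,
     "initiated_by": "cfo@example.com", "target": "cfo@example.com",
     "role": "Global Administrator"},
    {"time": "2025-09-10T09:00:00Z", "activity": SSPR_ACTIVITY,
     "initiated_by": "Self-service password reset", "target": "alice@example.com"},
    # Same pattern a day later: outside the window, so treated as routine.
    {"time": "2025-09-11T09:00:00Z", "activity": ROLE_ADD_ACTIVITY,
     "initiated_by": "itadmin@example.com", "target": "alice@example.com",
     "role": "Global Administrator"},
    {"time": "2025-09-10T14:05:00Z", "activity": CONSENT_ACTIVITY,
     "initiated_by": "bob@example.com", "target": "Helpdesk Remote Support",
     "publisher_verified": False,
     "permissions": ["Mail.Read", "Files.ReadWrite.All"]},
    {"time": "2025-09-10T15:00:00Z", "activity": CONSENT_ACTIVITY,
     "initiated_by": "carol@example.com", "target": "Microsoft Teams",
     "publisher_verified": True, "permissions": ["User.Read"]},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_sspr_to_admin(events, window=ESCALATION_WINDOW):
    """Flag privileged role grants that follow an SSPR on the same account
    within `window`. Returns one alert dict per suspicious grant."""
    resets = {}
    for e in events:
        if e["activity"] == SSPR_ACTIVITY:
            resets.setdefault(e["target"], []).append(_ts(e["time"]))
    alerts = []
    for e in events:
        if e["activity"] != ROLE_ADD_ACTIVITY or e.get("role") not in PRIVILEGED_ROLES:
            continue
        grant_time = _ts(e["time"])
        for reset_time in resets.get(e["target"], []):
            delta = grant_time - reset_time
            if timedelta(0) <= delta <= window:
                alerts.append({"target": e["target"], "role": e["role"],
                               "minutes_after_reset": int(delta.total_seconds() // 60),
                               "granted_by": e["initiated_by"]})
                break  # one alert per grant is enough
    return alerts


def detect_risky_consent(events, high_impact=HIGH_IMPACT_SCOPES):
    """Flag app consents where the publisher is unverified, or where the app
    asks for high-impact permissions, or both."""
    alerts = []
    for e in events:
        if e["activity"] != CONSENT_ACTIVITY:
            continue
        risky_scopes = sorted(set(e.get("permissions", [])) & high_impact)
        unverified = not e.get("publisher_verified", False)
        if unverified or risky_scopes:
            alerts.append({"user": e["initiated_by"], "app": e["target"],
                           "unverified_publisher": unverified,
                           "high_impact_scopes": risky_scopes})
    return alerts


if __name__ == "__main__":
    for alert in detect_sspr_to_admin(SAMPLE_EVENTS):
        print("SSPR->privileged role:", alert)
    for alert in detect_risky_consent(SAMPLE_EVENTS):
        print("Risky app consent:", alert)
```

The two-hour window and the scope list are tuning knobs, not findings from the research; a helpdesk-driven reset followed by a legitimate role change does happen, so the role-grant rule is a triage lead that should be joined with sign-in location, device, and ticket data before anyone is paged.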
Shane Barney, Chief Information Security Officer at Keeper Security, remarks, “Attackers don’t need to break into systems if they can trick people in order to hijack privileged accounts. Scattered Spider’s apparent pivot to the financial sector is a wake-up call that no industry is off-limits. Any organization managing sensitive data or payments should assume they are a target. For financial institutions in particular, administrator accounts and SaaS platforms are prime targets for theft and extortion, making strong security controls an urgent focus.”