TechRadar
Sead Fadilpašić

Scattered Spider hackers return to hit more victims - despite retirement claims

  • Scattered Spider gang has resumed attacks, targeting a US bank despite claiming to go dark
  • Hackers used vishing and Okta-themed phishing to bypass MFA and exfiltrate sensitive data
  • Group linked to major breaches, including Salesforce leak affecting over 700 companies

It seems retirement doesn’t suit Scattered Spider, as the infamous threat actor has been observed targeting banking organizations in the US, despite claims it was “going dark”.

Security researchers at ReliaQuest have published a new report claiming to have seen evidence of fresh activity by the hackers.

Among the evidence are multiple lookalike domains linked to the fintech vertical, as well as a victim - a US banking organization.

Social engineering

To breach the target organization, Scattered Spider apparently went for vishing (voice phishing). The group would call employees on the phone, impersonate IT staff and convince them to authorize access to malicious “connected apps”.

These apps, seemingly benign (spoofing Salesforce, or similar), allowed the miscreants to exfiltrate sensitive business data. To steal the login credentials, the attackers used Okta-themed phishing pages, successfully bypassing security controls such as multi-factor authentication.
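The lookalike domains ReliaQuest reports and the Okta-themed phishing pages described above are exactly what a defender's domain-monitoring feed should surface before users are called. The script below is an added example, not code from the article or from ReliaQuest: it takes a constructed watchlist of protected brand domains and classifies candidate domains (also constructed) as legitimate, wrong-TLD, homoglyph, typosquat, or brand-embedded. The homoglyph table, the edit-distance thresholds, and the single-label public-suffix assumption are illustrative choices, and internationalised (IDN) domains are out of scope.

```python
"""Flag lookalike / typosquatted domains against a watchlist of protected brands.

Checks run in this order: legitimate -> wrong-tld -> homoglyph -> typosquat
-> brand-embedded -> clean. All thresholds and tables are illustrative.
"""
from __future__ import annotations
import unicodedata

# Constructed watchlist; replace with the brands your users actually log in to.
PROTECTED_DOMAINS = ["okta.com", "salesforce.com", "examplebank.com"]

# Visually confusable substitutions common in typosquats (multi-char pairs first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("7", "t"), ("|", "l")]


def registrable(domain: str) -> tuple[str, str]:
    """Split 'login.okta-verify.com' into ('okta-verify', 'com').
    Assumes a single-label public suffix (no PSL lookup) for this example."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def fold_homoglyphs(label: str) -> str:
    """Map confusable characters to the letters they imitate and drop hyphens."""
    label = unicodedata.normalize("NFKC", label)
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected: list[str] = PROTECTED_DOMAINS) -> tuple[str, str | None]:
    """Return (verdict, matched_brand). Verdict is 'legitimate', 'wrong-tld',
    'homoglyph', 'typosquat', 'brand-embedded' or 'clean'."""
    full = domain.lower().strip(".")
    label, tld = registrable(full)

    # A brand's own domain or any of its subdomains is legitimate.
    for brand in protected:
        if full == brand or full.endswith("." + brand):
            return ("legitimate", brand)

    for brand in protected:
        b_label, b_tld = registrable(brand)
        # Short brands get a tighter edit-distance budget to limit false positives.
        max_dist = 1 if len(b_label) <= 6 else 2

        if label == b_label and tld != b_tld:
            return ("wrong-tld", brand)
        if fold_homoglyphs(label) == b_label and label != b_label:
            return ("homoglyph", brand)
        if levenshtein(fold_homoglyphs(label), b_label) <= max_dist:
            return ("typosquat", brand)
        # Brand name buried in any label, e.g. okta-login-verify.com or okta.com.evil.net
        if b_label in full:
            return ("brand-embedded", brand)

    return ("clean", None)


def scan(domains: list[str]) -> dict[str, tuple[str, str | None]]:
    """Classify every candidate; callers typically alert on anything not clean/legitimate."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    # Constructed candidates, e.g. from newly registered domain feeds or CT logs.
    sample = ["login.okta.com", "0kta.com", "okta-login-verify.com", "oktta.com",
              "okta.net", "okta.com.evil-login.net", "salesfore.com", "github.com"]
    for d, (verdict, brand) in scan(sample).items():
        print(f"{d:28} {verdict:15} {brand or ''}")
```

In practice the candidate list comes from a newly-registered-domain feed or certificate transparency logs, and the watchlist should include the identity provider and SaaS brands the help desk actually uses, since those are the ones a vishing caller will name.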

"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," it said in the report.

"From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network."

Scattered Spider is one of the three groups that are allegedly behind the breaches at Jaguar Land Rover (JLR), Marks & Spencer, The Co-op, Harrods, and many others.

Recently, the group announced it was “going dark” - and some researchers believe the hackers fear a response from law enforcement, while others think this could be an easy way to rebrand or pivot.

It could be both, though. Scattered Spider is also being linked to the large Salesforce / Salesdrift data leak, which seems to have affected more than 700 companies. If these claims turn out to be authentic, this would be one of the biggest breaches in recent history and, as such, would definitely draw the attention of the FBI, and possibly even the NSA.

Via The Hacker News
