FBI, CISA warn of more Scattered Spider attacks to come

Users display warnings about the use of artificial intelligence (AI), access to malicious software or threats to online hackers. computer cyber security Warning concept or tech scam.

(Image credit: Shutterstock)

Scattered Spider is evolving, CISA, FBI and others have warned
Hackers are employing additional malware, including DragonForce
Companies should use phishing-resistant MFA to defend

Scattered Spider is only getting warmed up with its cyberattacks, and businesses should be on their guard for possible attacks, law enforcement forces have said.

A warning given by the US Cybersecurity and Infrastructure Security Agency (CISA), and a handful of other security agencies in Canada, the UK, and Australia, says the group has evolved to use more advanced social engineering - mostly impersonating employees to trick IT help desks into resetting passwords and transferring MFA tokens to attacker-controlled devices.

The hackers have also added new malware such as RattyRAT for stealthy access and DragonForce ransomware to encrypt systems and demand payment - especially targeting VMware ESXi servers.

More to come

Also known as Okto Tempest (and a handful of other names), Scattered Spider is described as a highly aggressive and sophisticated cybercriminal group known for targeting major companies through social engineering, phishing, and identity-focused attacks.

The group is infamous for its use of SIM swapping, MFA fatigue attacks, and help desk impersonation to gain initial access, and it’s the latter that CISA is now further stressing.

Scattered Spider is generally engaged in double-extortion attacks, exfiltrating sensitive files to third-party servers before encrypting the target infrastructure. To store the stolen files, they’re using MEGA.nz and Amazon S3, and in some cases, they’ve run thousands of queries against Snowflake environments to steal large volumes of data quickly.

To stay hidden, they create fake identities backed by social media profiles, monitor internal communications like Slack and Microsoft Teams, and even join incident response calls to learn how defenders are reacting.

CISA says more Scattered Spider attacks are to be expected in the coming weeks and months, and urges organizations to use phishing-resistant MFA (like FIDO/WebAuthn), audit and restrict remote access tools, monitor risky logins and unusual account behavior, maintain offline, encrypted backups, segment networks, and patch known vulnerabilities.

Via Cybernews

Scattered Spider hackers are targeting US critical infrastructure via VMware attacks
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More to come

You might also like