Scattered Spider hackers return to hit more victims - despite retirement claims
The group said it would "go dark" - but it's still hitting targets

- Scattered Spider gang has resumed attacks, targeting a US bank despite claiming to go dark
- Hackers used vishing and Okta-themed phishing to bypass MFA and exfiltrate sensitive data
- Group linked to major breaches, including Salesforce leak affecting over 700 companies
It seems retirement doesn’t suit Scattered Spider, as the infamous threat actor has been observed targeting banking organizations in the US, despite claims it was “going dark”.
Security researchers at ReliaQuest have published a new report claiming to have seen evidence of fresh activity by the group.
Among the evidence are multiple lookalike domains aimed at the fintech vertical, as well as a victim: a US banking organization.
Social engineering
To breach the target organization, Scattered Spider apparently went for vishing (voice phishing). The group would call employees on the phone, impersonate IT staff and convince them to authorize malicious “connected apps” (third-party integrations that are granted OAuth access to a tenant's data).
These apps, seemingly benign (spoofing Salesforce, or similar), allowed the miscreants to exfiltrate sensitive business data through an access grant the victim had approved, so no malware or exploit was needed. To steal login credentials, the attackers used Okta-themed phishing pages that successfully bypassed security controls such as multi-factor authentication. A phishing page that defeats MFA has to capture or relay the second factor or the resulting session token in real time, which is why only phishing-resistant factors (FIDO2 security keys or passkeys bound to the real origin) reliably stop this class of attack.
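Lookalike domains are one of the few indicators defenders can hunt for ahead of the phone call. The script below is an added example, not code from the ReliaQuest report or from the article, that scores candidate domains (from newly registered domain feeds, certificate transparency logs, or proxy logs) against brand names an organization cares about. The watched brands, the allowlist of legitimate domains, the homoglyph folding table and the sample domains are all constructed for the illustration; a production version would use a public-suffix-list library rather than the simplified suffix handling here.

```python
import re
from difflib import SequenceMatcher

# Constructed watch list (assumption): brands the phishing pages and connected
# apps in the article impersonated. An org would add its own name here.
WATCHED_BRANDS = ("okta", "salesforce")

# Constructed allowlist (assumption): registrable domains that are genuinely
# owned by the brand and must never be flagged.
LEGIT_DOMAINS = {"okta.com", "salesforce.com"}

# Minimal two-part public suffixes (assumption): enough for the demo, not a
# substitute for the real public suffix list.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Hypothetical homoglyph / leetspeak folding table: maps characters an
# attacker swaps in to the letter a human reads them as.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "|": "l", "$": "s"})

# Similarity at or above this ratio counts as a near miss (tuning assumption).
NEAR_MISS_RATIO = 0.75


def fold(label: str) -> str:
    """Normalise a DNS label so visually similar spellings compare equal."""
    label = label.lower().translate(_FOLD)
    label = label.replace("rn", "m").replace("vv", "w")  # rn -> m, vv -> w
    return re.sub(r"[^a-z0-9]", "", label)               # drop hyphens etc.


def split_domain(domain: str):
    """Return (subdomain labels, registrable domain, registrable label)."""
    parts = domain.lower().strip(".").split(".")
    n = 3 if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 2
    if len(parts) < n:
        return [], domain.lower(), parts[0]
    return parts[:-n], ".".join(parts[-n:]), parts[-n]


def classify(domain: str):
    """Return (brand, reason) if the domain looks like a lookalike, else None."""
    subs, registrable, label = split_domain(domain)
    if registrable in LEGIT_DOMAINS:
        return None                      # real brand domain, any subdomain
    folded = fold(label)
    for brand in WATCHED_BRANDS:
        if folded == brand:
            # e.g. 0kta.com (homoglyph) or okta.net (brand on wrong TLD)
            return (brand, "homoglyph-or-wrong-tld")
        if brand in folded:
            # e.g. okta-sso-verify.com
            return (brand, "brand-in-label")
        if SequenceMatcher(None, folded, brand).ratio() >= NEAR_MISS_RATIO:
            # e.g. oktta.com: one inserted character
            return (brand, "near-miss")
        if any(brand in fold(s) for s in subs):
            # e.g. okta.example-login.com: brand hidden in a subdomain
            return (brand, "brand-in-subdomain")
    return None


def scan(domains):
    """Map each flagged domain to its (brand, reason); unflagged ones are omitted."""
    return {d: hit for d in domains if (hit := classify(d)) is not None}


if __name__ == "__main__":
    # Constructed sample feed (assumption): mix of benign and suspicious names.
    sample = ["login.okta.com", "0kta.com", "okta-sso-verify.com",
              "okta.example-login.com", "salesf0rce.net", "oktta.com",
              "example.com"]
    for dom, (brand, reason) in scan(sample).items():
        print(f"{dom:28} -> {brand} ({reason})")
```

Feed the output into the same place you already put phishing indicators (proxy block lists, mail gateway rules, Okta sign-in policies that pin the allowed identity-provider origin), and review hits daily: registrations that precede a vishing campaign by a few days are exactly the early warning this report describes.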
"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," it said in the report.
"From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network."
Scattered Spider is one of three groups allegedly behind the breaches at Jaguar Land Rover (JLR), Marks & Spencer, The Co-op, Harrods, and many others.
Recently, the group announced it was “going dark” - and some researchers believe the hackers fear a response from law enforcement, while others think this could be an easy way to rebrand or pivot.
It could be both, though. Scattered Spider is also being linked to the large Salesforce / Salesloft Drift data theft, which seems to have affected more than 700 companies. If these claims turn out to be authentic, this would be one of the biggest breaches in recent history and, as such, would certainly draw the attention of the FBI, and possibly even the NSA.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.