Cybersecurity researchers tie new financial sector attacks to Scattered Spider
Sharp rise in lookalike domains reported in sector
Security firm ReliaQuest said it has observed a sharp rise in lookalike domains aimed at the financial sector, as well as evidence of a targeted intrusion at a US banking organisation.
According to ReliaQuest, the attackers gained initial access by socially engineering an executive into resetting their password using Azure Active Directory’s self-service function. Once inside, they accessed sensitive IT and security documentation, moved laterally through Citrix and VPN environments, and compromised VMware ESXi servers to steal credentials and expand their reach.
The group is also suspected of attempting to exfiltrate data from Snowflake, AWS and other cloud repositories. Privilege escalation techniques included resetting a Veeam service account password, assigning Azure Global Administrator rights, and moving virtual machines to evade detection.
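The intrusion chain described above (a self-service password reset, then a Global Administrator assignment and a Veeam service-account reset by the same account) is the kind of sequence a detection engineer can correlate in directory audit logs. The following Python script is an added example written for this page; it is not ReliaQuest's tooling and not code from the article. The events are constructed sample data in a simplified Azure AD audit-log shape; the field names are modelled on Microsoft Graph directoryAudit objects, and the activity strings and the `svc-` naming convention for service accounts are assumptions that should be checked against a real tenant's logs.

```python
"""Correlate self-service password resets with later privilege escalation
by the same account, over constructed Azure AD-style audit events."""
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). Field names follow a
# simplified Microsoft Graph directoryAudit layout; the exact
# activityDisplayName strings are assumptions, confirm them in your tenant.
SAMPLE_EVENTS = [
    {   # benign administrative change the day before
        "activityDateTime": "2025-01-09T14:10:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": "it.admin@bank.example",
        "targets": [{"type": "User", "displayName": "staff.one@bank.example"}],
    },
    {   # executive account reset through the self-service function
        "activityDateTime": "2025-01-10T09:02:00Z",
        "activityDisplayName": "Reset password (self-service)",
        "initiatedBy": "exec.user@bank.example",
        "targets": [{"type": "User", "displayName": "exec.user@bank.example"}],
    },
    {   # same account grants Global Administrator shortly afterwards
        "activityDateTime": "2025-01-10T09:40:00Z",
        "activityDisplayName": "Add member to role",
        "initiatedBy": "exec.user@bank.example",
        "targets": [
            {"type": "Role", "displayName": "Global Administrator"},
            {"type": "User", "displayName": "svc-helpdesk@bank.example"},
        ],
    },
    {   # same account resets a backup service account's password
        "activityDateTime": "2025-01-10T10:05:00Z",
        "activityDisplayName": "Reset user password",
        "initiatedBy": "exec.user@bank.example",
        "targets": [{"type": "User", "displayName": "svc-veeam@bank.example"}],
    },
]

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
SERVICE_ACCOUNT_PREFIX = "svc-"   # assumed naming convention, adjust per tenant


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def target_names(event, kind):
    """Display names of an event's targets of the given type (User, Role)."""
    return [t["displayName"] for t in event["targets"] if t["type"] == kind]


def privileged_role_grants(events):
    """Events that add a member to a high-privilege directory role."""
    return [
        e for e in events
        if e["activityDisplayName"] == "Add member to role"
        and set(target_names(e, "Role")) & PRIVILEGED_ROLES
    ]


def service_account_resets(events):
    """Admin-initiated password resets whose target is a service account."""
    return [
        e for e in events
        if e["activityDisplayName"] == "Reset user password"
        and any(n.startswith(SERVICE_ACCOUNT_PREFIX) for n in target_names(e, "User"))
    ]


def sspr_followed_by_escalation(events, window_hours=24):
    """Self-service resets followed within `window_hours` by a privileged
    action performed by the same account. Returns one finding per chain."""
    window = timedelta(hours=window_hours)
    escalations = privileged_role_grants(events) + service_account_resets(events)
    findings = []
    for reset in events:
        if reset["activityDisplayName"] != "Reset password (self-service)":
            continue
        actor = reset["initiatedBy"]
        t0 = parse_ts(reset["activityDateTime"])
        followups = [
            e for e in escalations
            if e["initiatedBy"] == actor
            and t0 <= parse_ts(e["activityDateTime"]) <= t0 + window
        ]
        if followups:
            findings.append({
                "user": actor,
                "reset_at": reset["activityDateTime"],
                "followup_actions": [e["activityDisplayName"] for e in followups],
            })
    return findings


if __name__ == "__main__":
    for f in sspr_followed_by_escalation(SAMPLE_EVENTS):
        print(f"{f['user']} reset via SSPR at {f['reset_at']}, "
              f"then: {', '.join(f['followup_actions'])}")
```

Each of the three checks is also useful on its own: any Global Administrator grant outside a change window deserves review, as does any password reset against a backup or virtualisation service account, but pairing them with a preceding self-service reset by the same principal is what turns two routine-looking audit entries into the pattern the report describes.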
Ceasing operations
Scattered Spider announced earlier this year that it was ceasing operations alongside groups such as LAPSUS$, but ReliaQuest and other researchers suggest the retirement was little more than a smokescreen.
“The recent claim that Scattered Spider is retiring should be taken with a significant degree of scepticism,” said Karl Sigler, security research manager at SpiderLabs, Trustwave. “This looks more like a strategic retreat to avoid law enforcement attention and to make attribution harder.”
Scattered Spider is thought to be part of a broader cybercrime collective known as The Com, and shares close links with crews including ShinyHunters and LAPSUS$. Past activity has involved data theft and extortion campaigns against enterprise platforms such as Salesforce.
ReliaQuest warned organisations not to assume such groups will disappear for good. “As with ransomware gangs, there is no such thing as retirement, only regrouping and rebranding,” the company said.