Scattered Spider gang feigns retirement, breaks into bank
Briefly

"Spiders don't change their stripes. Despite gang members' recent retirement claims, Scattered Spider hasn't exited the cybercrime business and instead has shifted focus to the financial sector, with a recent digital intrusion at a US bank. In an update to an earlier threat intelligence report about ShinyHunters' string of Salesforce-related heists, along with that crime crew's collab with Scattered Spider, ReliaQuest researchers said that their recently uncovered evidence suggests that Scattered Spider didn't "go dark" after all."
"The criminals gained initial access in their usual manner - social engineering an executive's account and resetting the password via Microsoft Entra ID (formerly Azure Active Directory) self-service password reset. Then they used this access to snoop through sensitive IT and security documents and move laterally through the bank's Citrix environment and VPN. As they have done in other intrusions, Scattered Spider also compromised VMware ESXi infrastructure to dump employee credentials and further infiltrate the financial org's network."
Scattered Spider remains active and has redirected operations toward the financial sector, as evidenced by a targeted intrusion at a US banking organization. The group gained initial access by social engineering an executive and abusing Microsoft Entra ID self-service password reset to take over that executive's account. The attackers read sensitive IT and security documents, moved laterally through the bank's Citrix and VPN environments, and compromised VMware ESXi infrastructure to dump employee credentials. They escalated privileges by resetting a Veeam service account password and assigning themselves Azure Global Administrator rights, and relocated virtual machines to evade detection. Evidence indicates attempted data exfiltration from Snowflake, AWS, and other repositories.
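The sequence above (self-service password reset on a privileged user, followed within hours by a Global Administrator assignment and a service-account password reset) is one a defender can hunt for in Entra ID audit logs. The following is an added detection example written for this page; it is not code from ReliaQuest, The Register, or Microsoft. The sample events are constructed, and the field and activity names (`activity`, `actor`, `target`, `role`, the `svc-` naming convention for service accounts, the 24-hour window) are assumptions that must be mapped onto the real audit-log schema and naming in use.

```python
"""Hunt for the SSPR -> privilege escalation chain described in the summary.

Constructed example, not telemetry from the reported intrusion. Field names
and activity strings are assumptions approximating Entra ID audit events.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema, not real logs).
SAMPLE_EVENTS = [
    {"time": "2025-09-01T08:02:11Z", "activity": "Reset password (self-service)",
     "actor": "cfo@bank.example", "target": "cfo@bank.example", "result": "success"},
    {"time": "2025-09-01T08:40:05Z", "activity": "Add member to role",
     "actor": "cfo@bank.example", "target": "cfo@bank.example",
     "role": "Global Administrator", "result": "success"},
    {"time": "2025-09-01T09:15:00Z", "activity": "Reset user password",
     "actor": "cfo@bank.example", "target": "svc-veeam@bank.example", "result": "success"},
    # A benign SSPR with no follow-on escalation; must not alert.
    {"time": "2025-09-02T10:00:00Z", "activity": "Reset password (self-service)",
     "actor": "analyst@bank.example", "target": "analyst@bank.example", "result": "success"},
]

# Roles whose assignment right after an SSPR is worth an immediate look (assumed list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Assumed naming convention for service accounts such as the Veeam account.
SERVICE_ACCOUNT_PREFIXES = ("svc-", "svc_")


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_sspr_escalations(events, window=timedelta(hours=24)):
    """Return alerts for accounts that completed an SSPR and then, within
    `window`, either received a privileged directory role or reset the
    password of a service account. Events are processed in time order so
    only follow-on actions after the SSPR are correlated."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    last_sspr = {}  # account -> time of its most recent successful SSPR
    alerts = []
    for ev in ordered:
        if ev.get("result") != "success":
            continue
        when = parse_time(ev["time"])
        activity = ev["activity"]
        if activity == "Reset password (self-service)":
            last_sspr[ev["target"]] = when
            continue
        sspr_at = last_sspr.get(ev["actor"])
        if sspr_at is None or when - sspr_at > window:
            continue
        minutes = int((when - sspr_at).total_seconds() // 60)
        if activity == "Add member to role" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append({"kind": "privileged_role_after_sspr", "account": ev["actor"],
                           "target": ev.get("role"), "minutes_after_sspr": minutes})
        elif activity == "Reset user password" and \
                ev["target"].lower().startswith(SERVICE_ACCOUNT_PREFIXES):
            alerts.append({"kind": "service_account_reset_after_sspr", "account": ev["actor"],
                           "target": ev["target"], "minutes_after_sspr": minutes})
    return alerts


if __name__ == "__main__":
    for alert in find_sspr_escalations(SAMPLE_EVENTS):
        print(alert)
```

The correlation key is the account that performed the SSPR, so a reset on an ordinary user followed by nothing (the analyst event) is silent, while the executive account's role grant and the service-account reset both fire. In a real deployment, the SSPR baseline should also consider the authentication method used to pass the reset, since the initial access here was social engineering rather than a technical bypass.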
Read at The Register