Scattered Spider just rewrote my ransomware playbook. They didn’t just break in. They didn’t just move laterally. They fought back. Incident response started closing doors and Scattered Spider pried them back open, countered security moves in real time, and actively sabotaged the organization’s operations on their way out. This isn’t the future of ransomware. It’s here.

A few painful lessons:
- Social engineering is faster than brute force. Scattered Spider impersonated a CFO and convinced the help desk to reset MFA... and it worked!
- Over-privileged executive accounts remain soft targets. They offer maximum access and minimum resistance.
- Cloud misconfigurations and virtual machines are blind spots. The attackers moved through virtual desktops, spun up new machines, and operated without endpoint detection visibility.
- Persistence matters. Even after discovery, the attackers leveraged administrator-level control to claw back access and delay eviction.
- Real-world tug-of-war is now part of the threat landscape. They weren’t afraid to burn the environment down.

Here is how we (Incident Response) can start to prepare:
- Strengthen identity verification, especially for help desk resets. Voice-based verification is not enough.
- Audit executive accounts for unnecessary privileges. Just because it’s the CFO doesn’t mean they need domain-wide access.
- Segment and actively monitor your virtual environments. Treat VDI and VMware ESXi like critical infrastructure.
- Plan for post-discovery adversaries. Assume they’ll fight to stay. Build recovery and containment playbooks for hostile evictions.

Scattered Spider showed us what the next generation of attackers looks like. They don’t just steal data. They disrupt. They linger. And they’re watching how you respond. You get what you rehearse, not what you intend. Start rehearsing now.
Understanding Scattered Spider Cyber Attacks
Summary
Scattered Spider cyberattacks represent an emerging cyber threat posed by a sophisticated group known for employing advanced social engineering techniques and exploiting security vulnerabilities in both cloud and hybrid environments. This group targets organizations of all sizes, using methods like phishing, SIM swapping, and manipulation of third-party access to steal data, disrupt operations, and demand ransoms.
- Strengthen identity verification: Implement robust multi-factor authentication and enforce stricter protocols for help desk resets to reduce the risk of social engineering attacks.
- Monitor cloud and hybrid systems: Regularly audit cloud and on-premises environments, and segment virtual infrastructure to enhance visibility and limit lateral movement by attackers.
- Train employees to recognize social engineering: Provide ongoing security awareness training to help employees identify phishing, vishing, and other deceptive tactics used by attackers.
Scattered Spider doesn’t innovate. They repeat. 🕷️ Their tactics don’t change. But the damage keeps piling up:
🎰 Caesars paid $15 M to get systems back.
🎲 MGM refused to pay, but lost $100 M+ in downtime.
🛍️ M&S faced a £10 M demand (outcome unknown).
🛫 Qantas & US airlines now on the FBI’s radar.
🏦 Aflac, Erie & Philadelphia Insurance breached via pure social engineering.

Scattered Spider often hits first by compromising MSPs or other third-party providers to multiply entry points. In every case, there’s a common thread: data-rich organizations with complex operations and deep reliance on third-party services. Casinos, airlines, insurers, retailers — all outsource critical functions like customer service, infrastructure, and even their help desks. In many cases, they don’t fully know how much access those vendors have to sensitive data. And that’s exactly where Scattered Spider strikes.

They use the same TTPs every time: SIM swapping. MFA fatigue. Help desk phishing. Then they move laterally, blend in, and lock you down.

Hack The Box just released training built off Scattered Spider’s real attacks. Blue teams test detection, red teams run the exact path, and CISOs prove the team’s ready for real threats.

Defending against this isn’t only about training your cybersecurity team; it means upskilling every employee with awareness, especially in IT and support roles. One socially engineered help desk call is all it takes. Because Scattered Spider isn’t targeting your firewall. They’re targeting your people.
-
Scattered Spider just evolved their playbook, and it’s getting scarier.

Microsoft’s latest research on Octo Tempest (aka Scattered Spider) reveals a disturbing shift in their attack methodology: https://lnkd.in/eXnyABNR

These financially motivated threat actors are no longer just cloud-first attackers but are mastering hybrid environments with devastating precision. What’s changed? Instead of their usual cloud-to-on-premises pivot, they’re flipping the script: compromising on-premises infrastructure first, then escalating to cloud resources. This hybrid approach makes detection exponentially harder.

Their new arsenal includes:
- Advanced social engineering targeting helpdesks with impersonation tactics
- SMS-based phishing using adversary-in-the-middle domains
- DragonForce ransomware that specifically targets VMware ESX hypervisors

Recommendations:
- Test your org’s hybrid defenses. Are your MFA implementations bulletproof against sophisticated social engineering?
- Do password reset protocols require thorough verification beyond easily OSINTable information like birthdays or addresses?

Consider decoupling verification and authentication requests entirely from your helpdesk and routing them to a dedicated security team for thorough vetting. Implement hardened PIM/PAM with just-in-time protocols, segment Authentication Administrator roles across specific administrative units, and place high-risk users in separate administrative units with even more stringent verification requirements. This friction can be the difference between a quick win for attackers and a failed intrusion attempt.

Beyond #OSCP — #OffensiveSecurity #InitialAccess #RedTeam Hacker Hermanos
-
All of the high-profile recent attacks in Las Vegas and elsewhere around the country from Scattered Spider / UNC3944 call for a fast threat intel report. Please share with your team!

Unpacking Scattered Spider's / UNC3944's Tactics, Techniques & Procedures (TTPs):

☢️ Overview:
🔸 Scattered Spider/UNC3944 is a financial-threat group with consistent phone-based social engineering (vishing) & SMS phishing (smishing).
🔸 They've recently broadened their targets: from telecoms and BPOs to hospitality, retail, media, financial services, and more.

☢️ Notable TTPs:
🔸 Heavy reliance on social engineering: SMS phishing and calls to help desks for password resets or MFA bypass.
🔸 Use of commercial residential proxy services to appear local.
🔸 Legitimate software and remote access tools are often downloaded directly from vendor sites.
🔸 Extremely high operational tempo, overwhelming security response teams.
🔸 In-depth internal reconnaissance: Seeking internal documents, chat logs, etc., to maintain and escalate their presence.
🔸 Privilege escalation: Targeting password managers and privileged access systems.
🔸 Virtual machine (VM) creation: Often creating unmanaged VMs inside victims' environments.
🔸 Targeted ransomware deployment: Focusing on business-critical systems for maximum impact.
🔸 Aggressive communication: Threatening notes, texts to executives, and infiltrating victims' communication channels.

☢️ Scattered Spider/UNC3944 Attack Lifecycle Highlights:
🔸 Smishing: Primary initial access via smishing attacks on employees.
🔸 Phishing Kits: Mandiant identified 3 phishing kits used by UNC3944.
🔸 Credential Thefts: Use of various credential theft tools.
🔸 Cloud Resources Targeting: Specifically focusing on victims’ cloud resources for data theft and lateral movement.

☢️ Outlook: Scattered Spider's/UNC3944's adaptive and diverse approach shows they’re here to stay and evolve. From SMS phishing to sophisticated ransomware and extortion campaigns, their trajectory indicates a continuous threat evolution. Stay vigilant and keep updating your threat intelligence and hardening your defenses to account for such emerging groups! #Cybersecurity #ScatteredSpider #UNC3944
-
What’s old is new again with #ScatteredSpider. Halcyon is observing a resurgence in the group’s use of compromised third-party providers—especially BPOs—to launch follow-on attacks across entire sectors. This tactic first emerged in 2023, when Scattered Spider infiltrated major casinos by exploiting third-party access. Now, similar compromises are being used to hit retail, insurance, and other industries.

🔎 Our latest blog post explores how insider recruitment or access misuse at outsourcing providers is reigniting this threat, and how these compromises are often the first move in a broader attack chain.

How can you defend your organization?
💪 Use phishing-resistant MFA (number matching, hardware tokens) across both internal and third-party accounts.
🙅♀️ Eliminate voice/text MFA and disable legacy authentication protocols to block credential replay.
📋 Audit BPO and MSP access—focus on privileged access, endpoint monitoring, and insider risk indicators.
🥸 Watch for spoofed domains and fake login flows, especially ones mimicking helpdesk or HR systems.

Read the full blog post here: https://lnkd.in/echsvvxE
#ThirdPartyRisk #CyberThreats #ZeroTrust #InsiderThreat #MFA #CyberIntelligence #Ransomware
-
🛡️ Defending VMware Infrastructure Against Scattered Spider (UNC3944) and Other Advanced Adversaries

Over the past several years, Mandiant (part of Google Cloud) has observed several adversaries compromise VMware infrastructure to do the following:
1️⃣ Steal sensitive data from guest virtual machines
2️⃣ Materially disrupt business operations
3️⃣ Hide backdoors due to the lack of EDR coverage
4️⃣ Deploy new virtual machines without standard enterprise security telemetry, so they can run attacks from inside the network with fewer security detections

In recent months, Scattered Spider has caused significant disruption to organizations in the retail, insurance, and airline sectors. Once inside victim environments, they quickly focus their effort on VMware infrastructure because it’s often less defended than other parts of enterprise environments.

Mandiant just published a blog that outlines the methodology Scattered Spider has used over and over to gain access to victim environments and compromise VMware infrastructure. We provide detailed recommendations for each step of their methodology. This will help organizations improve their VMware visibility and defenses.

This is an important read. I highly encourage organizations to take the time to review this guidance and launch a project to implement the recommendations. Thanks to the collaboration and input from VMware and Microsoft on the research and hardening guidance.

#ScatteredSpider #UNC3944 #VMware #vSphere #DFIR
-
'The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an hour...

...Specifically, attackers used a socially-engineered MFA fatigue attack — in which they used the valid account credentials to attempt four MFA challenges within two minutes. The last resulted in successful authentication, with a "new device sign-in" being observed from Florida IP address 99.25.84[.]9 that was used to reset a legitimate Okta user's credentials to access the environment of a cloud service provider...

...Scattered Spider ultimately used a combination of TTPs — including social engineering of help-desk employees, identity-as-a-service (IDaaS) cross-tenant impersonation, file enumeration and discovery, abuse of specific enterprise applications, and use of persistence tools — to achieve widespread encryption and exfiltration of data from the targeted network.'

https://lnkd.in/gbh8RFaV
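The sequence the quoted report describes (a burst of MFA prompts in two minutes, a success from an unfamiliar address, then a credential reset) is what a detection rule should key on. The detector below is an added example, not code from the quoted article or any vendor; the log layout, event and field names, addresses and the KNOWN_IPS baseline are constructed assumptions rather than any real identity provider's schema.

```python
"""Flag an MFA-fatigue burst that ends in a successful sign-in from an unfamiliar
IP and is followed by a credential reset, the sequence quoted above. Log layout,
field names and addresses are constructed for this example, not Okta's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp user event outcome source_ip
SAMPLE_LOG = """\
2023-10-02T14:00:05Z alice mfa.challenge FAILURE 203.0.113.7
2023-10-02T14:00:40Z alice mfa.challenge FAILURE 203.0.113.7
2023-10-02T14:01:10Z alice mfa.challenge FAILURE 203.0.113.7
2023-10-02T14:01:55Z alice mfa.challenge SUCCESS 203.0.113.7
2023-10-02T14:02:30Z alice user.credential.reset SUCCESS 203.0.113.7
2023-10-02T09:15:00Z bob mfa.challenge SUCCESS 198.51.100.4
2023-10-02T15:00:00Z bob mfa.challenge FAILURE 198.51.100.4
2023-10-02T15:00:20Z bob mfa.challenge SUCCESS 198.51.100.4
"""
# Constructed baseline: IPs each user has previously signed in from.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, event, outcome, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome, ip))
    return sorted(events)  # time-ordered (timestamp, user, event, outcome, ip) tuples


def detect_mfa_fatigue(events, known_ips=KNOWN_IPS, min_challenges=3,
                       window=timedelta(minutes=2), reset_window=timedelta(minutes=10)):
    """One alert per successful MFA challenge that closes a burst of >= min_challenges
    prompts within `window` for a user, from an IP outside that user's baseline."""
    challenges, resets = defaultdict(list), defaultdict(list)
    for ts, user, event, outcome, ip in events:
        if event == "mfa.challenge":
            challenges[user].append((ts, outcome, ip))
        elif event == "user.credential.reset" and outcome == "SUCCESS":
            resets[user].append(ts)
    alerts = []
    for user, chals in challenges.items():
        for i, (ts, outcome, ip) in enumerate(chals):
            if outcome != "SUCCESS" or ip in known_ips.get(user, set()):
                continue
            # Count this prompt plus every earlier one inside the trailing window.
            burst = sum(1 for t, _, _ in chals[:i + 1] if ts - t <= window)
            if burst >= min_challenges:
                # A reset shortly after the burst is the follow-on action in the report.
                reset_after = any(ts <= r <= ts + reset_window for r in resets[user])
                alerts.append({"user": user, "time": ts, "challenges": burst,
                               "src_ip": ip, "followed_by_reset": reset_after})
    return alerts
```

On the sample log this raises one alert for alice (four prompts in 110 seconds, success from an unseen address, reset 35 seconds later) and none for bob, whose two prompts come from a known address.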
-
Your MFA isn’t broken. Your help desk is.

Here’s how attackers are stealing admin access with one phone call:

Most companies think multi-factor authentication keeps them safe. But groups like Scattered Spider don’t need to crack passwords. They bypass security by targeting your weakest link—humans.

Last month, they phoned an IT help desk posing as a CFO. They had the executive’s birthday, last four digits of SSN, and employee ID. The help desk believed them. They reset the MFA and handed over full access.

Within hours, the attackers:
- Logged into the virtual desktop environment
- Shared privileged access with new accounts
- Stole over 1,400 passwords from CyberArk
- Took down a production domain controller
- Deleted Azure security rules to block incident response

Social engineering beat every technical barrier. Why? Because the verification process was built for speed, not security. If one urgent-sounding request breaks your setup, you have no real defense.

Here’s one way to stop it: Start treating identity like infrastructure. Create strict help desk protocols for adding devices, resetting MFA, or handing out employee info. Train staff to verify identity with multiple layers—employee photos, voice verification, known locations. Test it regularly.

If it feels like overkill, remember: all it takes is one convincing call. Don’t let your own team become the entry point.
-
🚨 If your MFA can be bypassed with a convincing voice and a bit of urgency, Scattered Spider—armed with AI—might already be halfway in.

This isn't a hypothetical. Scattered Spider—one of the most agile and deceptive threat actors today—has expanded aggressively across the U.S., now targeting enterprises in the retail, telecom, finance, and tech sectors. Armed with AI, it doesn’t knock—it walks right in, blending social engineering, identity compromise, and internal process abuse with AI-enhanced deception.

Here’s what makes them dangerous:
👉 Impersonating employees to trick help desks and bypass MFA
👉 Using legitimate tools like PowerShell, RDP & AnyDesk to stay hidden
👉 Automating reconnaissance and phishing with generative AI
👉 Deploying AI voice clones for real-time vishing attacks
👉 Targeting sectors where operational disruption causes maximum damage

Our latest threat research breaks down:
✅ How Scattered Spider’s tactics are evolving
✅ How AI is scaling its operations faster than ever
✅ How SAFE models your organization’s real-time exposure and control gaps, mapped directly to this threat actor’s behavior

🔗 Read the full blog → https://lnkd.in/dQ4pgSNM
🤔 Ask your team → Are we SAFE enough?

Saket Modi Rahul T. Saket Bajoria Pankaj Goyal Nidhi Warde
-
UNC3944, also known as Scattered Spider, is a sophisticated cyber threat group that has pivoted its tactics to target SaaS (Software as a Service) applications. This adversary employs advanced social engineering techniques and leverages virtual machines (VMs) for persistence in its attacks.

Sophisticated Social Engineering Tactics
Scattered Spider excels in social engineering, using carefully crafted phishing emails and other deceptive methods to trick victims into revealing login credentials or installing malware. Their tactics often involve impersonating trusted entities or exploiting current events to increase the perceived legitimacy of their lures.[1]

Leveraging VMs for Persistence
Once initial access is gained, the group deploys virtual machines within the compromised environment to maintain a persistent foothold. These VMs act as staging points for further lateral movement and data exfiltration activities, making it challenging to detect and remove the adversary from the network.[1]

Targeting SaaS Applications
Scattered Spider has recently shifted its focus to target SaaS applications, which are widely used by organizations for various business functions. By compromising SaaS accounts, the group can gain access to sensitive data, disrupt operations, or use the compromised accounts as entry points into the victim's network.[1]

This shift highlights the growing importance of securing SaaS applications and implementing robust access controls, multi-factor authentication, and continuous monitoring to detect and respond to potential threats. Organizations must remain vigilant and prioritize security awareness training to educate employees on recognizing and mitigating social engineering attacks, as these tactics are a key component of Scattered Spider's operations.[1]

Citations:
[1] https://lnkd.in/g6TcWitU
[2] https://lnkd.in/g8qiVdhw
[3] https://lnkd.in/gTSeWs5Y
[4] https://lnkd.in/gMKs2mZV
[5] https://lnkd.in/gzkxa9iN
[6] https://lnkd.in/gDty7uVm