{"id":4189,"date":"2025-07-31T02:09:04","date_gmt":"2025-07-31T02:09:04","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4189"},"modified":"2025-07-31T02:09:04","modified_gmt":"2025-07-31T02:09:04","slug":"tangled-in-the-web-scattered-spiders-tactics-changing-to-snare-more-victims","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4189","title":{"rendered":"Tangled in the web: Scattered Spider\u2019s tactics changing to snare more victims"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Scattered Spider is using fresh tactics to snare more victims in its web.<\/p>\n<p>Governments around the globe are <a href=\"https:\/\/www.ic3.gov\/CSA\/2025\/250729.pdf\" target=\"_blank\" rel=\"noopener\">warning<\/a> that the hacker group is impersonating employees to trick IT help desks into resetting passwords and transferring multi-factor authentication (MFA) tokens to attacker-controlled devices. This then allows them to carry out damaging extortion and ransomware campaigns.<\/p>\n<p>\u201cScattered Spider is successful because of their expert use of social engineering,\u201d said <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich<\/a>, dean of research at <a href=\"https:\/\/www.sans.edu\/\" target=\"_blank\" rel=\"noopener\">SANS Technology Institute<\/a>. 
\u201cDefenses often focus too much on technical attacks and technical solutions, while attackers like Scattered Spider use simple phone calls or SMS messages, and in some cases, simple cash bribes, to get insiders to assist them.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Sophisticated spear phishing bypasses defenses<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4020567\/anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves.html\" target=\"_blank\" rel=\"noopener\">Scattered Spider<\/a>, also known as Scatter Swine, Oktapus, and Octo Tempest, has been active since at least May 2022, using a range of social engineering techniques to obtain credentials, install remote access tools, bypass MFA, steal data, and extort organizations.<\/p>\n<p>The group\u2019s members are notorious for posing as IT and help desk staff to fool employees into giving up their credentials, sharing one-time passwords (OTPs), or running commercial remote access tools that grant the attackers network access. They employ a variety of social engineering tactics, including smishing (SMS phishing), vishing (voice phishing), and spear phishing (targeting a specific employee).<\/p>\n<p>Now the US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies in Canada, the UK, and Australia say the group is changing up its tactics and adding new tooling: RattyRAT, a Java-based remote access trojan used to maintain persistent access to victim networks, and DragonForce ransomware, deployed to encrypt systems after data has been stolen.<\/p>\n<p>The agencies warn that <a href=\"https:\/\/www.csoonline.com\/article\/3994369\/how-cisos-can-defend-against-scattered-spider-ransomware-attacks.html\" target=\"_blank\" rel=\"noopener\">Scattered Spider<\/a> is abusing legitimate, publicly available remote access and tunneling tools, now including Teleport.sh and AnyDesk, which are widely used by real administrators and therefore rarely blocked, to bypass security safeguards. 
Increasingly, it is searching for an organization\u2019s Snowflake access to \u201c[exfiltrate] large volumes of data in a short time, often running thousands of queries immediately,\u201d according to the advisory.<\/p>\n<p>The group has long exfiltrated data after gaining access to a network and then threatened to release it; more recently, it has staged stolen data in US-based data centers, including Amazon S3 storage, before encrypting it. Members then communicate with targeted organizations via Tor, Tox, email, and other encrypted apps.<\/p>\n<p>The group is using domains such as targetsname-cms[.]com, targetsname-helpdesk[.]com, and oktalogin-targetcompany[.]com. CISA explained that the targeted organization\u2019s name is typically combined with a suffix such as <em>-helpdesk<\/em> or with the name of an SSO provider (Okta, for example) to lend the domain credibility. Monitoring new domain registrations and certificate transparency logs for such patterns is one way to catch these lookalikes before they are used.<\/p>\n<p>In some instances, Scattered Spider members purchase employee or contractor credentials on illicit marketplaces to gain access. More commonly, they search business-to-business websites to gather information about specific individuals. Once they have identified usernames, passwords, and personally identifiable information (PII), and in some cases carried out SIM swapping (porting a victim\u2019s phone number to a SIM card they control, so that SMS-based codes are delivered to the attacker), they use \u201clayered\u201d social engineering techniques spread over several calls.<\/p>\n<p>These calls are designed to learn the steps the help desk follows for a password reset, gather the targeted employee\u2019s reset information, and then convince help desk personnel through vishing to reset passwords and\/or transfer MFA tokens so the attackers can take over accounts.<\/p>\n<p>Later, to determine whether their activities have been detected, the threat actors often search the organization\u2019s Slack, Microsoft Teams, and Microsoft Exchange Online for discussions of the attack and the subsequent security response. 
They also create new identities in these environments, backed up by fake social media profiles, and frequently join incident remediation and response calls and teleconferences. This helps them understand how security teams are hunting them.<\/p>\n<p>Scattered Spider is so effective \u201cbecause it uses advanced and aggressive social engineering that gets around most defenses,\u201d said <a href=\"https:\/\/blog.knowbe4.com\/author\/roger-grimes\" target=\"_blank\" rel=\"noopener\">Roger Grimes<\/a>, a data-driven defense evangelist at cybersecurity company <a href=\"https:\/\/www.knowbe4.com\/\">KnowBe4<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Avoid getting ensnared in Scattered Spider\u2019s web<\/h2>\n<p>In response to the group\u2019s new tactics, the joint advisory tells enterprises to look for \u201crisky logins,\u201d that is, sign-in attempts the identity provider has flagged as suspicious or unusual; given the tactics described above, sign-ins from a new device or location shortly after a help desk password reset or MFA re-enrollment deserve particular scrutiny. Other important cybersecurity practices include:<\/p>\n<ul>\n<li>Enforce phishing-resistant MFA.<\/li>\n<li>Implement application controls to manage and control software execution, including allowlisting remote access programs.<\/li>\n<li>Audit remote access tools to identify currently used and\/or authorized software.<\/li>\n<li>Review logs for execution of remote access software to detect abnormal use.<\/li>\n<li>Only permit authorized remote access tools to be used within the network, and only over approved mechanisms such as virtual private networks (VPNs) or virtual desktops.<\/li>\n<li>Block inbound and outbound connections on common remote access ports and protocols.<\/li>\n<li>Strictly limit the use of remote desktop protocol (RDP) and other remote desktop services.<\/li>\n<\/ul>\n<p>Given that the group\u2019s social engineering techniques can get around most defenses, experts emphasize the importance of building a holistic cybersecurity culture rather than relying on tools alone.<\/p>\n<p>\u201cCISOs can\u2019t buy a blinky box to mitigate Scattered Spider,\u201d said <a 
href=\"https:\/\/ca.linkedin.com\/in\/dbshipley\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a> of <a href=\"https:\/\/www.beauceronsecurity.com\/\" target=\"_blank\" rel=\"noopener\">Beauceron Security<\/a>. \u201cIt requires building aware and engaged teams to recognize social engineering, positive security cultures, and robust, assertive help desk authentication procedures that are tested at least monthly by red teams.\u201d<\/p>\n<p>KnowBe4\u2019s Grimes noted that many defense guides, including those from CISA, \u201cbarely mention\u201d how best to defeat social engineering, which, he said, comes down to better security awareness training. \u201cSo, people concentrate on the wrong things and then wonder why Scattered Spider is so successful.\u201d<\/p>\n<p>He advised: \u201cDon\u2019t use easily phishable MFA \u2014 and that\u2019s most MFA.\u201d His suggestions for phishing-resistant MFA: NIST, FIDO2, 1Kosmos, AuthN by IEEE, Beyond Identity, IDEE, Google Advanced Protection Program, HYPR, and idenprotect.<\/p>\n<p>SANS\u2019 Ullrich noted that enterprises too often rely on third-party vendors for critical security functions such as identity and access control. As a result, it can be difficult to make quick tactical changes in response to current threats. Detailed insight into authorization activity can be limited, slowing or preventing proper detection and mitigation, while modern decomposed networks make detailed monitoring \u201calmost impossible.\u201d<\/p>\n<p>Internal expertise is optimal, he said; barring that, enterprises should promote a strong employee reporting system. \u201cSuccessful awareness training often emphasizes reporting features over more old-fashioned anti-phishing training,\u201d said Ullrich.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Scattered Spider is using fresh tactics to snare more victims in its web. 
Governments around the globe are warning that the hacker group is impersonating employees to trick IT help desks into resetting passwords and transferring multi-factor authentication (MFA) tokens to attacker-controlled devices. This then allows them to carry out damaging extortion and ransomware campaigns. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4186,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4189"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4189"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4189\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4186"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}