Cybersecurity researchers have tied the notorious cybercrime group known as Scattered Spider to a new round of cyber attacks targeting financial services, casting doubt on its claims of "going dark."
Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted its attention to the financial sector. This is supported by an increase in lookalike domains potentially connected to the group that are aimed at this industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization.
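Lookalike-domain monitoring of the kind ReliaQuest describes is usually done by comparing newly seen registrations against a list of protected brands. The following is an added example of that check, not ReliaQuest's tooling; the brand name, the candidate domains, the confusable-character table and the edit-distance threshold are all constructed assumptions.

```python
"""Flag domains that look like a protected brand (added example; the brand,
the candidate domains and the substitution table are constructed)."""

# Assumption: a representative subset of visually confusable substitutions.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")]

# Constructed inputs: a fictional bank brand and some candidate domains.
BRANDS = ["examplebank"]
SAMPLE_DOMAINS = [
    "examplebank.com",          # the legitimate domain
    "exarnplebank-login.com",   # 'rn' for 'm', plus an appended keyword
    "examp1ebank.net",          # digit '1' for letter 'l'
    "exampelbank.com",          # transposed letters
    "weather-report.org",       # unrelated
]


def normalize(label):
    """Collapse common homoglyph tricks so 'exarnp1e' compares as 'example'."""
    label = label.lower()
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of the domain.
    Assumption: single-label public suffixes only (no 'co.uk' handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_kind(domain, brand, max_distance=2):
    """Classify a domain against one brand, or return None if it is not suspicious."""
    label = registrable_label(domain)
    norm = normalize(label)
    if norm == brand:
        # Identical after normalisation: either the real thing or a homoglyph.
        return None if label == brand else "homoglyph"
    if brand in norm:
        return "brand-embedded"      # e.g. examplebank-login
    if levenshtein(norm, brand) <= max_distance:   # assumption: threshold of 2
        return "typosquat"
    return None


def flag_lookalikes(domains, brands):
    """Return (domain, brand, kind) for every domain that resembles a brand."""
    hits = []
    for dom in domains:
        for brand in brands:
            kind = lookalike_kind(dom, brand)
            if kind:
                hits.append((dom, brand, kind))
                break
    return hits


if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_DOMAINS, BRANDS):
        print(hit)
```

Short brand names will produce false positives with the substring rule, so in practice the brand list is paired with an allowlist of the organisation's own registrations.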
"Scattered Spider gained initial access to an executive's account by social engineering and resetting the password through Azure Active Directory Self-Service Password Management," the company said.
"From there, they accessed sensitive IT and security documents, later moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and infiltrate the network."
To escalate privileges, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and moved virtual machines to evade detection. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.
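The first two steps of that chain, a self-service password reset on an account followed by that account handing out Global Administrator, are both written to the Microsoft Entra ID (Azure AD) audit log and can be correlated. Below is an added example of that correlation, not ReliaQuest's or the victim's detection logic. The audit records are constructed; their field names follow the Entra audit log schema (activityDateTime, activityDisplayName, category, initiatedBy, targetResources, modifiedProperties), but the exact activity strings and the 24-hour window are assumptions that should be checked against an export from your own tenant.

```python
"""Correlate Entra ID audit records: self-service password reset on an account,
followed within a window by that account assigning a privileged directory role.
Added example; the records below are constructed, not real tenant data."""
from datetime import datetime, timedelta

# Assumptions: activity names as they appear in Entra audit exports.
SSPR_ACTIVITY = "Reset password (self-service)"
ROLE_ADD_ACTIVITY = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
WINDOW = timedelta(hours=24)   # assumption: how long after the reset we still care

# Constructed sample audit records (three events, one malicious sequence).
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-09-01T08:02:11Z", "category": "UserManagement",
     "activityDisplayName": SSPR_ACTIVITY, "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "cfo@example.com",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2025-09-01T09:47:30Z", "category": "RoleManagement",
     "activityDisplayName": ROLE_ADD_ACTIVITY, "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-09-03T12:00:00Z", "category": "RoleManagement",
     "activityDisplayName": ROLE_ADD_ACTIVITY, "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"userPrincipalName": "newhire@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
]


def _ts(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _initiator(rec):
    """UPN of the user who performed the action (empty for app-initiated events)."""
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()


def _assigned_role(rec):
    """Role name from an 'Add member to role' record, or None if absent."""
    for target in rec.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return prop.get("newValue", "").strip('"')
    return None


def find_sspr_to_privilege(records, window=WINDOW):
    """Return one alert per privileged role assignment made by an account whose
    password was self-service reset within `window` beforehand."""
    # Index successful SSPR events by the account that was reset.
    resets = {}
    for rec in records:
        if rec["activityDisplayName"] == SSPR_ACTIVITY and rec["result"] == "success":
            for target in rec["targetResources"]:
                resets.setdefault(target["userPrincipalName"].lower(), []).append(_ts(rec))

    alerts = []
    for rec in records:
        if rec["activityDisplayName"] != ROLE_ADD_ACTIVITY:
            continue
        role = _assigned_role(rec)
        if role not in PRIVILEGED_ROLES:
            continue
        actor = _initiator(rec)
        for reset_time in resets.get(actor, []):
            delta = _ts(rec) - reset_time
            if timedelta(0) <= delta <= window:
                alerts.append({"actor": actor, "role": role,
                               "target": rec["targetResources"][0]["userPrincipalName"],
                               "minutes_after_reset": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_sspr_to_privilege(SAMPLE_AUDIT):
        print(alert)
```

The same shape extends to the third step in the text: an admin-initiated password reset of a service account (here the constructed `svc-backup@example.com`) shortly after the SSPR event would be a second correlated signal, and the role-assignment target being a service account rather than a person is itself worth alerting on.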
Going Dark or Smokescreen?
The recent activity undermines the group's claim that it was shutting down operations alongside 14 other criminal groups, such as LAPSUS$. Scattered Spider is a moniker assigned to a loosely knit hacking collective that is part of a broader online entity called The Com.
The group also shares a high degree of overlap with other cybercrime crews such as ShinyHunters and LAPSUS$, so much so that the three clusters have formed an overarching entity named "Scattered LAPSUS$ Hunters."
One of these groups, ShinyHunters in particular, has engaged in extortion efforts even months after exfiltrating sensitive data from victims' Salesforce instances. In these cases, the targets had been compromised months earlier by another financially motivated hacking group, tracked by Google-owned Mandiant as UNC6040.
The incident is a reminder not to be lulled into a false sense of security, ReliaQuest said, urging organizations to remain vigilant against the threat. In the case of ransomware groups, there is no such thing as retirement, as it is entirely possible for them to reorganize or rebrand under a different name in the future.
"Recent claims of Scattered Spider 'retiring' should be taken with a significant degree of skepticism," said Karl Sigler, Security Research Manager of SpiderLabs Threat Intelligence at Trustwave. "Rather than a true disbandment, this declaration probably indicates a strategic move by the group in the face of increasing law enforcement pressure."
Sigler also said that the farewell message should be seen as a strategic retreat, allowing the group to reassess its practices, refine its tradecraft, and evade ongoing efforts to put a lid on its activities, not to mention complicate efforts to tie the same key actors together.
"It is plausible that some compromise has occurred within the group's operational infrastructure. Whether through a breached system, an exposed communication channel, or the arrest of lower-level associates, something has likely triggered the group to go dark, at least temporarily, and eventually re-emerge under a new identity."