- Scattered Spider has resumed attacks and targeted a US bank despite claiming to be going dark
- Hackers used vishing and Okta-themed phishing pages to bypass MFA and exfiltrate sensitive data
- The group is linked to major breaches, including the Salesforce data theft affecting over 700 companies
Retirement does not seem to suit Scattered Spider: the notorious threat actor has been observed targeting banking organizations in the United States, despite claims that it was “going dark”.
Security researchers at ReliaQuest have published a new report in which they claim to have seen evidence of fresh activity from the hackers.
Among that evidence are several lookalike domains tied to the fintech vertical, as well as a victim: a US banking organization.
Social Engineering
To breach the target organization, Scattered Spider reportedly turned to vishing (voice phishing). The group would call employees on the phone, impersonate IT staff and persuade them to approve access to malicious “connected apps”.
These apps, which appeared benign (imitations of Salesforce or similar services), let the miscreants exfiltrate sensitive business data. To steal login credentials, the attackers used Okta-themed phishing pages, through which they successfully bypassed security checks such as multi-factor authentication.
“Scattered Spider gained initial access by social engineering a director’s account and resetting their password via Azure Active Directory Self-Service Password Management,” the report said.
“From there, they gained access to sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network.”
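The chain described in the two passages above (a self-service password reset on a privileged account, followed by a sign-in from an unfamiliar device and the approval of a broadly scoped connected app) is individually made of routine events; it is the sequence, within a short window, that a defender should alert on. The following is an added example, not code from the article or from ReliaQuest: a small correlation routine over constructed sample events whose field names (`sspr_reset`, `signin`, `oauth_consent`, `new_device`, `scopes`) are assumptions loosely modelled on Entra ID audit/sign-in logs and a Salesforce setup audit trail, not a real log schema.

```python
"""Correlate password-reset, sign-in and connected-app consent events per user.

Added example (not from the article). Event fields and sample data are
constructed; adapt the parsing layer to your real audit-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Only the first user shows the
# full chain; the second has a routine reset; the third only a harmless consent.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T13:02:00Z", "type": "sspr_reset", "user": "director@example-bank.test",
     "ip": "203.0.113.5"},
    {"ts": "2025-09-10T13:05:30Z", "type": "signin", "user": "director@example-bank.test",
     "ip": "198.51.100.77", "new_device": True},
    {"ts": "2025-09-10T13:09:00Z", "type": "oauth_consent", "user": "director@example-bank.test",
     "app": "Data Loader Helper", "scopes": ["api", "refresh_token", "full"]},
    {"ts": "2025-09-10T09:00:00Z", "type": "sspr_reset", "user": "analyst@example-bank.test",
     "ip": "192.0.2.10"},
    {"ts": "2025-09-10T09:40:00Z", "type": "signin", "user": "analyst@example-bank.test",
     "ip": "192.0.2.10", "new_device": False},
    {"ts": "2025-09-11T10:00:00Z", "type": "oauth_consent", "user": "helpdesk@example-bank.test",
     "app": "Calendar Sync", "scopes": ["openid"]},
]

# Assumed list of high-value identities (directors, admins, service owners).
PRIVILEGED = {"director@example-bank.test"}
# Broad Salesforce-style OAuth scopes that let an app read and export data.
RISKY_SCOPES = {"full", "api", "refresh_token"}
WINDOW = timedelta(minutes=30)
ALERT_THRESHOLD = 4


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, privileged=PRIVILEGED, window=WINDOW):
    """Return one alert per password reset that is followed, within `window`,
    by suspicious activity on the same account. Scoring is additive so that a
    reset alone (a helpdesk-driven routine) never alerts on its own."""
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        for idx, reset in enumerate(evs):
            if reset["type"] != "sspr_reset":
                continue
            t0 = parse_ts(reset["ts"])
            followers = [f for f in evs[idx + 1:] if parse_ts(f["ts"]) - t0 <= window]

            # Sign-in from a device never seen before, from a different IP than the reset.
            new_device_signins = [f for f in followers
                                  if f["type"] == "signin" and f.get("new_device")
                                  and f["ip"] != reset["ip"]]
            # Consent to a connected app requesting broad data-access scopes.
            risky_consents = [f for f in followers
                              if f["type"] == "oauth_consent"
                              and RISKY_SCOPES & set(f.get("scopes", []))]

            score, reasons = 0, []
            if user in privileged:
                score += 2
                reasons.append("reset on privileged account")
            if new_device_signins:
                score += 2
                reasons.append("new-device sign-in from %s" % new_device_signins[0]["ip"])
            if risky_consents:
                score += 3
                reasons.append("broad OAuth consent to '%s'" % risky_consents[0]["app"])

            if score >= ALERT_THRESHOLD:
                alerts.append({"user": user, "reset_at": reset["ts"],
                               "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The threshold is deliberately above the weight of any single signal: a password reset on a director's account is common enough that alerting on it alone would bury the SOC, but a reset followed within half an hour by a new-device sign-in and a consent grant for an app with `full` and `api` scopes is exactly the shape of the chain the report describes. In production the consent check should also compare the app's client ID against an allow-list of sanctioned connected apps.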
Scattered Spider is one of the three groups allegedly behind the breaches of Jaguar Land Rover (JLR), Marks & Spencer, Co-op, Harrods and many others.
Recently, the group announced that it was “going dark”. Some researchers believe the hackers fear a response from law enforcement, while others think the announcement could simply be a diversion or a pivot.
It could also be both. Scattered Spider is also linked to the large Salesforce/Salesloft data theft operation, which appears to have affected more than 700 companies. If those claims turn out to be accurate, this would be one of the biggest breaches in recent history and, as such, would certainly draw the attention of the FBI and possibly even the NSA.
Via The Hacker News