- Scattered Spider is evolving, CISA, the FBI and others have warned
- The hackers are using additional malware, including DragonForce
- Companies must use phishing-resistant MFA to defend themselves
Scattered Spider is only warming up with its cyberattacks, and companies should be on guard against further attacks, law enforcement agencies have said.
A warning issued by the US Cybersecurity and Infrastructure Security Agency (CISA), together with a handful of other security agencies in Canada, the United Kingdom and Australia, says the group has evolved to use more advanced social engineering, mainly by impersonating employees to get help desks to reset passwords and transfer MFA tokens to the attackers.
The hackers have also added new malware, such as RattyRAT for stealthy access and DragonForce ransomware to encrypt systems and demand payment, in particular targeting VMware ESXi servers.
More to come
Also known as Octo Tempest (and a handful of other names), Scattered Spider is described as a highly aggressive and sophisticated cybercriminal group known for targeting large companies through social engineering, phishing and identity-based attacks.
The group is notorious for its use of SIM swapping, MFA fatigue attacks and identity theft to obtain initial access, and it is the latter that CISA is now emphasizing.
Scattered Spider typically engages in double extortion attacks, exfiltrating sensitive files to third-party servers before encrypting the target infrastructure. To store stolen files they use Mega.nz and Amazon S3, and in some cases they have executed thousands of queries against Snowflake environments to quickly steal large volumes of data.
To stay hidden, they create fake identities backed by social media profiles, monitor internal communications such as Slack and Microsoft Teams, and even join incident response calls to find out how defenders react.
CISA says more Scattered Spider attacks are to be expected in the coming weeks and months, and urges organizations to use phishing-resistant MFA (such as FIDO/WebAuthn), to audit and restrict remote access tools, to monitor for risky logins and unusual account behavior, to maintain offline, encrypted backups, and to segment networks and patch known vulnerabilities.
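The "monitor for risky logins and unusual account behavior" advice maps directly onto the help-desk impersonation technique the advisory describes: a help-desk-initiated password reset, followed by a new MFA method on the same account and then a login from a location that account has never used. The following is an added example, not code from the article, CISA or any vendor: it correlates those three signals over a constructed identity log. The event schema, user names, countries and the one-hour window are assumptions; real deployments would read these fields from the identity provider's audit log.

```python
"""Flag a help-desk-assisted account takeover chain in identity audit events.

Added example, not from the advisory or the article. Three signals on one
account within a short window are correlated:
  1. a password reset performed by someone other than the account owner
     (constructed here as actor == "helpdesk"),
  2. a new MFA method registered after that reset,
  3. a login from a country not seen for that account before the reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical tenant), oldest first.
EVENTS = [
    {"ts": "2025-07-29T09:00:00", "user": "alice", "type": "login",
     "country": "US", "actor": "alice"},
    {"ts": "2025-07-29T09:10:00", "user": "alice", "type": "password_reset",
     "country": None, "actor": "helpdesk"},
    {"ts": "2025-07-29T09:14:00", "user": "alice", "type": "mfa_method_added",
     "country": None, "actor": "alice"},
    {"ts": "2025-07-29T09:20:00", "user": "alice", "type": "login",
     "country": "NL", "actor": "alice"},
    # bob: help-desk reset, but no new MFA method and a login from his usual
    # country, so the full chain is not present and nothing is flagged.
    {"ts": "2025-07-29T10:00:00", "user": "bob", "type": "password_reset",
     "country": None, "actor": "helpdesk"},
    {"ts": "2025-07-29T10:30:00", "user": "bob", "type": "login",
     "country": "US", "actor": "bob"},
]

WINDOW = timedelta(hours=1)  # assumed correlation window


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_takeover_chains(events, window=WINDOW):
    """Return one finding per account that shows the full reset -> new MFA ->
    unfamiliar-country login chain inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        known_countries = set()   # baseline built from earlier logins
        reset_ts = mfa_ts = None
        for e in evs:
            t = parse_ts(e["ts"])
            if e["type"] == "password_reset" and e["actor"] != user:
                # Reset not performed by the owner: start (or restart) a chain.
                reset_ts, mfa_ts = t, None
            elif (e["type"] == "mfa_method_added" and reset_ts is not None
                  and t - reset_ts <= window):
                mfa_ts = t
            elif e["type"] == "login":
                if (reset_ts is not None and mfa_ts is not None
                        and t - reset_ts <= window
                        and e["country"] not in known_countries):
                    findings.append({
                        "user": user,
                        "reset_ts": reset_ts.isoformat(),
                        "mfa_added_ts": mfa_ts.isoformat(),
                        "login_ts": t.isoformat(),
                        "country": e["country"],
                    })
                    reset_ts = mfa_ts = None  # report each chain once
                known_countries.add(e["country"])
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(EVENTS):
        print(f"ALERT {f['user']}: reset {f['reset_ts']}, new MFA "
              f"{f['mfa_added_ts']}, login from {f['country']} at {f['login_ts']}")
```

The design choice worth noting is that each signal on its own is routine (help desks reset passwords all day, users enroll new phones, people travel); the detection value comes from requiring all three on one account inside the window, which is why bob's reset alone is not reported. In production the country baseline should be built from weeks of history rather than from the same log slice.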
Via Cybernews