Threat actors known as Scattered Spider are reportedly turning their attention to the financial sector, hitting banks and insurance groups. Resilience Cyber Insurance Solutions, which has been tracking the group, reports they have targeted 29 companies since April 20.
Scattered Spider is the group that was previously linked to disrupting casinos and hotels such as MGM Resorts International. At times, they appeared to be affiliated with AlphV (aka BlackCat) or to be using AlphV’s leak site to post information about attacks and threats to their victims.
Bloomberg reports that recent attacks by the group included Visa Inc., PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co. and Synchrony Financial. A senior threat researcher at Resilience told Bloomberg that it wasn’t clear if any of those attacks were successful.
A CISA alert in December 2023 noted that the threat actors were considered experts in social engineering and used multiple techniques:
especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2],[3],[4]:
- Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [T1598],[T1656].
- Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [T1204],[T1219],[T1566].
- Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
- Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue) [T1621].[5]
- Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
- Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [T1657].
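Push bombing (the MFA fatigue pattern listed above) leaves a recognisable trace in authentication logs: a burst of denied or timed-out push prompts for one account, often followed by an approval once the user gives in. The following is an added example, not code from the article, CISA or Resilience, that runs such a detection rule over a constructed sample log; the log format, the threshold of four unanswered prompts and the ten-minute window are assumptions to be tuned to a real identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): one event per line,
# "timestamp user result" with result in {denied, timeout, approved}.
SAMPLE_LOG = """\
2024-05-01T02:13:05Z alice denied
2024-05-01T02:13:40Z alice timeout
2024-05-01T02:14:12Z alice denied
2024-05-01T02:14:50Z alice timeout
2024-05-01T02:15:31Z alice denied
2024-05-01T02:16:02Z alice approved
2024-05-01T09:00:00Z bob approved
2024-05-01T09:45:00Z bob denied
2024-05-01T13:20:00Z bob approved
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Return {user: (unanswered_prompts, approved_after_burst)} for every user
    whose denied/timed-out prompts within one sliding window reach threshold.
    approved_after_burst is True when an approval lands inside the window
    after such a burst: the sign that the user pressed Accept to stop it."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        recent = []          # unanswered prompts still inside the window
        burst_seen = False
        for ts, _, result in evs:
            if result in ("denied", "timeout"):
                recent.append(ts)
                recent = [t for t in recent if ts - t <= window]
                if len(recent) >= threshold:
                    burst_seen = True
                    findings[user] = (len(recent), False)
            elif result == "approved" and burst_seen and recent \
                    and ts - recent[-1] <= window:
                findings[user] = (len(recent), True)
    return findings
```

Bob's single denial in the sample is ordinary user behaviour and is not flagged; Alice's five unanswered prompts followed by an approval is the pattern a SOC should page on.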
The Record has additional coverage from an interview with Brett Leatherman of the FBI’s cyber division at the RSA Conference.