Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries
Sept. 11, 2024, 8:30 p.m.
Description
The Scattered Spider cybercriminal group is targeting cloud infrastructure in the insurance and financial sectors using advanced techniques. The group exploits leaked authentication tokens, runs phishing and smishing campaigns, and uses SIM swapping to bypass multi-factor authentication. It relies on open-source tools for reconnaissance, disables security controls, and maintains persistence through methods such as abuse of cross-tenant synchronization. Its objective is deploying ransomware in cloud environments, particularly VMware ESXi and Azure. The attackers show deep familiarity with Western business practices and partner with other ransomware groups such as BlackCat/ALPHV to extend their capabilities.
Date
Published: Sept. 11, 2024, 8:18 p.m.
Created: Sept. 11, 2024, 8:18 p.m.
Modified: Sept. 11, 2024, 8:30 p.m.
Indicators
https://www.silentpush.com/blog/scattered-spider/
Attack Patterns
Raccoon Stealer
Vidar Stealer
BlackCat - S1068
Noberus
ALPHV
Stealc
RedLine Stealer
SCATTERED SPIDER
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1583.001 - Acquire Infrastructure: Domains
T1110 - Brute Force
T1136 - Create Account
T1567 - Exfiltration Over Web Service
T1552 - Unsecured Credentials
T1087 - Account Discovery
T1199 - Trusted Relationship
T1562.001 - Impair Defenses: Disable or Modify Tools
T1070 - Indicator Removal
T1518 - Software Discovery
T1543 - Create or Modify System Process
T1219 - Remote Access Software
T1498 - Network Denial of Service
T1195 - Supply Chain Compromise
T1566 - Phishing
T1562 - Impair Defenses
T1190 - Exploit Public-Facing Application
T1133 - External Remote Services
T1090 - Proxy
T1078 - Valid Accounts
T1003 - OS Credential Dumping
Additional Information
Insurance
Finance