Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries

Sept. 11, 2024, 8:30 p.m.

Description

The Scattered Spider cybercriminal group is targeting cloud infrastructures in the insurance and financial sectors using advanced techniques. They exploit leaked authentication tokens, conduct phishing and smishing campaigns, and leverage SIM swapping to bypass multi-factor authentication. The group uses open-source tools for reconnaissance, disables security measures, and maintains persistence through various methods like cross-tenant synchronization abuse. They focus on deploying ransomware in cloud environments, particularly VMware ESXi and Azure. The attackers demonstrate deep knowledge of Western business practices and partner with other ransomware groups like BlackCat/ALPHV to enhance their capabilities.

Date

  • Created: Sept. 11, 2024, 8:18 p.m.
  • Published: Sept. 11, 2024, 8:18 p.m.
  • Modified: Sept. 11, 2024, 8:30 p.m.

Indicators


Attack Patterns

  • Raccoon Stealer
  • Vidar Stealer
  • BlackCat - S1068
  • Noberus
  • ALPHV
  • Stealc
  • RedLine Stealer
  • SCATTERED SPIDER
  • T1562.004
  • T1583.001
  • T1110
  • T1136
  • T1567
  • T1552
  • T1087
  • T1199
  • T1562.001
  • T1070
  • T1518
  • T1543
  • T1219
  • T1498
  • T1195
  • T1566
  • T1562
  • T1190
  • T1133
  • T1090
  • T1078
  • T1003

Additional Information

  • Insurance
  • Finance