Cybersecurity Researchers link Financial Attacks to Scattered Spider

Cybersecurity researchers tied a fresh round of cyber attacks on financial services to the notorious cybercrime group Scattered Spider, raising doubts about their claims of going “dark.”

Moreover, threat intelligence firm ReliaQuest observed clear indications that the threat actor shifted their focus to the financial sector. The evidence includes a rise in lookalike domains potentially linked to the group and tailored to the industry, along with a recently identified targeted intrusion against an unnamed U.S. banking organization.

“Scattered Spider gained initial access by socially engineering an executive’s account and resetting their password via Azure Active Directory Self-Service Password Management,” the company said.

From that point, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network.

To escalate privileges, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to avoid detection. In addition, signs reveal that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.
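One defensive check that follows from this chain, added here as an example and not taken from the article or from ReliaQuest: correlate a self-service password reset with a privileged role assignment initiated by the same account shortly afterwards in Entra ID (Azure AD) audit logs. The event records, field names and operation strings below are constructed for the example and should be mapped to your tenant's actual log export.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled loosely on Entra ID audit-log entries
# (activity name, initiator, target, ISO timestamp). Not real telemetry.
EVENTS = [
    {"time": "2025-09-10T08:02:00", "operation": "Reset password (self-service)",
     "initiated_by": "exec.user@corp.example", "target": "exec.user@corp.example"},
    {"time": "2025-09-10T08:10:00", "operation": "Reset password (self-service)",
     "initiated_by": "jane.doe@corp.example", "target": "jane.doe@corp.example"},
    # Same executive account grants a service account Global Administrator 38 min later
    {"time": "2025-09-10T08:40:00", "operation": "Add member to role",
     "initiated_by": "exec.user@corp.example", "target": "svc-backup@corp.example",
     "role": "Global Administrator"},
    # Benign: a different admin grants the role two days later, no SSPR link
    {"time": "2025-09-12T09:00:00", "operation": "Add member to role",
     "initiated_by": "it.admin@corp.example", "target": "jane.doe@corp.example",
     "role": "Global Administrator"},
]

# Operation names are assumptions for this example; adjust to the tenant's export.
SSPR_OP = "Reset password (self-service)"
ROLE_OP = "Add member to role"
PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def find_sspr_to_privrole(events, window=timedelta(hours=24)):
    """Return (initiator, target, role) tuples where an account that reset its own
    password via SSPR then initiated a privileged role assignment within `window`.
    This mirrors the executive-SSPR -> Global Administrator step described above."""
    resets = {}  # account -> list of SSPR reset times for that account
    for e in events:
        if e["operation"] == SSPR_OP:
            resets.setdefault(e["target"], []).append(datetime.fromisoformat(e["time"]))

    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["operation"] != ROLE_OP or e.get("role") not in PRIV_ROLES:
            continue
        t = datetime.fromisoformat(e["time"])
        # Alert if the initiator's own password was SSPR-reset shortly before this grant
        if any(r <= t <= r + window for r in resets.get(e["initiated_by"], [])):
            alerts.append((e["initiated_by"], e["target"], e["role"]))
    return alerts


if __name__ == "__main__":
    for initiator, target, role in find_sspr_to_privrole(EVENTS):
        print(f"ALERT: {initiator} reset own password via SSPR, then granted {role} to {target}")
```

Executive and service accounts are the highest-value tuning targets here; the same correlation can be widened to the Veeam-style service account password reset the article mentions by treating any password reset on a service principal as the first event.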

Exit or Smokescreen?

The recent activity directly contradicts the group’s claims of ceasing operations alongside 14 other criminal groups, including LAPSUS$. Scattered Spider is the moniker for a loose-knit hacking collective operating as part of a broader online entity known as The Com.

In addition, the group overlaps significantly with other cybercrime crews such as ShinyHunters and LAPSUS$. The overlap is so extensive that the three clusters eventually formed a larger entity referred to as “scattered LAPSUS$ hunters.”

One cluster in particular, ShinyHunters, also engaged in extortion schemes after exfiltrating sensitive data from victims’ Salesforce instances. In those cases, the activity unfolded months after another financially motivated hacking group, tracked by Google-owned Mandiant as UNC6040, had already compromised the targets.

This incident reminds organizations not to fall into a false sense of security, ReliaQuest emphasized, urging them to remain vigilant. Much like ransomware groups, cybercrime collectives rarely retire for good; instead, they often regroup or rebrand under a different alias to continue their activities.

“The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism,” Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, said. “Rather than a true disbanding, this announcement likely signals a strategic move to distance the group from increasing law enforcement pressure.”

Sigler further explained that the farewell letter likely represents a strategic retreat. This maneuver gives the group time to reassess its practices, refine its tradecraft, and evade ongoing disruption attempts, while also complicating attribution by making future incidents harder to link to the same actors.

“It’s plausible that something within the group’s operational infrastructure has been compromised. Whether through a breached system, an exposed communication channel, or the arrest of lower-tier affiliates, something has likely triggered the group to go dark, at least temporarily. Historically, when cybercriminal groups face heightened scrutiny or suffer internal disruption, they often ‘retire’ in name only, opting instead to pause, regroup, and eventually re-emerge under a new identity.”

Source: TheHackerNews