Ethical Hacking News

The Rise of Scattered Spider: A New Breed of Sophisticated Cyber Threat Actors



The rise of Scattered Spider marks a significant shift in the sophistication of cyber threats targeting organizations. By leveraging social engineering tactics and exploiting vulnerabilities in human-centric workflows, this group has demonstrated its ability to bypass technical defenses. As such, it is imperative that businesses prioritize strengthening their ID verification protocols and training employees to recognize and resist these types of attacks.

  • Scattered Spider, a cybercrime group, has expanded its targeting footprint to include the airline sector.
  • The group uses social engineering techniques to bypass multi-factor authentication (MFA) and target third-party IT providers to gain access to large organizations.
  • Industry partners, including the FBI, are working together to combat Scattered Spider's attacks on airlines and help victims.
  • The group's success can be attributed to its ability to understand human workflows and exploit vulnerabilities in established processes.
  • Businesses need to strengthen ID verification protocols and train employees with real-world examples to prevent social engineering attacks.



Scattered Spider, a notorious cybercrime group known for its SIM swapping attacks and social engineering tactics, has expanded its targeting footprint to include the airline sector. The U.S. Federal Bureau of Investigation (FBI) has revealed that it is actively working with aviation and industry partners to combat the activity and help victims.

According to Palo Alto Networks Unit 42's Sam Rubin, these actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk staff to add unauthorized MFA devices to compromised accounts.

The group's attacks are also known to target third-party IT providers as a route into large organizations, putting trusted vendors and contractors at risk. The attacks typically pave the way for data theft, extortion, and ransomware.

Google-owned Mandiant has confirmed that it is aware of multiple incidents in the airline and transportation verticals that resemble the modus operandi of the hacking crew. Mandiant's Charles Carmakal stated, "We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for a subsequent social engineering attack."

The FBI and industry partners are taking proactive measures to combat Scattered Spider's attacks on airlines. However, researchers warn that the group's success can be attributed to its ability to understand human workflows. Even when technical defenses like MFA are in place, Scattered Spider focuses on the people behind the systems—knowing that help desk staff, like anyone else, can be caught off guard by a convincing story.

The group's tactics involve building trust just long enough to sneak in, exploiting weaknesses in established processes to achieve their goals. This highlights the urgent need for businesses to reevaluate and strengthen ID verification protocols, reducing the risk of human error as a gateway for adversaries.

According to ReliaQuest, Scattered Spider actors breached an unnamed organization late last month by targeting its chief financial officer (CFO) and abusing that account's elevated access to conduct an extremely precise and calculated attack. The attackers carried out extensive reconnaissance to single out high-value individuals, ultimately impersonating the CFO in a call to the company's IT help desk and persuading staff to reset the MFA device and credentials tied to the CFO's account.

The threat actors also used information obtained during reconnaissance, entering the CFO's date of birth and the last four digits of their Social Security Number (SSN) into the company's public login portal as part of the login flow, which confirmed the employee ID and validated the gathered information.

Scattered Spider favors C-suite accounts for two key reasons: they are often over-privileged, and IT help desk requests tied to these accounts are typically treated with urgency, increasing the likelihood of successful social engineering.

The group's ability to adapt and rapidly escalate an attack has been demonstrated in recent incidents. Scattered Spider actors conducted Entra ID enumeration of privileged accounts, privileged groups, and service principals for privilege escalation and persistence. They also performed SharePoint discovery to locate sensitive files and collaborative resources, gaining deeper insight into the organization's workflows and its IT and cloud architectures.

Furthermore, they infiltrated the Horizon Virtual Desktop Infrastructure (VDI) platform using the CFO's stolen credentials, compromised two additional accounts via social engineering, extracted sensitive information, and established a foothold in the virtual environment.

The group breached the organization's VPN infrastructure to secure uninterrupted remote access to internal resources, then reinstated previously decommissioned virtual machines (VMs) and created new ones to reach the VMware vCenter infrastructure.

Scattered Spider used its elevated access to crack open the CyberArk password vault and obtain more than 1,400 secrets. The actors then advanced the intrusion further using the privileged accounts, including assigning administrator roles to compromised user accounts.

In some cases, they resorted to a "scorched-earth" strategy after their presence was detected by the organization's security team, prioritizing "speed over stealth" to deliberately delete Azure Firewall policy rule collection groups, hampering regular business operations.
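The help desk reset, the new MFA method, and the later role grant described above form a recognizable sequence in identity audit logs. The following is an added detection example, not code from the article or from any vendor named in it; it runs over a constructed, simplified event list (field names and the privileged-account watchlist are assumptions, not a real Entra ID export) and flags accounts where a reset performed by someone else is followed within a window by a new MFA registration, escalating when the recovered account then hands out a role.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real Entra ID audit export; field names are assumed).
EVENTS = [
    {"ts": "2025-06-20T09:02:00", "actor": "helpdesk.agent1", "target": "cfo@example.com",
     "op": "ResetPassword"},
    {"ts": "2025-06-20T09:05:00", "actor": "cfo@example.com", "target": "cfo@example.com",
     "op": "RegisterMfaMethod", "detail": "phone"},
    {"ts": "2025-06-20T09:40:00", "actor": "cfo@example.com", "target": "svc-backup@example.com",
     "op": "AddRoleMember", "detail": "Global Administrator"},
    {"ts": "2025-06-21T14:00:00", "actor": "helpdesk.agent2", "target": "analyst@example.com",
     "op": "ResetPassword"},
    {"ts": "2025-06-23T10:00:00", "actor": "analyst@example.com", "target": "analyst@example.com",
     "op": "RegisterMfaMethod", "detail": "authenticator"},
]
PRIVILEGED = {"cfo@example.com"}  # assumed watchlist of C-suite / admin accounts


def _t(s):
    return datetime.fromisoformat(s)


def find_recovery_abuse(events, privileged, window=timedelta(hours=1)):
    """Flag a help-desk style reset (actor != target) followed within `window` by a new
    MFA method on the same account; escalate if that account then grants a role."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, reset in enumerate(events):
        if reset["op"] != "ResetPassword" or reset["actor"] == reset["target"]:
            continue  # self-service resets are out of scope for this rule
        acct, t0 = reset["target"], _t(reset["ts"])
        later = [e for e in events[i + 1:] if t0 < _t(e["ts"]) <= t0 + window]
        new_mfa = [e for e in later if e["op"] == "RegisterMfaMethod" and e["target"] == acct]
        if not new_mfa:
            continue  # a reset alone is routine; the new factor is what makes it suspicious
        grants = [e for e in later if e["op"] == "AddRoleMember" and e["actor"] == acct]
        severity = "high" if acct in privileged else "medium"
        if grants:
            severity = "critical"  # recovered account immediately used for privilege escalation
        alerts.append({"account": acct, "reset_by": reset["actor"],
                       "new_mfa": new_mfa[0]["detail"], "severity": severity,
                       "role_grants": [(g["target"], g["detail"]) for g in grants]})
    return alerts


if __name__ == "__main__":
    for alert in find_recovery_abuse(EVENTS, PRIVILEGED):
        print(alert)
```

The analyst account in the sample is not flagged because its MFA registration falls two days after the reset, outside the window; tune the window and watchlist to the organization's own help desk SLAs.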

The bigger picture here is that social engineering attacks are no longer just phishing emails—they've evolved into full-blown identity threat campaigns, where attackers follow detailed playbooks to bypass every layer of defense.

For most companies, the first step isn't buying new tools—it's tightening internal processes, especially for things like help desk approvals and account recovery. The more you rely on people for identity decisions, the more important it becomes to train them with real-world examples.

"Scattered Spider's initial access methods expose a critical weakness in many organizations: reliance on human-centric workflows for identity verification," security researchers Alexa Feminella and James Xiang said.

"By weaponizing trust, the group bypassed strong technical defenses and demonstrated how easily attackers can manipulate established processes to achieve their goals. This vulnerability highlights the urgent need for businesses to reevaluate and strengthen ID verification protocols, reducing the risk of human error as a gateway for adversaries."



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Scattered-Spider-A-New-Breed-of-Sophisticated-Cyber-Threat-Actors-ehn.shtml
  • https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html


Published: Sat Jun 28 07:14:16 2025 by llama3.2 3B Q4_K_M