
FBI warns of Scattered Spider expanding its social engineering attacks to airlines

By user | June 28, 2025 | 6 min read

The US Federal Bureau of Investigation (FBI) has revealed that it has observed the infamous cybercrime group Scattered Spider widening its targeting footprint to attack the airline sector.

To that end, the agency said it is actively working with aviation and industry partners to combat the activities and support the victims.

“These actors rely on social engineering techniques and ask employees and contractors to grant access by impersonating employees and contractors to deceive them,” the FBI said in a post on X.

Scattered Spider attacks are also known to target third-party IT providers to gain access to large organizations, putting trusted vendors and contractors at risk. The attacks usually pave the way for data theft, extortion, and ransomware.

In a statement shared on LinkedIn, Sam Rubin of Palo Alto Networks Unit 42 confirmed the threat actor's attacks against the aviation industry, urging organizations to be on “high alert” for sophisticated social engineering attempts and suspicious multi-factor authentication (MFA) reset requests.

Google-owned Mandiant, which recently warned about Scattered Spider's targeting of the US insurance sector, said it is also aware of multiple incidents in the airline and transportation industries that resemble the hacking crew's modus operandi.

“Before adding a new phone number to your employee/contractor account, the industry is advised to take steps to close the help desk’s ID verification process immediately (which can be used by threat actors to perform a self-service password reset), reset your password, add a device to your MFA solution or provide employee information (employee ID).”

One of the reasons Scattered Spider continues to succeed is its understanding of human workflows. Even with technical defenses like MFA in place, the group focuses on the people behind the system. Just like everyone else, help desk staff can be caught off guard by a compelling story.

This is not about brute-force hacking. It's about building trust for just long enough to sneak in. And when time is short or pressure is high, it's easy to see how a fake employee request can slip through. So organizations need to go beyond traditional endpoint security and rethink how identity verification occurs in real time.

The activity tracked as Scattered Spider overlaps with threat clusters such as Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Star Fraud, and UNC3944. The group, originally known for its SIM swapping attacks, counts social engineering, help desk phishing, and insider access among its roster of initial access techniques for penetrating hybrid environments.

“Scattered Spider combines deep social engineering, layered technical refinement, and rapid double extortion to represent a major evolution of ransomware risk,” Halcyon said. “In a few hours, the group can violate, establish permanent access, harvest sensitive data, disable recovery mechanisms, and explode ransomware in both inventory and cloud environments.”

What makes this group particularly dangerous is its combination of patient planning and sudden escalation. Scattered Spider does not rely on stolen credentials alone; it also spends time gathering intel on its targets, often combining social media research with public data to impersonate people with horrifying accuracy. This kind of hybrid threat, which blends business email compromise (BEC) techniques with cloud infrastructure sabotage, can fly under the radar until it's too late.

Scattered Spider is part of an amorphous collective called the Com (also known as Comm), which also counts other groups like LAPSUS$. It is assessed to have been active since at least 2021.

“The group evolved with Discord and Telegram communication platforms, attracting members of diverse backgrounds and interests,” Unit 42 said. “The loose-knit and fluid nature of this group makes it inherently difficult to disrupt.”

In a report published Friday, ReliaQuest detailed how Scattered Spider actors breached an unnamed organization late last month by targeting its chief financial officer (CFO), abusing the elevated access to carry out a highly precise and calculated attack.

The threat actors were found to have performed extensive reconnaissance to single out particularly valuable individuals, in particular impersonating the CFO on a call to the company's IT help desk and convincing staff to reset the MFA device and credentials tied to the account.

The attackers also used the information obtained during reconnaissance to enter the CFO's date of birth and the last four digits of the CFO's Social Security number (SSN) as part of the login flow on the company's public login portal, ultimately confirming the employee ID and validating the information they had collected.

“Scattered Spider support C-Suite explaining for two main reasons. They are often over-major, and help desk requests related to these accounts are usually treated with urgency, increasing the likelihood of successful social engineering.” “Access to these accounts allows Scattered Spider to provide a route to critical systems and make reconnaissance the basis of coordinated attack plans.”

Armed with access to the CFO's account, the Scattered Spider actors performed a series of actions in the target environment that demonstrated their ability to adapt and rapidly escalate the attack:

  • Perform Entra ID enumeration of privileged accounts, privileged groups, and service principals for privilege escalation and persistence
  • Find sensitive files and collaborative resources to gain deeper insight into the organization's workflows and its IT and cloud architecture, and tailor the attack accordingly
  • Infiltrate the Horizon virtual desktop infrastructure, compromise two additional accounts via social engineering, extract sensitive information, and establish a foothold in the virtual environment
  • Compromise the organization's VPN infrastructure to secure uninterrupted remote access to internal resources
  • Recover previously decommissioned virtual machines (VMs) and create new ones to access the VMware vCenter infrastructure, shut down a virtualized domain controller, and access database files
  • Use their elevated access to crack open the CyberArk password vault and obtain over 1,400 secrets
  • Advance the intrusion further using privileged accounts, including by assigning administrator roles to compromised user accounts
  • Target Azure Firewall policy rule collection groups, obstructing normal business operations


ReliaQuest also described what was essentially a tug of war between the incident response team and the threat actors for control of the Global Administrator role within the Entra ID tenant.

The bigger picture here is that social engineering attacks are no longer just phishing emails; they have evolved into full-fledged identity threat campaigns. Attackers follow a detailed playbook to bypass every layer of defense. From SIM swapping to vishing and privilege escalation, Scattered Spider shows how fast an attacker can move when the path is clear.

For most businesses, the first step is not to buy new tools but to tighten internal processes, especially help desk approvals and account recovery. The more an organization relies on people to make identity decisions, the more important it becomes to train them with real-world examples.

“The initial access methods of Scattered Spider reveal significant weaknesses in many organizations. They rely on human-centered workflows for identity verification,” said security researchers Alexa Feminella and James Xiang.

“By weaponizing trust, the group has demonstrated how powerful technical defenses can be circumvented and attackers can manipulate established processes to achieve their goals. This vulnerability underscores the need for businesses to reevaluate and strengthen identity verification protocols, reducing the risk of human error as a gateway for adversaries.”
