Cybersecurity researchers have questioned the claims of “darkness” by tying new cyberattacks targeting financial services to the infamous cybercriminal group known as scattered spiders.
Threat Intelligence Firm ReliaQuest said there have been indications that threat actors have shifted their focus to the financial sector. This is supported by an increase in appearance-like domains that are potentially linked to vertically corresponding groups in the industry, and an increase in target invasions against recently identified unnamed US banking organizations.
“The scattered spiders gained initial access by social engineering social executive accounts and resetting their passwords via Azure Active Directory self-service password management,” the company said.
“From there, they accessed sensitive IT and security documents, moved Citrix environments and VPNs sideways, compromised the VMware ESXI infrastructure, dumped credentials, and allowed them to further penetrate the network.”
To achieve privilege escalation, the attacker reset the password for the Veeam Service account, assigned Azure Global Administrator Permissions, and relocated the virtual machine to avoid detection. There are also indications that scattered spiders have attempted to remove data from snowflakes, Amazon Web Services (AWS), and other repositories.
Exit or smoke screen?
Recent activity has undermined the group’s claims that it has halted operations alongside 14 other criminal groups, including Lapsus $. Scattered spiders are monikers assigned to loose knee hacking groups, part of a wider online entity called COM.
The group also shares high overlap with other cybercrime crews like Shinyhunters and Lapsus$, which means that the three clusters formed an inclusive entity named “scattered Lapsus$Hunters.”
One of these clusters, especially Shinyhunters, is also involved in the efforts of Fear Tor after removing sensitive data from the victim’s Salesforce instance. In these cases, the activity took place several months after the target was compromised by another financially motivated hacking group that Google owned Mandiant tracks as UNC6040.
The incident reminds us that we are not depressed by false sense of security, ReliaQuest added, urging the organization to remain vigilant about threats. As with ransomware groups, it is very possible to reorganize or rebrand under another alias in the future, so there is no retirement or anything like that.
“The recent claim that scattered spiders are retiring should be taken with a considerable degree of skepticism,” said Karl Sigler, security research manager for SpiderLabs Threat Intelligence at TrustWave. “Apart from a true breakup, this announcement could indicate a strategic move to distance the group from increasing pressure on law enforcement.”
Sigler also noted that farewell letters should be considered a strategic hideaway and avoids ongoing efforts to cover up the activity, not to mention the complex attribution efforts that make it difficult for the group to reassess its practices, refine trade, and link future cases to the same core actors.
“It is plausible that something within the group’s operational infrastructure has been compromised. It is likely that it will at least trigger a group to become darker, at least temporarily, through the arrest of a breached system, exposed communications channel, or lower tier affiliates. It will re-emerge under a new identity.”
Source link
