Updated on 2022-12-06
A financially-motivated threat actor, tracked as Scattered Spider, has been targeting telcos and BPO firms and reversing defense mitigations, CrowdStrike reported. Read more: Sneaky hackers reverse defense mitigations when detected
Overview: New Scattered Spider group targets telcos for SIM swapping attacks
A new financially-motivated threat actor tracked as Scattered Spider has been on a rampage over the past few months, hacking into the networks of telcos and outsourcing companies in order to gain access to customer information and, in some cases, carry out SIM-swapping attacks.
The attacks have been taking place since June this year and follow a model previously made popular by the Lapsus$ gang.
The initial stages start with phone calls and text or Telegram messages to a company’s employees, posing as its IT department. The calls and messages ask employees to visit a phishing site or instruct them to download a booby-trapped application.
Phished credentials and compromised systems are then used to establish a foothold inside a company’s network, with the group quickly acting to move laterally across the network and create multiple persistence methods for future access.
Security firm CrowdStrike—which detailed Scattered Spider’s modus operandi in a report published last Friday—described the group and its actions as “extremely persistent and brazen.”
They operate using many open-source tools and across Windows, Linux, Google Workspace, Azure AD, Microsoft 365, and AWS environments, sometimes in a very noisy way.
If their intrusions are detected, Scattered Spider operators will re-access a victim’s network through their backdoors and use their access to roll back security mitigations put in place by the targeted organisation. If they lose access to a network, CrowdStrike says the group immediately moves to a new target as if nothing happened.
CrowdStrike said that “swift and bold” security measures to isolate compromised environments had the best results in kicking the group out of a victim’s network and making it move to a new target.