{"id":14428,"date":"2025-07-11T07:28:33","date_gmt":"2025-07-11T07:28:33","guid":{"rendered":"https:\/\/newestek.com\/?p=14428"},"modified":"2025-07-11T07:28:33","modified_gmt":"2025-07-11T07:28:33","slug":"anatomy-of-a-scattered-spider-attack-a-growing-ransomware-threat-evolves","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14428","title":{"rendered":"Anatomy of a Scattered Spider attack: A growing ransomware threat evolves"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Scattered Spider<\/a> is increasingly making headlines of late, evolving its techniques and broadening the scope of its criminal activities against a wider array of enterprises.<\/p>\n

Active since at least May 2022, the financially motivated cybercriminal group initially targeted telecommunications and entertainment companies, including MGM Resorts and Caesars Entertainment, through SIM-swapping and ransomware operations.<\/p>\n

[ See also: How CISOs can defend against Scattered Spider ransomware attacks<\/a> ]<\/strong><\/p>\n

Over time, the group has shifted to high-value industries, most notably with attacks in May targeting major retailers such as Marks & Spencer, Co-op, and Harrods, and more recently airlines \u00a0such as Hawaiian and Quantas<\/a> in assaults that caused widespread disruption to their operations and millions of dollars in damages and recovery costs.<\/p>\n

While the UK\u2019s National Crime Agency this week announced four arrests for the attacks on Marks & Spencer, Co-op, and Harrods<\/a>, law enforcement officials have given no indication that the group\u2019s threat has abated.<\/p>\n

Notorious for its aggressive use of social engineering, Scattered Spider is believed to be targeting a wider range of industries<\/a> with more sophisticated attacks. Understanding the group\u2019s latest tactics can help CISOs prepare to counter the threat.<\/p>\n

In a recent attack, the subject of a post-mortem by threat detection and response vendor ReliaQuest, Scattered Spider used advanced social engineering to compromise the organization\u2019s Entra ID, Active Directory, and virtual infrastructure. The attack chain demonstrates the Scattered Spider\u2019s ability to blend patient planning with rapid execution, as well as increased knowledge of cloud-based and on-premises enterprise IT systems.<\/p>\n

Scattered Spider took care to minimize its chance of detection and, even after the attack was discovered, aggressively attempted to maintain control of compromised systems.<\/p>\n

Scattered Spider\u2019s evolving plan of attack<\/h2>\n

Scattered Spider began its attack against the unnamed organization\u2019s public-facing Oracle Cloud authentication portal, targeting its chief financial officer.<\/p>\n

Using personal details, such as the CFO\u2019s date of birth and the last four digits of their Social Security number obtained from public sources and previous breaches, Scattered Spider impersonated the CFO in a call to the company\u2019s help desk, tricking help desk staff into resetting the CFO\u2019s registered device and credentials.<\/p>\n

The ruse was expedited by a combination of the priority help desk staff typically attach to requests from executive leadership and the fact that IT organizations routinely over-privilege C-suite accounts, allowing them access to a greater range of IT systems. It also demonstrates an evolution in Scattered Spider\u2019s tactics, ReliaQuest notes. Whereas previously the group deployed credential harvesters via typosquatted domains to obtain valid credentials, its latest attacks see the group already equipped with valid credentials from the outset.<\/p>\n

Given access to the CFO\u2019s account, Scattered Spider mapped Entra ID (Azure AD) privileged accounts and groups before locating sensitive files on SharePoint and gaining an understanding of the targeted organization\u2019s on-premises IT systems and cloud environment.<\/p>\n

Cybercriminals hacked into the target\u2019s Horizon Virtual Desktop Infrastructure (VDI) using the CFO\u2019s credentials before using social engineering to compromise two further accounts and pivoting toward the on-premises environment. In parallel, the group breached the organization\u2019s VPN infrastructure to maintain remote access to compromised systems.<\/p>\n

Scattered Spider subsequently reactivated a decommissioned virtual machine and began creating a parallel virtual environment under its control before shutting down a virtualized production domain controller, and extracted the NTDS.dit database file (Active Directory credentials) \u2014 all the while evading traditional endpoint detection.<\/p>\n

The cybercriminals extracted more than 1,400 secrets by taking advantage of compromised admin accounts tied to the target\u2019s CyberArk password vault and likely an automated script. Scattered Spider granted administrator roles to compromised user accounts before using tools, including ngrok, to maintain access on compromised virtual machines.<\/p>\n

\u201cOn several occasions, the group assigned additional roles to compromised users, including the Exchange Administrator role,\u201d according to ReliaQuest. \u201cThis role was used to monitor the inboxes of high-profile employees, enabling the attackers to stay ahead of the security team and maintain their control over the environment.\u201d<\/p>\n

Ensuing battle over IT resources<\/h2>\n

Despite the stealth of the attack incident response defenders at the compromised company detected the attack and began to fight back, setting up a tug-of-war to establish control over the organization\u2019s IT resources. In response, Scattered Spider abandoned attempts at covert infiltration and began an aggressive attempt to disrupt business operations and hinder response and recovery.<\/p>\n

For example, the group began deleting Azure Firewall policy rule collection groups. The attack was ultimately thwarted, at least in its main aims. Although some sensitive data was extracted, the likely plan to deploy ransomware never came to fruition.<\/p>\n

This battle over privileged roles escalated until Microsoft had to intervene to restore control over the tenant.<\/p>\n

\u201cScattered Spider\u2019s latest campaign demonstrates its ability to adapt and evolve, blending human-centric exploitation with technical sophistication to compromise identity systems and virtual environments,\u201d ReliaQuest concludes.<\/p>\n

Faster, further, stronger<\/h2>\n

Christiaan Beek, senior director, threat analytics at Rapid7, told CSO that Scattered Spider\u2019s tradecraft has evolved over recent months as it has developed better knowledge of cloud-based systems and carried out more aggressive, multi-pronged attacks.<\/p>\n

Beek noted the following additions to Scattered Spider\u2019s arsenal:<\/p>\n