Scattered Spider just rewrote my ransomware playbook. They didn’t just break in. They didn’t just move laterally. They fought back. Incident response started closing doors and Scattered Spider pried them back open, countered security moves in real-time, and actively sabotaged the organization’s operations on their way out. This isn’t the future of ransomware. It’s here.

A few painful lessons:
- Social engineering is faster than brute force. Scattered Spider impersonated a CFO and convinced the help desk to reset MFA... and it worked!
- Over-privileged executive accounts remain soft targets. They offer maximum access and minimum resistance.
- Cloud misconfigurations and virtual machines are blind spots. The attackers moved through virtual desktops, spun up new machines, and operated without endpoint detection visibility.
- Persistence matters. Even after discovery, the attackers leveraged administrator-level control to claw back access and delay eviction.
- Real-world tug-of-war is now part of the threat landscape. They weren’t afraid to burn the environment down.

Here is how we (Incident Response) can start to prepare:
- Strengthen identity verification, especially for help desk resets. Voice-based verification is not enough.
- Audit executive accounts for unnecessary privileges. Just because it’s the CFO doesn’t mean they need domain-wide access.
- Segment and actively monitor your virtual environments. Treat VDI and VMware ESXi like critical infrastructure.
- Plan for post-discovery adversaries. Assume they’ll fight to stay. Build recovery and containment playbooks for hostile evictions.

Scattered Spider showed us what the next generation of attackers looks like. They don’t just steal data. They disrupt. They linger. And they’re watching how you respond. You get what you rehearse, not what you intend. Start rehearsing now.
Understanding Scattered Spider Cyber Attacks
Summary
Scattered Spider cyber attacks refer to highly sophisticated campaigns by a group skilled in social engineering, impersonation, and persistent access methods, targeting large organizations to steal data and disrupt operations. Understanding these attacks means recognizing the threat posed by attackers who exploit human trust and technical blind spots rather than relying on traditional malware.
- Review account privileges: Regularly audit executive and administrator accounts to ensure they don't have unnecessary access that could be exploited by attackers.
- Strengthen identity checks: Implement robust verification procedures for account resets and help desk interactions, as attackers often impersonate staff to bypass security.
- Monitor virtualization platforms: Keep a close eye on your virtual environments and establish detection capabilities, since attackers use these platforms to hide their activities and launch ransomware.
The Scattered Spider 🕷️ threat group is now actively targeting organisations' virtualisation platforms, particularly VMware vSphere, as a launchpad for #ransomware deployment. Here are some interesting insights from Mandiant (part of Google Cloud) / GTIG.

Initial Access
🔸 Social engineering via phone calls to IT help desks
🔸 Impersonation of staff to gain valid credentials
🔸 No software exploits used, pure human manipulation

Tradecraft
🔺 Living off the land (LotL) techniques, pretty much using legitimate admin tools
🔺 Compromise of Active Directory (AD) as central pivot point
🔺 Pivot into VMware vSphere environments
🔺 Exfiltrate data and deploy ransomware directly from ESXi hypervisors

Why hypervisors?
👉 EDR tools often blind to ESXi and vCenter activity
👉 Minimal traditional IoCs

Now what?
✅ Validate that your SIEM sees the right signals
✅ Test #incidentresponse plans for a hypervisor-level breach
✅ Conduct purple team exercises simulating Scattered Spider's known TTPs

Read on: https://lnkd.in/g2Q_PcX9
📌 Validate detections for how attackers really move. Don’t wait for the ransomware splash screen.
INCIDENT ANALYSIS: SCATTERED SPIDER CYBERCRIME GROUP ROGUE VM DEPLOYMENT IN VSPHERE

ℹ️ Researchers investigated a September 2025 breach where they recovered a rogue VM that they attribute with high confidence to the cybercrime group Scattered Spider (aka Muddled Libra / UNC3944). This VM acted as a beachhead inside the victim environment and revealed detailed insight into this threat actor’s operational playbook.

📍 SCATTERED SPIDER
■ Cybercrime-focused group known for social engineering (including smishing/spear phishing and vishing).
■ Skilled at impersonating employees to bypass authentication and gain access. Often targets help desks and third-party providers (BPOs/MSPs) to increase the access surface.

📍 KEY OBSERVATIONS
■ Initial Intrusion & Beachhead: Attackers gained unauthorized access to the victim’s VMware vSphere environment.
■ They created a rogue VM and used it as the primary foothold for operations.

Actions and Technology Used
■ Downloaded tools used for persistence and lateral movement.
■ Established persistent C2 using SSH tunnels (e.g., via Chisel).
■ Used stolen certificates to forge authentication tokens/tickets.
■ Accessed critical domain controller data by mounting powered-off DC disks, then exfiltrated NTDS.dit and SYSTEM files.
■ Ran Active Directory enumeration tools (e.g., ADRecon) to map out the internal network.
■ Performed web searches within the environment to understand business context and potential data of interest.
■ Interacted with the victim’s Snowflake infrastructure, suggesting potential data access/extraction.

📍 TRADECRAFT CHARACTERISTICS
■ Focuses on living-off-the-land techniques by using built-in tools and benign binaries where possible.
■ Relies on social engineering and low-noise techniques rather than malware.
■ Rapid movement from foothold to enumeration and credential theft demonstrates high operational discipline.

📌 Source: Unit 42 🔗 https://lnkd.in/d4XjtvtV
#cybercrime #ScatteredSpider #MuddledLibra #UNC3944 #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
We just published a great, detailed analysis piece derived from Microsoft IR engagements and Microsoft TI actor hunting, capturing Octo Tempest's (overlaps with 0ktapus, Scattered Spider, UNC3944) evolving financial extortion campaigns using AiTM, social engineering, SIM swaps and more. We have invested significantly in product detection coverage across Microsoft Defender and provided detailed analysis in Defender Threat Intel & M365D Threat Analytics too!

Initial Access - Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts. It has also been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.

Recon & Discovery - Octo Tempest modifies the security staff mailbox rules to automatically delete emails from vendors that may raise the target’s suspicion of their activities. Octo Tempest performs various enumeration and information gathering actions to pursue advanced access in targeted environments and abuses legitimate channels for follow-on actions later in the attack sequence. They use their access to carry out broad searches across knowledge repositories to identify documents of interest. Following that, they perform exploration through multi-cloud environments, enumerating access and resources across cloud environments, code repositories, server and backup management infrastructure, and others. The whole goal here is achieving the highest/broadest-possible access so Octo Tempest This actor uses a well-established and extensive catalog of open-source tooling to execute each of their campaigns.

Defense Evasion - Octo Tempest compromises security personnel accounts within victim organizations to turn off security products and features and attempt to evade detection throughout their compromise. Using compromised accounts, the threat actor leverages EDR and device management technologies to allow malicious tooling, deploy RMM software, remove or impair security products, steal sensitive files (e.g. files with credentials, Signal messaging databases, etc.), and deploy malicious payloads.

Persistence - Octo Tempest leverages publicly available security tools to establish persistence within victim organizations, largely using account manipulation techniques and implants on hosts.

So much more in the blog and in our products. https://lnkd.in/gjjxQVtk
The threat landscape just got more complex. The Scattered LAPSUS$ Hunters alliance has re-emerged, merging the tactics of notorious groups. This isn’t just a name change; it’s a shift toward professionalized, identity-centric extortion.

What you need to know:
- High-Value Targets: Focused on enterprises with $500M+ revenue, specifically in Cloud, Telecom, and Finance.
- Identity is the Perimeter: They specialize in "logging in" rather than "hacking in," using advanced vishing (voice phishing) and insider recruitment to bypass MFA.
- ShinySp1d3r RaaS: The group is launching its own "extortion-as-a-service" platform, moving away from third-party ransomware.
- Sector Limits: They currently avoid healthcare and specific geopolitical regions (Russia/China), keeping their focus on high-yield corporate data.

The takeaway? If your security relies solely on "traditional" MFA without monitoring for suspicious identity behaviour, you could be at risk.

#CyberSecurity #ThreatIntel #ScatteredSpider #Lapsus #CISO #DataProtection #CYFIRMA #CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM
The Federal Bureau of Investigation (FBI) said that it has recently observed the #cybercriminal group #ScatteredSpider expanding its targeting to include the #airline sector. These actors rely on #socialengineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.

“These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized #MFA devices to compromised accounts,” the FBI wrote in a message on X, formerly Twitter. “They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

Mandiant (part of Google Cloud) is aware of multiple incidents in the airline and #transportation sector that resemble the operations of #UNC3944 or Scattered Spider. Charles Carmakal, CTO and Board Advisor at Mandiant, recommended that “the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), reset passwords, add devices to MFA solutions, or provide employee information (e.g. employee IDs) that could be used for subsequent social engineering attacks.”

Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42 by Palo Alto Networks, wrote in a LinkedIn post that “Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry. Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”

“Once inside, the group quickly escalates privileges, disables recovery systems, exfiltrates sensitive data, and detonates ransomware, often across hybrid cloud and on-prem infrastructure,” Anthony M. Freed, a research and communications director, wrote in a Monday Halcyon blog post. “In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.” https://lnkd.in/gebn9qAV
Scattered Spider doesn’t innovate. They repeat. 🕷️ Their tactics don’t change. But the damage keeps piling up:
🎰 Caesars paid $15 M to get systems back.
🎲 MGM refused to pay, but lost $100 M+ in downtime.
🛍️ M&S faced a £10 M demand (outcome unknown).
🛫 Qantas & US airlines now on the FBI’s radar.
🏦 Aflac, Erie & Philadelphia Insurance breached via pure social engineering.

Scattered Spider often hits first by compromising MSPs or other third-party providers to multiply entry points. In every case, there’s a common thread: data-rich organizations with complex operations and deep reliance on third-party services. Casinos, airlines, insurers, retailers — all outsource critical functions like customer service, infrastructure, and even their help desks. In many cases, they don’t fully know how much access those vendors have to sensitive data. And that’s exactly where Scattered Spider strikes.

They use the same TTPs every time: SIM swapping. MFA fatigue. Help desk phishing. Then they move laterally, blend in, and lock you down.

Hack The Box just released training built off Scattered Spider’s real attacks. Blue teams test detection, red teams run the exact path, and CISOs prove the team’s ready for real threats. Defending against this isn’t only about training your cybersecurity team; it means upskilling every employee with awareness, especially in IT and support roles. One socially-engineered help desk call is all it takes. Because Scattered Spider isn’t targeting your firewall. They’re targeting your people.
'The group behind the high-profile MGM cyberattack in September has resurfaced in yet another sophisticated ransomware attack, in which the actor pivoted from a third-party service environment to the target organization's on-premise network in only an hour...

...Specifically, attackers used a socially-engineered MFA fatigue attack — in which they used the valid account credentials to attempt four MFA challenges within two minutes. The last resulted in successful authentication, with a "new device sign-in" being observed from Florida IP address 99.25.84[.]9 that was used to reset a legitimate Okta user's credentials to access the environment of a cloud service provider...

...Scattered Spider ultimately used a combination of TTPs — including social engineering of help-desk employees, identity-as-a-service (IDaaS) cross-tenant impersonation, file enumeration and discovery, abuse of specific enterprise applications, and use of persistence tools — to achieve widespread encryption and exfiltration of data from the targeted network.' https://lnkd.in/gbh8RFaV
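The push-bombing pattern quoted above (four MFA challenges inside two minutes, then a success from a never-seen device) is easy to turn into a detection rule. The Python below is an added example, not code from the quoted report or from any IdP vendor; the event fields (`user`, `ts`, `outcome`, `new_device`, `ip`) are an assumed, simplified sign-in log shape and the sample events are constructed.

```python
"""Flag MFA-fatigue sign-ins: a burst of push challenges that ends in a success.
Added example; event fields (user, ts, outcome, new_device, ip) are an assumed
simplified IdP sign-in log shape, not any vendor's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events; not real log data.
SAMPLE_EVENTS = [
    # alice: four push challenges in under two minutes, the last one accepted
    # from a never-seen device (the pattern the quoted report describes)
    {"user": "alice", "ts": "2023-09-10T14:00:05Z", "outcome": "DENY", "new_device": False, "ip": "203.0.113.10"},
    {"user": "alice", "ts": "2023-09-10T14:00:40Z", "outcome": "DENY", "new_device": False, "ip": "203.0.113.10"},
    {"user": "alice", "ts": "2023-09-10T14:01:20Z", "outcome": "DENY", "new_device": False, "ip": "203.0.113.10"},
    {"user": "alice", "ts": "2023-09-10T14:01:55Z", "outcome": "SUCCESS", "new_device": True, "ip": "203.0.113.10"},
    # bob: a single ordinary successful challenge
    {"user": "bob", "ts": "2023-09-10T09:15:00Z", "outcome": "SUCCESS", "new_device": False, "ip": "198.51.100.7"},
    # carol: two misses and a success spread over ten minutes (no burst)
    {"user": "carol", "ts": "2023-09-10T10:00:00Z", "outcome": "DENY", "new_device": False, "ip": "198.51.100.9"},
    {"user": "carol", "ts": "2023-09-10T10:04:00Z", "outcome": "DENY", "new_device": False, "ip": "198.51.100.9"},
    {"user": "carol", "ts": "2023-09-10T10:09:30Z", "outcome": "SUCCESS", "new_device": False, "ip": "198.51.100.9"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_push_fatigue(events, window=timedelta(minutes=2), min_challenges=3):
    """Return one alert per SUCCESS that closes a burst of at least
    min_challenges challenges for the same user within `window`. A success
    from a new device is rated high: that is the moment the attacker gets in."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        for index, event in enumerate(user_events):
            if event["outcome"] != "SUCCESS":
                continue
            end = parse_ts(event["ts"])
            # every challenge (denied or accepted) in the window before the success
            burst = [e for e in user_events[:index] if end - parse_ts(e["ts"]) <= window]
            if len(burst) + 1 < min_challenges:
                continue
            alerts.append({
                "user": user, "ts": event["ts"], "ip": event["ip"],
                "challenges": len(burst) + 1,
                "severity": "high" if event["new_device"] else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

Pairing the burst count with the new-device flag is what separates a fat-fingered user from an accepted push from an attacker's device; the medium-severity case still deserves a look because the burst itself signals that someone other than the user holds the password.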
Imagine an end user of your Salesforce environment gets this call: "Hi, it's IT. We need you to authorize our new Salesforce Data Loader utility to fix a sync issue." Native English speaker. Convincing voice. It’s a social engineering master who makes phishing calls sound like your actual IT team. Your user clicks "Allow." And just like that, Scattered Spider is in.

They aren't breaching Salesforce's walls. They are walking through the front door, handed the keys by your own users, disguised as your most trusted tools. This is the chilling reality of "consent phishing” and “vishing." The malicious app they install, often named something innocuous like "My Ticket Portal", does absolutely nothing at first. It sits dormant in your org for months, a digital time bomb passing every basic audit. Then, one day, it activates. It uses the permissions it was granted to silently exfiltrate your most valuable data. By the time you notice in log reviews, it's too late.

Static security posture is no longer a defense. We have to move from posture to observation & immediate action. Here's the new security baseline for Salesforce environments:
🔍 Deep Auditing: Don't just catalog your connected apps. Audit every single one.
👁️ True Observability: Go beyond logs. You need to see what your apps are actually doing. Is that signature tool suddenly sniffing around your Lead objects? You need to know instantly.
🤖 Intelligent Automation: You cannot manually keep pace with this threat. Automating the discovery, scoring, and continuous monitoring of your app ecosystem isn't a luxury; it's a necessity.

It’s why we built Valo AI. We wrote a guide for Trailblazers on how to break the cycle and automate your defense. Link to blog in the comments. Because the next headline could be about your org.
The MGM breach wasn’t a cyberattack. It was an intelligence operation. The initial access point wasn’t malware or an exploit. It was a conversation. An attacker convinced a help desk to reset credentials, and from that moment on, everything else was access. No zero-day. No sophisticated intrusion chain. No perimeter failure. Just trust, process, and identity. And that’s the problem.

Groups like Scattered Spider are showing how modern threats operate:
• They profile targets before engagement
• They exploit internal workflows, not just systems
• They move fast using legitimate access
• They blend social engineering with operational discipline

That’s not traditional cybercrime. That’s applied tradecraft. The real risk isn’t the breach. It’s what access like this enables:
• Mapping internal systems and workflows
• Identifying high-value individuals and decision-makers
• Monitoring activity without triggering alerts
• Positioning for follow-on exploitation

Most organizations are still defending like this is a technical problem. It’s not. It’s an exposure problem. We broke this down in our latest IXN Dispatch case study (link in comments), including:
• Full attack and CI implications flowcharts
• Where identity-based access bypasses controls
• How cyber and intelligence tactics are converging
• What organizations should actually change now

If someone called your help desk today, how far would they get?

#Counterintelligence #InsiderThreat #CyberSecurity #SocialEngineering #RiskManagement #EnterpriseSecurity #ScatteredSpider IXN Solutions Ryan Rambo