
Scattered Spider Targets SaaS Platforms for Data Exfiltration

June 13, 2024 – Published on Decipher

The well-known Scattered Spider threat group has evolved its tactics to target software-as-a-service (SaaS) applications for data theft and to use “a more aggressive method of persistence” that leverages virtualization platforms.

Scattered Spider (also known as UNC3944) has been active since at least May 2022 and was behind several high-profile attacks, including ones on Caesars Entertainment and MGM Resorts. The group initially focused on credential harvesting and SIM swapping attacks before moving to ransomware and data theft extortion.

This shift coincides with new findings published this week by GuidePoint Security, which highlight clues in the cybercrime group’s recent activity suggesting that it may have become an affiliate of the RansomHub ransomware-as-a-service operator. Despite these recent changes, the group has continued using its infamous initial access vector of targeting call centers to gain access to privileged accounts.

These attacks have used a sophisticated level of social engineering, including leveraging victims’ compromised PII, in order to bypass the methods used by help desks to verify user identity. Additionally, attackers were able to bypass MFA protections by telling service desks they had a new phone and needed an MFA reset. After gaining control of targeted accounts, attackers would conduct reconnaissance via Microsoft applications, targeting internal help guides and documentation for VPNs and remote telework utilities in SharePoint, for instance.
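For defenders, the sequence described above (a help-desk MFA reset followed shortly by access to VPN and remote-telework documentation) can be expressed as a correlation rule. The following is an added example, not from the original article or from GuidePoint Security; the event schema, field names, keyword list, 24-hour window and sample events are all constructed assumptions to be mapped onto your own identity and document-access logs.

```python
from datetime import datetime, timedelta

# Assumed keyword list for remote-access documentation titles.
KEYWORDS = ("vpn", "remote", "telework")
# Assumed correlation window between the MFA reset and the document access.
WINDOW = timedelta(hours=24)

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2024-06-10T09:02:00", "user": "alice", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2024-06-10T09:20:00", "user": "alice", "type": "doc_access", "title": "VPN Setup Guide"},
    {"ts": "2024-06-10T09:25:00", "user": "alice", "type": "doc_access", "title": "Remote Telework Utilities FAQ"},
    {"ts": "2024-06-10T10:00:00", "user": "bob", "type": "doc_access", "title": "VPN Setup Guide"},
    {"ts": "2024-06-08T08:00:00", "user": "carol", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2024-06-10T11:00:00", "user": "carol", "type": "doc_access", "title": "VPN Setup Guide"},
    {"ts": "2024-06-10T12:00:00", "user": "dave", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2024-06-10T12:30:00", "user": "dave", "type": "doc_access", "title": "Q2 Sales Deck"},
]


def is_sensitive(title):
    """True if a document title looks like remote-access documentation."""
    lowered = title.lower()
    return any(keyword in lowered for keyword in KEYWORDS)


def correlate(events, window=WINDOW):
    """Return {user: [titles]} for accounts that opened remote-access
    documentation within `window` after a help-desk MFA reset."""
    last_reset = {}
    findings = {}
    # ISO 8601 timestamps of identical format sort chronologically as strings.
    for event in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(event["ts"])
        user = event["user"]
        if event["type"] == "mfa_reset" and event.get("actor") == "helpdesk":
            last_reset[user] = ts
        elif event["type"] == "doc_access" and is_sensitive(event.get("title", "")):
            reset = last_reset.get(user)
            if reset is not None and ts - reset <= window:
                findings.setdefault(user, []).append(event["title"])
    return findings


if __name__ == "__main__":
    for user, titles in correlate(EVENTS).items():
        print(f"REVIEW {user}: post-reset access to {titles}")
```

Only `alice` is flagged in the sample data: `bob` had no reset, `carol`'s reset falls outside the window, and `dave` opened an unrelated document.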
