Scattered Spider, the group behind an attack that severely disrupted MGM Resorts, is still on the loose and is now launching attacks against financial services firms, new research warns.
The group has targeted 29 companies since April 20, cyber security researchers from the Resilience Cyber Insurance Solutions told Bloomberg, going after banks and insurance companies in particular.
The group has been operating as recently as 6 May, conducting social engineering attacks at an incredible speed and ramping up targeting of businesses, researchers claimed.
A list of targets provided by an unnamed senior researcher included Visa, PNC, Transamerica, New York Life Insurance Co, and Synchrony Financial, but the source could not confirm if the hackers successfully gained access to the companies in question.
Two firms operating in the insurance sector are reported to have been successfully breached, but they were not named by the researcher.
The group has been buying-up ‘lookalike domains’ that closely resemble that of their target in order to host fake log-in pages.
Researchers told Bloomberg that phishing emails and SMS messages distributed to employees would redirect them to these fake pages, disguised as identity management or content management services, which would harvest their credentials.
This fits with the tactics, techniques, and procedures (TTPs) already associated with the group. Last year, the FBI and CISA described the group as being highly proficient in social engineering techniques including phishing, push bombing, abusing multi-factor authentication (MFA) fatigue, and SIM swap attacks.
Scattered Spider is still on the loose despite law enforcement efforts
Both the FBI and CISA announced a crackdown on the group in the aftermath of the MGM Resorts cyber attack in September 2023, which forced the group to shutdown their IT systems, leaving customers locked out of rooms and slot machines out of action.
The agencies issued a joint advisory on 17 November 2023 requesting that victims of the Scattered Spider collective provide details on the group’s attack methods in order to aid their takedown efforts.
Victim testimony called for by the agencies included ransom notes, any communications they may have had with the group, their Bitcoin wallet information, and decryptor files.
These efforts have already started to bear fruit, with one teenage hacker linked to the Scattered Spider group being arrested in January 2024. Noah Urban, 19, was arrested for wire fraud associated with the group’s activities, according to Brett Leatherman, deputy director of the FBI’s cyber assistant.
There is clearly more work to be done, however, as the group appears undeterred by the increased attention from law enforcement agencies in recent months.
Charles Carmakal, CTO at Mandiant, told Reuters there was a fall in the group’s activity in January, perhaps linked to Urban’s arrest, but the attacks were going “pretty heavy right now”.
On 10 May, a senior official at the FBI told Reuters the agency was working towards charging hackers working for the group, even those young enough to normally avoid the full force of the law.
The FBI said it could use state and local laws to bring underage cyber criminals to justice, which Leatherman claimed has been a highly effective strategy in the past.
