
"Organizations should assume Scattered Spider remains active and focused on identity takeover within financial services. The group favors social engineering to trigger self-service password reset in Azure AD, especially against executives and helpdesk processes, then uses the new foothold to raid cloud and on-premises control planes. After initial access, they pivot through Citrix and VPN and compromise ESXi to harvest credentials and broaden reach."
"They escalate privileges by resetting service accounts such as Veeam and by granting Azure Global Administrator rights while relocating virtual machines to stay out of sight. Expect use of lookalike domains that imitate financial brands and internal portals to aid pretexting and credential capture. Data discovery and exfiltration attempts will target cloud stores including Snowflake and AWS along with internal file shares and ticketing or wiki systems."
Scattered Spider has resumed operations with a focus on the financial sector, running identity takeover campaigns. The group uses social engineering to trigger Azure AD self-service password resets, targeting executives and helpdesk processes, then pivots through Citrix and VPN to compromise ESXi hosts and harvest credentials. Attackers escalate privileges by resetting service accounts and granting themselves Azure Global Administrator rights, relocating virtual machines to evade detection. The adversary registers lookalike domains and uses pretexting to capture credentials, then targets cloud stores such as Snowflake and AWS, internal file shares, ticketing systems and wikis for discovery and exfiltration. Evidence suggests possible collaboration with ShinyHunters and a hands-on-keyboard approach that abuses native admin tools.
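The two identity signals the quoted assessment and the summary above single out (a self-service password reset on a targeted account, followed by a Global Administrator grant, plus resets of service accounts such as the Veeam account) are all visible in the Microsoft Entra ID (Azure AD) audit log. The following is an added detection example written for this page; it is not code from the Security Magazine article or from any vendor. The record layout is an approximation of the Entra audit-log JSON (`activityDisplayName`, `initiatedBy`, `targetResources`, `modifiedProperties`), the watchlists and every sample event are constructed, and the 60-minute correlation window is an assumption to be tuned per environment.

```python
"""Detect Scattered Spider-style identity takeover signals in Entra ID audit events.

Added example for this page, not the article's own code. Field names follow the
Microsoft Entra audit-log export as an approximation; watchlists and sample events
are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed watchlists (assumptions): accounts a helpdesk pretext would aim at,
# and the service accounts the article says the group resets.
WATCHED_ACCOUNTS = {"cfo@example.com", "helpdesk-admin@example.com"}
SERVICE_ACCOUNTS = {"svc-veeam@example.com"}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    target: str      # account acted upon
    actor: str       # account or app that initiated the activity
    timestamp: str   # ISO-8601 activityDateTime as logged


def _actor(event):
    """UPN of the initiating user, else the initiating app name, else 'unknown'."""
    ib = event.get("initiatedBy", {})
    user = ib.get("user") or {}
    app = ib.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _targets(event):
    return [t.get("userPrincipalName") or t.get("displayName", "")
            for t in event.get("targetResources", [])]


def _role_names(event):
    """Role.DisplayName values from modifiedProperties; newValue is a JSON-encoded string."""
    names = []
    for t in event.get("targetResources", []):
        for mp in t.get("modifiedProperties", []):
            if mp.get("displayName") == "Role.DisplayName":
                raw = mp.get("newValue", "")
                try:
                    names.append(json.loads(raw))
                except ValueError:
                    names.append(raw)
    return names


def evaluate(event):
    """Return the list of Findings a single audit record triggers (possibly empty)."""
    findings = []
    activity = event.get("activityDisplayName", "")
    ts = event.get("activityDateTime", "")
    actor = _actor(event)
    if activity == "Add member to role" and "Global Administrator" in _role_names(event):
        for tgt in _targets(event):
            findings.append(Finding("high", "global_admin_granted", tgt, actor, ts))
    elif activity == "Reset password (self-service)":
        for tgt in _targets(event):
            if tgt.lower() in WATCHED_ACCOUNTS:
                findings.append(Finding("high", "sspr_on_watched_account", tgt, actor, ts))
    elif activity == "Reset user password":
        for tgt in _targets(event):
            if tgt.lower() in SERVICE_ACCOUNTS:
                findings.append(Finding("medium", "service_account_password_reset", tgt, actor, ts))
    return findings


def scan(events):
    """Run evaluate() over a sequence of audit records, preserving log order."""
    return [f for e in events for f in evaluate(e)]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def correlate(findings, window_minutes=60):
    """Chain a watched-account SSPR to a later Global Administrator grant on the same
    account within the window: the takeover sequence the assessment describes."""
    resets = [f for f in findings if f.rule == "sspr_on_watched_account"]
    grants = [f for f in findings if f.rule == "global_admin_granted"]
    chains = []
    for r in resets:
        for g in grants:
            if g.target == r.target:
                gap = _parse(g.timestamp) - _parse(r.timestamp)
                if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                    chains.append((r.target, r.timestamp, g.timestamp))
    return chains


# Constructed sample events (not real telemetry): SSPR on the CFO, a GA grant to the
# same account seven minutes later, a Veeam service-account reset, and a benign SSPR.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-09-10T14:02:11Z", "activityDisplayName": "Reset password (self-service)",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "cfo@example.com"}]},
    {"activityDateTime": "2025-09-10T14:09:45Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "cfo@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-09-10T14:11:00Z", "activityDisplayName": "Reset user password",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-veeam@example.com"}]},
    {"activityDateTime": "2025-09-10T15:00:00Z", "activityDisplayName": "Reset password (self-service)",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"userPrincipalName": "alice@example.com"}]},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.severity}] {h.rule}: target={h.target} actor={h.actor} at {h.timestamp}")
    for target, reset_at, grant_at in correlate(hits):
        print(f"TAKEOVER CHAIN: {target} reset at {reset_at}, Global Administrator at {grant_at}")
```

In production the events would come from the Entra audit log export (Log Analytics, Sentinel or the Graph API) rather than the inline list, and the watchlists would be fed from the HR and service-account inventories. The correlation step is what lifts the signal above a single noisy rule: a self-service reset on its own is routine, but one followed within the hour by a Global Administrator grant on the same account is exactly the sequence the assessment attributes to this actor.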
Read at Securitymagazine