The FBI has issued a critical cybersecurity alert regarding a surge in attacks targeting multi-factor authentication (MFA), also known as 2FA. The notorious Scattered Spider threat group is behind these escalating attacks, prompting immediate action from businesses and individuals.
Scattered Spider Targets New Sectors
Scattered Spider, known for its retail sector attacks, including a significant breach of Marks & Spencer in the U.K., is now targeting the airline industry and its supply chain, according to the FBI. This expansion signifies a growing threat to critical infrastructure and businesses beyond the retail sector.
A recent report by Halcyon highlighted indications that Scattered Spider is also targeting the Food, Manufacturing, and Transportation sectors, particularly aviation, within the United States. The FBI confirmed these findings, stating that the group is employing social engineering techniques to gain unauthorized access.
How Scattered Spider Bypasses 2FA
The attackers impersonate employees or contractors, deceiving IT help desks into adding unauthorized MFA devices to compromised accounts. With an attacker-controlled device enrolled, they can complete the MFA challenge themselves and gain access despite existing security measures.
The FBI urges organizations to be vigilant against requests to add unauthorized 2FA devices and to adhere strictly to established security protocols. If you suspect your organization has been targeted, contact your local FBI office immediately.
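One way to turn this guidance into a detection, as an added example that is not from the FBI alert or this article: it flags an MFA device enrolled by someone other than the account owner when the account then signs in from an IP address it has not used before. The event schema (`ts`, `type`, `actor`, `target`, `ip`), the event type names and the 24-hour window are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not from any real IdP).
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:00:00","type":"mfa_enroll","actor":"alice","target":"alice","ip":"198.51.100.10"}
{"ts":"2025-07-02T14:05:00","type":"mfa_enroll","actor":"helpdesk1","target":"bob","ip":"192.0.2.5"}
{"ts":"2025-07-02T14:20:00","type":"signin","actor":"bob","target":"bob","ip":"203.0.113.77"}
{"ts":"2025-07-01T08:00:00","type":"signin","actor":"bob","target":"bob","ip":"198.51.100.20"}
{"ts":"2025-07-03T11:00:00","type":"mfa_enroll","actor":"helpdesk2","target":"carol","ip":"192.0.2.5"}
{"ts":"2025-07-03T11:30:00","type":"signin","actor":"carol","target":"carol","ip":"198.51.100.30"}
{"ts":"2025-06-30T08:00:00","type":"signin","actor":"carol","target":"carol","ip":"198.51.100.30"}
"""

WINDOW = timedelta(hours=24)  # assumed review window after an enrollment


def parse_events(text):
    """Parse JSON lines, skip malformed ones, return events sorted by time."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # a broken line must not stop the detection
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events):
    """Flag MFA devices added by someone other than the account owner when
    the account then signs in from an IP it has not used before."""
    seen_ips = {}   # account -> IPs observed so far
    pending = {}    # account -> enrollment awaiting a follow-up sign-in
    alerts = []
    for ev in events:
        acct = ev["target"]
        if ev["type"] == "mfa_enroll" and ev["actor"] != acct:
            pending[acct] = ev
        elif ev["type"] == "signin":
            enroll = pending.get(acct)
            new_ip = ev["ip"] not in seen_ips.get(acct, set())
            if enroll and new_ip and ev["ts"] - enroll["ts"] <= WINDOW:
                alerts.append({"account": acct, "enrolled_by": enroll["actor"],
                               "signin_ip": ev["ip"]})
                del pending[acct]
            seen_ips.setdefault(acct, set()).add(ev["ip"])
    return alerts
```

A hit is a lead for review rather than proof of compromise, since a legitimate reset for a travelling employee matches the same pattern.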
Understanding the Scattered Spider Threat
Analysis by the ReliaQuest Threat Research Team found that 81% of Scattered Spider’s domains impersonate technology vendors, targeting system administrators and executives with high-value credentials. The group uses phishing frameworks like Evilginx and social engineering, including video calls, to infiltrate the technology, finance, and retail trade sectors.
Scattered Spider is linked to The Community, a hacking collective, and collaborates with ransomware operators like ALPHV, RansomHub, and DragonForce. This collaboration allows them to deliver sophisticated impersonation attacks.
The group recruits social engineers with specific qualifications, including fluency in English, a lack of accent, and availability during Western business hours. These individuals use detailed scripts and real-time guidance to manipulate targets outside of Russia and the Commonwealth of Independent States.
Future Threats: AI-Powered Attacks
ReliaQuest anticipates that Scattered Spider will soon adopt AI-powered attack methodologies, streamlining its ability to manipulate trust-based systems like IT help desks. That makes it even more crucial to stay informed and prepared.
Insurance Sector Also Under Attack
The Google Threat Intelligence Group reports multiple intrusions bearing the hallmarks of Scattered Spider activity in the insurance industry, indicating a broader expansion beyond aviation. This highlights the need for vigilance across various sectors.
Jon Abbott, CEO at ThreatAware, warns that the attacks on US insurers serve as a warning for other industries to remain vigilant and not underestimate the threat, especially concerning supply chain vulnerabilities.
Richard Orange, a vice president at Abnormal AI, emphasizes that Scattered Spider relies on social engineering rather than technical exploits, bypassing traditional security controls by manipulating people and moving laterally to harvest credentials.