Sophisticated help desk deception campaigns: The group has perfected calling corporate help desks and impersonating employees to trick support staff into resetting passwords and adding unauthorized devices to multi-factor authentication systems.

Cybercrime syndicates like Scattered Spider operate as compartmentalized organizations, with distinct teams specializing in different attack phases, said Sunil Varkey, advisor at Beagle Security. “One such team is the social engineering team, typically low-cost, non-technical, and composed of skilled communicators, tasked with manipulating users and help desk staff to bypass security controls.”

Help desks present particularly vulnerable targets because they often operate as separate, outsourced functions with high employee turnover and predefined scripts. “This is a function with high employee turnover, as it is typically low-paying,” Varkey said. “Consequently, the context based on tenure is very limited in acting beyond the standard script.”

The group’s 2023 attack on MGM Resorts exemplifies their devastating impact: hackers impersonated an MGM employee and convinced help desk staff to reset credentials, ultimately leading to a ransomware attack that caused $100 million in losses and a 36-hour operational shutdown.
Airlines present high-value targets: Aviation companies are particularly vulnerable because they “rely heavily on call centers for a lot of their support needs,” making them susceptible to groups that specialize in help desk social engineering.

“Airlines also hold vast amounts of sensitive data, including customer PII, flight schedules, and operational information,” said Brijesh Singh, cybersecurity expert and additional director general of police, Government of Maharashtra, India, explaining why the group is targeting the sector. “Airlines’ complex global networks and supply chains make them prime targets. Infiltrations can quickly escalate, leading to substantial ransoms or stolen data being sold on the dark web.”

Help desks in aviation and other large sectors are especially exposed because they typically operate as outsourced, non-IT functions removed from day-to-day business operations. “The assumption with MFA is that if the user passes the second factor, they are a legitimate user,” Varkey said. “In many cases, MFA may not be OTP-based but rather secret questions, such as ‘your favorite sport’ or ‘your mother’s maiden name,’ which are too easy to guess or obtain through social media.”

The FBI noted that the group targets “large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”
Advanced persistence tactics: Recent incident reports reveal the group’s sophisticated approach to maintaining access. CISA reports that Scattered Spider actors “often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online” and “frequently join incident remediation and response calls and teleconferences” to understand how security teams are hunting them.

Mandiant is advising clients to “immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts” and implement additional verification before resetting passwords or adding MFA devices.
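The pattern described in the first section (a help-desk-initiated password reset followed by a new MFA device on the same account) and the verification gap Mandiant points to above are both visible in identity-provider audit logs. The script below is an added example, not code from the article, CISA, Mandiant or any vendor named here: it correlates a constructed set of audit events (the field names, usernames, IP addresses and phone number are invented) and raises an alert when an account reset performed by someone other than the account owner is followed within a short window by an MFA method being added, escalating the severity if a sign-in from a previously unseen device follows.

```python
from datetime import datetime, timedelta

# Constructed sample audit events for this example only (not from the article).
# Field names are assumptions modelled loosely on identity-provider audit logs.
SAMPLE_EVENTS = [
    {"ts": "2025-06-27T09:02:00", "actor": "helpdesk-agent-17", "target": "jdoe",
     "action": "password_reset", "channel": "phone"},
    {"ts": "2025-06-27T09:10:00", "actor": "helpdesk-agent-17", "target": "jdoe",
     "action": "mfa_method_added", "method": "sms", "detail": "+1-555-0100"},
    {"ts": "2025-06-27T09:14:00", "actor": "jdoe", "target": "jdoe",
     "action": "sign_in", "ip": "203.0.113.45", "new_device": True},
    {"ts": "2025-06-27T11:00:00", "actor": "helpdesk-agent-03", "target": "asmith",
     "action": "password_reset", "channel": "in_person"},
    {"ts": "2025-06-27T15:30:00", "actor": "asmith", "target": "asmith",
     "action": "sign_in", "ip": "198.51.100.7", "new_device": False},
    {"ts": "2025-06-27T16:00:00", "actor": "bwong", "target": "bwong",
     "action": "mfa_method_added", "method": "authenticator_app", "detail": "self-service"},
]


def correlate_help_desk_resets(events, window=timedelta(hours=1)):
    """Return one alert per password reset performed by someone other than the
    account owner (i.e. a help-desk or admin reset) that is followed within
    `window` by an MFA method being added to the same account.

    A sign-in from a new device inside the same window raises the severity,
    because that is the point at which the attacker has finished taking over.
    """
    # Parse timestamps once and process events in chronological order.
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    alerts = []
    for i, ev in enumerate(parsed):
        if ev["action"] != "password_reset" or ev["actor"] == ev["target"]:
            continue  # self-service resets are out of scope for this rule
        methods_added = []
        new_device_signin = False
        for later in parsed[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are sorted, so nothing further is in the window
            if later["target"] != ev["target"]:
                continue
            if later["action"] == "mfa_method_added":
                methods_added.append(later["method"])
            elif later["action"] == "sign_in" and later.get("new_device"):
                new_device_signin = True
        if methods_added:
            alerts.append({
                "account": ev["target"],
                "reset_by": ev["actor"],
                "reset_channel": ev.get("channel", "unknown"),
                "reset_at": ev["ts"].isoformat(),
                "methods_added": methods_added,
                "new_device_signin": new_device_signin,
                "severity": "high" if new_device_signin else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_help_desk_resets(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['account']}: reset by "
              f"{alert['reset_by']} via {alert['reset_channel']}, then MFA "
              f"{alert['methods_added']} added; new-device sign-in: "
              f"{alert['new_device_signin']}")
```

In the sample data only `jdoe` trips the rule (phone reset, SMS method added eight minutes later, then a sign-in from a new device), while `asmith` (reset with no MFA change) and `bwong` (self-service MFA enrolment with no reset) do not. The window is the tuning knob: an attacker working a help desk live typically completes the reset, enrols the new factor and signs in within minutes, so a tighter window trades recall for fewer pages to the on-call analyst.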
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4014787/scattered-spider-shifts-focus-to-airlines-after-strikes-on-hawaiian-and-westjet.html