The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG).
“Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity,” John Hultquist, chief analyst at GTIG, said in an email Monday.
“We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
Scattered Spider is the name assigned to an amorphous collective that’s known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the wake of the latter’s supposed takeover of RansomHub’s infrastructure.
“The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics,” SOS Intelligence said.
“Often described as ‘native English speakers,’ they are suspected to operate in or have ties to Western countries, bringing a cultural fluency that makes their phishing and phone-based attacks alarmingly effective.”
Earlier this month, ReliaQuest revealed that Scattered Spider and DragonForce are increasingly targeting managed service providers (MSPs) and IT contractors to obtain access to several downstream customers through a single compromise.
Google-owned Mandiant said the threat actors often single out large enterprise organizations, likely hoping to land a bigger payday.
Particularly targeted are enterprises with large help desks and outsourced IT functions that are susceptible to social engineering attacks.
To mitigate against tactics utilized by the e-crime group, it’s recommended to enhance authentication, enforce rigorous identity controls, implement access restrictions and boundaries to prevent privilege escalation and lateral movement, and train help desk personnel to positively identify employees before resetting their accounts.
