Notorious Cybercrime Group Expands Its Reach, Targeting Help Desks and Call Centers

Google’s Threat Intelligence Group has issued a warning to U.S. insurance firms, alerting them to a new wave of attacks by the notorious cybercrime group Scattered Spider. The group, also known as UNC3944, has been targeting various U.K. and U.S. retailers in recent months, but has now shifted its focus to the insurance industry.
According to John Hultquist, chief analyst at Google’s Threat Intelligence Group, the group’s attacks bear all the hallmarks of Scattered Spider activity. “We are now seeing incidents in the insurance industry,” Hultquist said in an email. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
Scattered Spider is known for its use of advanced social engineering tactics to breach organizations. The group has forged an alliance with the DragonForce ransomware cartel, which has led to a significant increase in the group’s capabilities. “The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication through cunning psychological tactics,” said SOS Intelligence.
The group’s attacks often combine phishing with phone-based social engineering, made more effective by the members’ cultural fluency and native-level English. Scattered Spider has also been targeting managed service providers (MSPs) and IT contractors, since a single compromise there can yield access to several downstream customers.
This tactic, a form of “supply chain attack,” allows the group to reach sensitive information and systems at the downstream organization without triggering that organization’s own defenses. “The group is taking advantage of the complexity of modern IT systems to gain a foothold in the target organization,” said a cybersecurity expert. “Once they have gained access, they can move laterally through the network, stealing sensitive data and disrupting operations.”
To mitigate Scattered Spider’s tactics, experts recommend strengthening authentication, enforcing rigorous identity controls, implementing access restrictions and boundaries to prevent privilege escalation and lateral movement, and training help desk personnel to positively identify employees before resetting their passwords or MFA enrollments.
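One way to make the help desk verification step enforceable rather than a matter of individual judgment, as an added illustration that is not code from the article or from any of the organizations it mentions: the policy below denies a reset unless the agent has called the employee back on the number held in the HR directory, requires manager approval before re-enrolling MFA (the step the group abuses to bypass it), and flags repeated requests for the same account so security can review them. The directory entries, field names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed HR directory (hypothetical data): the phone number on file is the
# only number the help desk may call back; caller ID alone is never trusted.
DIRECTORY = {
    "jdoe": {"phone_on_file": "+1-555-0100", "manager": "asmith"},
    "asmith": {"phone_on_file": "+1-555-0101", "manager": "cboss"},
}

@dataclass
class ResetRequest:
    username: str
    request_type: str            # "password" or "mfa"
    caller_phone: str            # number the agent is currently speaking to
    callback_confirmed: bool     # agent hung up and called phone_on_file back
    manager_approved: bool = False
    when: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def evaluate_reset(req, recent_requests):
    """Return (decision, reasons). Every failed check is a reason to deny,
    and some reasons double as detection signals worth escalating."""
    reasons = []
    emp = DIRECTORY.get(req.username)
    if emp is None:
        return "deny", ["unknown user"]
    if req.caller_phone != emp["phone_on_file"]:
        reasons.append("caller number does not match directory")
    if not req.callback_confirmed:
        reasons.append("no out-of-band callback to number on file")
    if req.request_type == "mfa" and not req.manager_approved:
        reasons.append("MFA re-enrollment requires manager approval")
    # Repeated resets for one account within 24h are a classic sign of a
    # social-engineering campaign working through several agents.
    window_start = req.when - timedelta(hours=24)
    prior = [r for r in recent_requests
             if r.username == req.username and r.when >= window_start]
    if len(prior) >= 2:
        reasons.append("third reset request in 24h; escalate to security")
    return ("allow" if not reasons else "deny"), reasons
```

A real deployment would write the decision and reasons to an audit log consumed by the SOC, so that denied or escalated requests are visible as detections rather than lost in ticket notes.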
Additionally, experts recommend that organizations implement a zero-trust security model, which grants no implicit trust to any user or device, whether inside or outside the network perimeter. This approach involves verifying the identity and intent of every user and device before granting access to sensitive information and systems.
Organizations should also stay up-to-date with the latest security patches and updates, and implement regular security audits to identify and address vulnerabilities. By taking these steps, organizations can reduce the risk of a Scattered Spider attack and protect their sensitive information and systems.