Hackers associated with the "Scattered Spider" tactics have expanded their targeting to the aviation and transportation industries after attacking the insurance and retail sectors.
These threat actors have employed a sector-by-sector approach, initially targeting retail companies such as M&S and Co-op in the United Kingdom and the United States, and later focusing on insurance companies.
While the threat actors were not officially blamed for the insurance sector attacks, recent incidents have affected Aflac, Erie Insurance and Philadelphia Insurance Companies.
Hackers target the aviation industry
On June 12, Canada's second-largest airline, WestJet, suffered a cyberattack that briefly disrupted the company's internal services and mobile app.
Shortly after the breach, sources told BleepingComputer that Palo Alto Networks and Microsoft were assisting in the response.
The attack was attributed to Scattered Spider, who allegedly compromised the company's data center and its Microsoft Cloud environment.
BleepingComputer was told that the threat actors gained access to an employee's account through a self-service password reset, which allowed them to register their own MFA device and obtain remote access to the network via Citrix.
While other threat actors also conduct identity attacks, Scattered Spider is linked to these tactics because of its routine targeting of help desks, password resets and MFA infrastructure.
Today, Hawaiian Airlines also disclosed that it suffered a cyberattack, but did not share any details indicating who was behind it. However, a source told BleepingComputer that the same threat actors are believed to be responsible.
Sam Rubin, SVP of Consulting and Threat Intelligence at Palo Alto Networks, has now confirmed on LinkedIn that Scattered Spider has begun targeting the aviation industry.
"Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry," warned Rubin.
"Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests."
Charles Carmakal of Mandiant also warned that the threat actors have now turned their attention to both the aviation and transportation sectors.
"Alert: Scattered Spider has added North American airline and transportation organizations to its target list," Carmakal posted on LinkedIn.
"Mandiant (part of Google Cloud) is aware of multiple incidents in the airline and transportation sector that resemble UNC3944 or Scattered Spider operations.
"We recommend that the industry immediately take steps to tighten up help desk identity verification processes before adding new phone numbers to employee/contractor accounts (which can be used by the actor to perform self-service password resets), resetting passwords, adding devices to MFA solutions, or anything else that could later be used for a social engineering attack."
What is Scattered Spider?
Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest and Muddled Libra, is a classification of threat actors who specialize in using social engineering attacks, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue) and SIM swapping to gain initial network access to large organizations.
These threat actors include young English-speaking individuals with diverse skill sets who frequent the same hacker forums, Telegram channels and Discord servers. These platforms are used to plan and execute attacks in real time.
Some are considered part of "the Com", a loose-knit community of threat actors known for financial fraud, cryptocurrency theft, data breaches and extortion attacks.
While Scattered Spider is usually referred to as a cohesive gang, the name actually represents threat actors who use specific tactics when conducting attacks. Since attacks associated with Scattered Spider tactics are usually carried out by separate individuals from a loose network of threat actors, tracking them is difficult.
Unlike many other English-speaking threat actors, individuals associated with Scattered Spider are known to partner with Russian-linked ransomware gangs, such as BlackCat, RansomHub, Qilin and DragonForce.
Other attacks associated with Scattered Spider include those on MGM, Marks and Spencer, Co-op, Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games and Reddit.
Protecting organizations against this type of threat should begin with full visibility across the entire infrastructure, identity systems and critical management services.
This includes securing the self-service password reset platform and the help desk, which are common targets of these threat actors.
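The WestJet intrusion described above follows a recognizable sequence in identity logs: a self-service password reset, then a new MFA method registered, then a remote-access login, all within hours. The following detection sketch is an added example, not code from BleepingComputer or any vendor guide; the event names, field layout and log entries are constructed for illustration, so map them to your own identity provider's audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample identity audit events (not from any real incident).
# Each tuple: (UTC timestamp, user, event type, detail).
SAMPLE_EVENTS = [
    ("2025-06-12T08:02:00", "jdoe", "sspr_password_reset", "phone OTP to recently added number"),
    ("2025-06-12T08:09:00", "jdoe", "mfa_method_registered", "authenticator app on new device"),
    ("2025-06-12T08:31:00", "jdoe", "remote_access_login", "Citrix gateway, unmanaged device"),
    ("2025-06-12T09:15:00", "asmith", "sspr_password_reset", "email link"),
    ("2025-06-13T11:00:00", "asmith", "remote_access_login", "Citrix gateway, managed device"),
    ("2025-06-10T07:00:00", "bchen", "mfa_method_registered", "hardware key"),
    ("2025-06-12T10:00:00", "bchen", "sspr_password_reset", "authenticator app"),
]

# The ordered stages of the intrusion chain reported in the article.
CHAIN = ("sspr_password_reset", "mfa_method_registered", "remote_access_login")


def find_reset_chains(events, window=timedelta(hours=24)):
    """Return {user: [[(timestamp, detail), ...], ...]} for every user whose
    events contain all CHAIN stages, in order, within `window` of the reset."""
    by_user = {}
    for ts, user, kind, detail in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), kind, detail))
    alerts = {}
    for user, seq in by_user.items():
        seq.sort()  # chronological order per user
        for i, (start, kind, detail) in enumerate(seq):
            if kind != CHAIN[0]:
                continue  # a chain only starts at a password reset
            stage, hits = 1, [(start, detail)]
            for ts, later_kind, later_detail in seq[i + 1:]:
                if ts - start > window:
                    break  # later events fall outside the correlation window
                if later_kind == CHAIN[stage]:
                    hits.append((ts, later_detail))
                    stage += 1
                    if stage == len(CHAIN):
                        alerts.setdefault(user, []).append(hits)
                        break
    return alerts


if __name__ == "__main__":
    for user, chains in find_reset_chains(SAMPLE_EVENTS).items():
        for chain in chains:
            print(f"ALERT {user}: " + " -> ".join(f"{ts:%H:%M} {d}" for ts, d in chain))
```

Only `jdoe` trips the rule: `asmith` never registers a new MFA method and `bchen` registered one before the reset, so neither matches the ordered chain.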
Both the Google Threat Intelligence Group (GTIG) and Palo Alto Networks have issued guides on hardening defenses against the tactics used by the Scattered Spider threat actors.
All organizations are advised to familiarize themselves with this guidance and tighten their identity platforms and procedures.