Scattered Spider Returns with Attacks on the Financial Sector
Cybersecurity researchers have linked a new wave of attacks on financial institutions to the notorious group known as Scattered Spider, contradicting their earlier statements that they were disbanding. The group has shifted its focus toward the financial services industry, creating look-alike domains aimed at organizations in that sector, and launching a recent targeted intrusion against a U.S. bank.
In that attack, the adversaries gained initial access by socially engineering an executive’s account, then resetting its password through Azure Active Directory Self-Service Password Management. Once inside, they were able to access sensitive IT and security documentation, move laterally across the network through Citrix and VPN systems, and compromise VMware ESXi infrastructure to harvest credentials and extend their access.
They escalated privileges by resetting a service account used by Veeam, assigning themselves Global Administrator permissions in Azure, and relocating virtual machines to avoid detection. There are also signs they attempted to exfiltrate data from cloud repositories, including Snowflake and Amazon Web Services, among others.
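The sequence described above, a self-service password reset on a high-value account followed shortly by that account granting itself Global Administrator, is a pattern defenders can correlate in directory audit logs. The following is an added detection example written for this article; it is not code from the researchers or from any vendor, and the event records, their field names (`time`, `activity`, `actor`, `target`) and the activity strings are constructed for illustration rather than taken from a real Azure AD export.

```python
"""Correlate a self-service password reset with a subsequent privileged-role
assignment performed by the same account within a time window.

The event schema and the sample records below are constructed for this
example; map the field names to your own audit-log export before use."""
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema, not real log output).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:02:00", "activity": "Reset password (self-service)",
     "actor": "exec.user@bank.example", "target": "exec.user@bank.example"},
    {"time": "2024-05-01T09:10:00", "activity": "User logged in",
     "actor": "exec.user@bank.example", "target": ""},
    {"time": "2024-05-01T10:45:00", "activity": "Add member to role",
     "actor": "exec.user@bank.example", "target": "Global Administrator"},
    # A second reset whose role change falls outside the window (no alert).
    {"time": "2024-05-01T11:00:00", "activity": "Reset password (self-service)",
     "actor": "jdoe@bank.example", "target": "jdoe@bank.example"},
    {"time": "2024-05-02T14:00:00", "activity": "Add member to role",
     "actor": "jdoe@bank.example", "target": "Global Administrator"},
]

# Accounts whose password reset alone should already draw attention
# (constructed watchlist; executives and break-glass accounts in practice).
HIGH_VALUE_ACCOUNTS = {"exec.user@bank.example"}

WINDOW = timedelta(hours=24)


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_sspr_then_role_escalation(events, window=WINDOW,
                                   role="Global Administrator"):
    """Return one alert per role assignment that follows a self-service
    password reset of the acting account within `window`."""
    last_reset = {}   # account -> time of its most recent self-service reset
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        when = parse_time(ev["time"])
        if ev["activity"] == "Reset password (self-service)":
            last_reset[ev["target"]] = when
        elif ev["activity"] == "Add member to role" and ev["target"] == role:
            actor = ev["actor"]
            reset_at = last_reset.get(actor)
            if reset_at is not None and when - reset_at <= window:
                alerts.append({
                    "actor": actor,
                    "reset_at": reset_at.isoformat(),
                    "role_assigned_at": when.isoformat(),
                    "minutes_between": int((when - reset_at).total_seconds() // 60),
                    "severity": "high" if actor in HIGH_VALUE_ACCOUNTS else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_sspr_then_role_escalation(SAMPLE_EVENTS):
        print(alert)
```

The window is deliberately generous (24 hours) because the escalation in the reported intrusion did not have to follow the reset immediately; tune it against your own baseline of legitimate resets, and treat any self-service reset on a watchlisted account as worth review on its own even when no role change follows.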
Scattered Spider’s recent activity calls into question earlier claims that the group was retiring alongside other cybercrime groups such as LAPSUS$. Security experts believe the retirement announcement may have been a strategic retreat, intended to reduce law enforcement attention, pause certain operations, or buy time to retool and reorganize.
Experienced analysts warn organizations not to let public statements of disbanding lull them into complacency. Threat actors with the resources and skill of Scattered Spider often rebrand, regroup, or operate under new aliases to evade scrutiny rather than disappearing altogether.