Cybercrime Group Exploits Identity Platforms, Leaving Credit Unions At Risk Of Sophisticated Attacks

NEW YORK—Financial institutions remain in the crosshairs of the cybercrime group Scattered Spider, despite claims the hackers are “going dark,” Bank Info Security reported.

Threat intelligence firm ReliaQuest told the news outlet it continues to track indicators of compromise tied to the collective, including a recent sophisticated attack on an unnamed U.S. banking organization. In that incident, attackers attempted to exfiltrate data from multiple repositories, including Amazon Web Services and Snowflake accounts, Bank Info Security said.

According to ReliaQuest, the intrusion began when the group socially engineered access to an executive’s account and reset their password via Azure Active Directory’s self-service tools. From there, attackers escalated privileges, accessed sensitive IT and security files, moved laterally through Citrix and VPN systems, and even compromised VMware ESXi infrastructure. By resetting a Veeam service account password and assigning themselves Azure Global Administrator permissions, the group was able to manipulate virtual machines and evade detection.

Bank Info Security noted that these tactics underscore a persistent and growing threat to the financial services sector. Over the past two months, Scattered Spider has registered numerous phishing domains and Salesforce credential-harvesting pages specifically tailored to financial institutions and technology providers. ReliaQuest said the group frequently spoofs single sign-on tools, using lookalike domains with keywords like “okta,” “helpdesk,” or “sso” to trick employees into giving up credentials.
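Added example (not from the article or from ReliaQuest): a small triage of newly observed hostnames for the lookalike pattern described above, using the three keywords the article names. The brand token `examplecu`, the allowlist and the sample hostnames are constructed assumptions.

```python
import re

# Keywords the article says appear in the group's lookalike domains.
KEYWORDS = ("okta", "helpdesk", "sso")
# Assumptions: the defender's brand token and the domains it really uses.
BRAND = "examplecu"
ALLOWED = ("examplecu.example", "okta.com")


def is_allowed(host, allowed=ALLOWED):
    """True only if host is an allowed domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def keyword_hits(tokens):
    """Keywords present in the hostname tokens."""
    hits = set()
    for k in KEYWORDS:
        for t in tokens:
            # Short keywords ("sso") must be a whole token, otherwise
            # ordinary words such as "espresso" would match.
            if t == k or (len(k) >= 4 and (t.startswith(k) or t.endswith(k))):
                hits.add(k)
    return sorted(hits)


def classify(host, brand=BRAND, allowed=ALLOWED):
    """Return (severity, keywords) for a suspicious host, else None."""
    host = host.lower().rstrip(".")
    if is_allowed(host, allowed):
        return None
    tokens = [t for t in re.split(r"[.-]", host) if t]
    hits = keyword_hits(tokens)
    if not hits:
        return None
    severity = "high" if any(brand in t for t in tokens) else "review"
    return severity, hits


# Constructed sample of newly observed hostnames (e.g. from DNS or proxy logs).
SAMPLE = [
    "examplecu-okta.example",
    "sso-examplecu.helpdesk-portal.example",
    "login.okta.com.verify-portal.example",  # allowed name used as a prefix
    "examplecu.okta.com",                    # legitimate tenant
    "espresso-lessons.example",              # contains "sso" only as a substring
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(h, "->", classify(h))
```

The allowlist check matches on a label boundary at the end of the name, so a legitimate domain embedded at the front of an unrelated one is still flagged.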

The continued targeting of financial institutions signals that banks and credit unions must brace for further highly technical attacks, particularly those exploiting identity and cloud-based platforms, analysts stated.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Cybercrime-Group-Exploits-Identity-Platforms-Leaving-Credit-Unions-At-Risk-Of-Sophisticated-Attacks