Scattered Spider Resurgence
- Glen Armes
- Jul 10
- 3 min read

Security teams and leaders around the world will not forget the successful Scattered Spider attack on casinos in Las Vegas last year. A short time after the casino attacks, Scattered Spider cooled off. Now, in 2025, not only has Scattered Spider returned, but they have come back stronger and more agile than ever. Please review the details of this article and sign your company up for a FREE Scattered Spider Threat Briefing at the Threat Briefing Signup Webpage.
eCrime Spree Over the Last 90 Days
April 2025 - UK retail companies Marks & Spencer, Co-op, and Harrods fell victim to Scattered Spider, with the business impact of online sales being offline for up to 7 weeks and a loss of millions of dollars.
May 2025 - Global retail brands from the US and UK, including Dior, The North Face, Cartier, Victoria’s Secret, Adidas, Coca-Cola, and United Natural Foods, fell victim to Scattered Spider, causing widespread e-commerce and point of sale (POS) disruptions.
June 2025 - US insurance companies Aflac, Erie Insurance, and Philadelphia Insurance fell victim to Scattered Spider, resulting in data stolen from Aflac, Erie being completely offline for 10 days, as well as multiple state policyholder portals being offline.
July 2025 - Hawaiian Airlines, WestJet, and Qantas attacks are under investigation, and it has been confirmed that Qantas lost 6 million accounts' information. This resulted in a Federal Bureau of Investigation (FBI) alert.
July 10, 2025 - Today, The Hacker News is reporting that the UK NCA arrested 4 suspects ranging in age from 17 to 20 linked to the April 2025 retail attacks.
Tactics used in the last 90 days
Initial Access - Voice phishing (vishing) IT help desks to reset single sign-on (SSO) / multi-factor authentication (MFA) for real employees, as well as SIM swapping or eSIM porting to hijack SMS and voice codes (per CrowdStrike).
Credential Harvest & MFA Bypass - Evilginx-style phishing pages on typosquatted domains, most often impersonating technology vendors (per ReliaQuest).
Privilege Escalation & Lateral Movement - Once a foothold is gained, Scattered Spider attacks Microsoft Active Directory (AD) from vulnerable virtual machines (VMs) and VMware vCenter, quickly covering their tracks with mail rules that hide security alerts. Under the cover of those mail rules, they abuse legitimate remote desktop tools, including AnyDesk and TeamViewer (source: CrowdStrike).
Payload & Impact - Once data is located, ransomware including DragonForce, Play, and Akira is deployed to VMware ESXi clusters, alongside data exfiltration for double extortion. Public leak threats were observed within 24 to 48 hours of first access (source: ReliaQuest).
Three High Impact Areas That Need Controls Today
Many companies have not taken the basic steps to reduce risk related to Scattered Spider and other sophisticated attacks. The time to act is now: implement the nine controls below across these three high-impact areas.
Helpdesk & Identity Hardening
Companies should implement controls that (a) require callback verification using pre-identified numbers and (b) require manager approval for password and MFA resets. If your company is (c) still using voice or SMS MFA solutions, stop immediately.
Protect Virtual & Cloud Management Technology
IT teams need to (d) isolate VMware vCenter / ESXi platforms and backup systems on dedicated admin network segments, (e) require MFA and device identity for all admin console access (every time it is accessed), and ensure all (f) VMware, MFA, and identity platforms are being monitored by your SIEM / Security Operations Center (SOC).
Continuous Security Awareness & Training
Increase security awareness and training to (g) include social engineering drills that involve live vishing and attacks on the help desk. Also, ensure (h) dark web monitoring is in place for employee password compromise. Finally, (i) monitor spoofed domains and have a process for taking down the malicious typosquat domains.
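The vishing-driven MFA reset described under Initial Access is exactly what control (f), feeding the identity platform into the SIEM, is meant to catch. The following added example (not from the original post or from Armes Vantage) correlates a help-desk-initiated MFA reset with a new MFA enrolment and a sign-in from that same new IP within a short window; the event format, field names, IPs and user names are constructed for illustration.

```python
"""Constructed detection example: flag help-desk MFA resets that are quickly
followed by a new MFA enrolment and a sign-in from the enrolling IP."""
from datetime import datetime, timedelta

# Constructed identity-platform audit events (not real log data).
EVENTS = [
    {"ts": "2025-07-01T09:02:00", "user": "jdoe", "action": "mfa_reset",
     "actor": "helpdesk", "ip": "10.0.0.5"},
    {"ts": "2025-07-01T09:06:00", "user": "jdoe", "action": "mfa_enroll",
     "actor": "jdoe", "ip": "203.0.113.9"},
    {"ts": "2025-07-01T09:09:00", "user": "jdoe", "action": "signin",
     "actor": "jdoe", "ip": "203.0.113.9"},
    {"ts": "2025-07-01T11:00:00", "user": "asmith", "action": "mfa_reset",
     "actor": "helpdesk", "ip": "10.0.0.5"},
    {"ts": "2025-07-02T08:00:00", "user": "asmith", "action": "signin",
     "actor": "asmith", "ip": "10.0.0.20"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_resets(events, window=WINDOW):
    """Return (user, reset_ts, ip) for each help-desk MFA reset followed within
    `window` by an MFA enrolment and a sign-in from the same enrolling IP."""
    events = sorted(events, key=parse_ts)
    hits = []
    for i, ev in enumerate(events):
        if ev["action"] != "mfa_reset" or ev["actor"] != "helpdesk":
            continue
        t0, user = parse_ts(ev), ev["user"]
        enroll_ips = set()  # IPs that registered a new MFA method after the reset
        for later in events[i + 1:]:
            if later["user"] != user or parse_ts(later) - t0 > window:
                continue
            if later["action"] == "mfa_enroll":
                enroll_ips.add(later["ip"])
            elif later["action"] == "signin" and later["ip"] in enroll_ips:
                hits.append((user, ev["ts"], later["ip"]))
                break  # one alert per reset is enough
    return hits


if __name__ == "__main__":
    for user, ts, ip in find_suspicious_resets(EVENTS):
        print(f"ALERT: {user} MFA reset at {ts}, new enrolment and sign-in from {ip}")
```

The second user's reset is not flagged because the follow-on sign-in falls outside the window, which is the kind of tuning a SOC would adjust per environment.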
There is no guarantee that a company can keep from falling victim to a Scattered Spider cyber attack; however, implementing these nine controls can reduce the risk tremendously. If you need help designing and implementing these controls, Armes Vantage is here for you. Also, if members of your company would benefit from an Armes Vantage cybersecurity threat briefing, sign up at the threat briefing signup website. Once your request is made, Armes Vantage will reach out and set up the briefing directly with you.
Author: Glen E. Armes