{"id":2925,"date":"2025-09-23T00:52:47","date_gmt":"2025-09-23T00:52:47","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/23\/organizations-must-update-defenses-to-scattered-spider-tactics-experts-urge\/"},"modified":"2025-09-23T00:52:47","modified_gmt":"2025-09-23T00:52:47","slug":"organizations-must-update-defenses-to-scattered-spider-tactics-experts-urge","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/23\/organizations-must-update-defenses-to-scattered-spider-tactics-experts-urge\/","title":{"rendered":"Organizations Must Update Defenses to Scattered Spider Tactics, Experts Urge"},"content":{"rendered":"<div id=\"layout-26951dc8-e665-4fa8-9601-bea991c71832\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Organizations must urgently update their defenses to protect against tactics deployed by the Scattered Spider hacking collective this year, according to experts speaking during the Gartner Security &#038; Risk Management Summit 2025.<\/p>\n<p>A particular focus should be placed on identity tools and controls, security processes and third-party risk management to tackle the novel and highly effective techniques used by the group.<\/p>\n<p>During a session at the Summit, George Glass, associate managing director at risk advisory company Kroll, discussed Scattered Spider\u2019s highly successful approach in compromising high-profile targets from April to July 2025.<\/p>\n<p>The group, affiliated to The Com online criminal network, was linked to a number of attacks on retailers in April and May, including Marks &#038; Spencer (M&#038;S), the Co-op and Harrods.<\/p>\n<p>It then switched focus to the insurance sector in June, and later in the month to the transportation industry. 
Attacks have followed the same playbook, with the techniques highly effective in accessing sensitive data and deploying ransomware.<\/p>\n<p>Glass noted that the group has been known to have used threats of physical violence to executives as an extortion tactic.<\/p>\n<p>Since then, Scattered Spider\u2019s activity has significantly reduced, which Glass attributed to law enforcement actions, including the arrest of suspected members of the outfit in July and internal \u201cinfighting.\u201d<\/p>\n<p>With other actors, such as ShinyHunters, using similar tactics to Scattered Spider to great success, it is vital that organizations update their security measures to tackle the tactics employed.<\/p>\n<p>Experts believe that there is much overlap and cooperation between The Com-affiliated groups such as Scattered Spider and ShinyHunters.<\/p>\n<p>For example, the recent cyber-attack on car manufacturing giant Jaguar Land Rover (JLR) was claimed by a group calling itself \u201cScattered Lapsus$ Hunters,\u201d suggesting a possible collaboration between Scattered Spider, ShinyHunters and Lapsus$.<\/p>\n<h2><strong>How Scattered Spider Operates: A Case Study<\/strong><\/h2>\n<p>Glass provided insights into a Scattered Spider attack on a Kroll client, which the firm was ultimately able to stop.<\/p>\n<p>The attack began with the threat actor calling the target\u2019s IT helpdesk, claiming to be an employee who was locked out of their account.<\/p>\n<p>Once the password was reset, Scattered Spider sought to bypass the user\u2019s multifactor authentication (MFA) using \u201cpush notification fatigue\u201d \u2013 bombarding users with mobile phone push notifications until the user approves the request either by accident or to stop the notifications.<\/p>\n<p>After gaining access to the account, the attacker quickly changed the devices MFA codes are sent to.<\/p>\n<p>From there, Scattered Spider moved quickly to gain access to sensitive systems on the network, leveraging 
further social engineering techniques.<\/p>\n<p>\u201cIn some cases, in less than an hour they have been through SharePoint, they\u2019ve captured very important information there,\u201d Glass noted.<\/p>\n<p>In this particular occurrence, the actors gained access to an Okta account and then used Slack for internal spear phishing.<\/p>\n<p>This led to the attacker deploying a remote access tool and the AveMaria remote access trojan (RAT) to steal further credentials. Glass noted that Scattered Spider doesn\u2019t deploy malware and other tools \u201cuntil absolutely necessary.\u201d<\/p>\n<p>Through this process, they stole a LastPass login token, resulting in eight secret access keys being compromised.<\/p>\n<p>At this point, Kroll were able to stop the attack before the threat actors gained access to the victim\u2019s system. This would likely have involved scouring the victim\u2019s AWS environment for S3 buckets, exfiltrating sensitive information and deploying ransomware, according to Glass.<\/p>\n<h2><strong>How to Protect Against Scattered Spider Attacks<\/strong><\/h2>\n<p>Experts set out three key areas organizations should focus on to tackle the techniques used by Scattered Spider.<\/p>\n<h3><strong>Identity Based Protection and Response<\/strong><\/h3>\n<p>Bill Sawyer, managing director at Kroll, noted that identity is key to Scattered Spider\u2019s entry into organizations, aiming to capture passwords and MFA.<\/p>\n<p>\u201cApplying identity protection that is more mature than username and password is very important,\u201d Sawyer said.<\/p>\n<p>This includes ensuring all software-as-a-service (SaaS) applications are connected to single sign-on (SSO).<\/p>\n<p>He also recommended that organizations use number matching MFA codes, as these are harder for attackers to capture.<\/p>\n<p>Detection and response are also heavily linked to identity. 
For example, security teams should ensure they are able to quickly detect if a user is using tokens in an unusual way.<\/p>\n<h3><strong>Update Processes to Tackle Social Engineering<\/strong><\/h3>\n<p>Sawyer also noted that social engineering is a major part of Scattered Spider\u2019s playbook \u2013 from using vishing to impersonate employees to using internal Slack channels to request users do things they wouldn\u2019t normally do.<\/p>\n<p>He said it was important to introduce more \u201cfriction\u201d into processes to try and tackle these techniques. This could include making employees go onto a video call or in person to the IT helpdesk to request a password reset.<\/p>\n<h3><strong>Third Party Risk Management<\/strong><\/h3>\n<p>Scattered Spider\u2019s attacks typically involve the targeting of victims\u2019 technology vendors, such as SSO and other identity providers, to gain access to systems.<\/p>\n<p>As a result, organizations must ensure they are working effectively with their vendors on countering any third-party attacks.<\/p>\n<p>Speaking to <em>Infosecurity<\/em> during the Gartner Summit, Debbie Janeczek, global chief information security officer at ING, emphasized the need to have a close relationship with vendors to be quickly alerted to any potential incident.<\/p>\n<p>\u201cI have vendors that will text me and say \u2018hey check your email, we\u2019ve been breached and this is how it affects you\u2019. 
If you don\u2019t have that partnership, you won\u2019t get the immediate flag that you need to look at something,\u201d she explained.<\/p>\n<p>Janeczek also advised firms to closely monitor disclosed incidents affecting other organizations, understanding the tactics employed and updating defenses accordingly.<\/p>\n<p>\u201cYou have to watch the tactics, techniques and procedures (TTPs) for yourself,\u201d she noted.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Organizations must urgently update their defenses to protect against tactics deployed by the Scattered Spider hacking collective this year, according to experts speaking during the Gartner Security &amp; Risk Management Summit 2025. A particular focus should be placed on identity tools and controls, security processes and third-party risk management to tackle the novel and highly<\/p>\n","protected":false},"author":2,"featured_media":2926,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2925","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"20
48x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2925-38f9ba32-e028-489d-8469-69f8a6aa71a8-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2925","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2925"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2925\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2926"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2925"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2925"}
],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}