A collaboration of international cybersecurity agencies issued an urgent updated advisory on July 29, 2025, highlighting the escalating threat posed by the Scattered Spider cybercriminal group, which has intensified attacks against the critical infrastructure and commercial facilities sectors with increasingly sophisticated tactics and new ransomware variants.

The joint advisory, released by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK), provides comprehensive tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as June 2025.

The group employs multiple attack vectors, including “push bombing” (overwhelming users with MFA notifications until they approve access), subscriber identity module (SIM) swap attacks to hijack phone numbers, and elaborate vishing campaigns enriched with personal information gathered from social media, open-source intelligence, and commercial intelligence tools.

The group’s attacks on ESXi environments follow a calculated pattern: initial access through social engineering, privilege escalation to gain administrative control, deployment of remote monitoring tools, and finally, ransomware execution that encrypts core directories and renders virtual machines inoperable.

With Scattered Spider’s attacks causing hundreds of millions in damages and their tactics continuing to evolve, the updated advisory serves as a critical resource for organizations seeking to defend against one of today’s most sophisticated cybercriminal operations.
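As an added defender-side illustration (not code from the advisory or this article), the following Python flags the MFA push-bombing pattern described above in a small set of constructed authentication events: a burst of push challenges to one user in a short window, especially one that ends in an approval. The log line format, field names, the 4-push threshold and the 10-minute window are assumptions to adapt to your identity provider's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs): "ISO-time user factor result".
# Fields and values are assumptions; adapt parse_events() to your IdP's export format.
SAMPLE_MFA_EVENTS = """\
2025-07-29T02:10:05Z alice push DENIED
2025-07-29T02:10:31Z alice push DENIED
2025-07-29T02:11:02Z alice push DENIED
2025-07-29T02:11:40Z alice push DENIED
2025-07-29T02:12:15Z alice push APPROVED
2025-07-29T09:00:00Z bob push APPROVED
2025-07-29T17:30:00Z bob push APPROVED
"""

def parse_events(text):
    """Parse 'ISO-time user factor result' lines into (time, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, factor, result = line.split()
        if factor != "push":  # only push-style prompts are relevant to push bombing
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """Return users that received >= threshold push challenges within `window`,
    with a flag for whether the burst contained an approval (push fatigue succeeded)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until rows[start..end] all fit in `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(r == "APPROVED" for _, r in rows[start:end + 1])
                findings[user] = {"pushes": count, "approved_after_burst": approved}
    return findings

if __name__ == "__main__":
    for user, info in find_push_bombing(parse_events(SAMPLE_MFA_EVENTS)).items():
        print(user, info)
```

A burst that ends in an approval is the case to escalate first, since it matches the attacker's success condition rather than a user simply ignoring prompts.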
“Scattered Spider threat actors typically engage in data theft for extortion and also use several ransomware variants, most recently deploying DragonForce ransomware alongside their usual TTPs,” the advisory states.

According to the advisory, the group has been observed encrypting VMware ESXi servers using DragonForce ransomware, a tactic that allows them to cripple entire virtual machine infrastructures with minimal effort. The group has also been observed infiltrating company communications platforms like Slack, Microsoft Teams, and Exchange Online to monitor security response efforts and even participate in incident response calls to understand how security teams hunt them.

Unlike traditional cybercriminals who pose as IT helpdesk staff to target employees, Scattered Spider has now reversed this approach, impersonating employees to convince third-party IT and helpdesk personnel to provide sensitive information, reset passwords, and transfer multi-factor authentication (MFA) tokens to attacker-controlled devices. The group, which primarily consists of native English speakers believed to operate from the United States, the United Kingdom, and Canada, has become one of the most sophisticated social engineering operations targeting large enterprises.

Recent investigations reveal that Scattered Spider has expanded its targeting to include Snowflake cloud environments, where it can exfiltrate massive volumes of data quickly by running thousands of queries immediately upon access.
This article was published on cybersecuritynews.com. Publication date: Wed, 30 Jul 2025 10:50:19 +0000