The agencies warn that Scattered Spider is repurposing legitimate, publicly available remote access and tunneling tools, now including Teleport.sh and AnyDesk, to bypass security safeguards with little effort. Increasingly, it hunts for an organization's Snowflake access to "[exfiltrate] large volumes of data in a short time, often running thousands of queries immediately," according to CISA.
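The "thousands of queries immediately" pattern is detectable from Snowflake's query history. The following is an added example, not from the advisory or from Snowflake: it sweeps a sliding window over per-user query records shaped like ACCOUNT_USAGE.QUERY_HISTORY rows (user_name, start_time, query_type, bytes_scanned) and flags users whose query count or bytes scanned in any window exceed a baseline, or who ran unload-type queries at all. The thresholds, the treatment of UNLOAD/GET_FILES as exfiltration-relevant types, and the sample rows (a normal analyst and a burst from a service account) are constructed assumptions.

```python
"""Burst detector for Snowflake-style query history (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
QUERY_THRESHOLD = 200            # queries per user per window (assumed baseline)
BYTES_THRESHOLD = 50 * 1024**3   # 50 GiB scanned per window (assumed baseline)
EXFIL_TYPES = {"UNLOAD", "GET_FILES"}  # assumption: COPY INTO <stage>/GET activity


def make_sample():
    """Constructed rows: 30 analyst queries over an hour, then 500 SELECTs from a
    service account in ~4 minutes followed by an unload to a stage."""
    base = datetime(2024, 6, 1, 2, 0, 0)
    rows = []
    for i in range(30):
        rows.append({"user_name": "ANALYST", "start_time": base + timedelta(minutes=2 * i),
                     "query_type": "SELECT", "bytes_scanned": 10 * 1024**2})
    for i in range(500):
        rows.append({"user_name": "SVC_ETL", "start_time": base + timedelta(seconds=i // 2),
                     "query_type": "SELECT", "bytes_scanned": 200 * 1024**2})
    rows.append({"user_name": "SVC_ETL", "start_time": base + timedelta(minutes=5),
                 "query_type": "UNLOAD", "bytes_scanned": 0})
    return rows


def burst_stats(rows, window=WINDOW):
    """Per user: max queries and max bytes scanned inside any sliding window,
    plus the count of unload-type queries. Two-pointer sweep over sorted times."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user_name"]].append(r)
    stats = {}
    for user, qs in by_user.items():
        qs.sort(key=lambda r: r["start_time"])
        lo, win_bytes, best_n, best_bytes, unloads = 0, 0, 0, 0, 0
        for hi, r in enumerate(qs):
            win_bytes += r["bytes_scanned"]
            if r["query_type"] in EXFIL_TYPES:
                unloads += 1
            # drop queries that fell out of the window ending at r["start_time"]
            while qs[lo]["start_time"] < r["start_time"] - window:
                win_bytes -= qs[lo]["bytes_scanned"]
                lo += 1
            best_n = max(best_n, hi - lo + 1)
            best_bytes = max(best_bytes, win_bytes)
        stats[user] = {"max_queries": best_n, "max_bytes": best_bytes, "unloads": unloads}
    return stats


def detect(rows):
    """Return {user: [reasons]} for users that trip any threshold."""
    alerts = {}
    for user, s in burst_stats(rows).items():
        reasons = []
        if s["max_queries"] >= QUERY_THRESHOLD:
            reasons.append(f"{s['max_queries']} queries in {WINDOW}")
        if s["max_bytes"] >= BYTES_THRESHOLD:
            reasons.append(f"{s['max_bytes'] / 1024**3:.1f} GiB scanned in {WINDOW}")
        if s["unloads"]:
            reasons.append(f"{s['unloads']} unload/get queries")
        if reasons:
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    for user, reasons in detect(make_sample()).items():
        print(user, "->", "; ".join(reasons))
```

In production the rows come from a scheduled query against SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY, and the thresholds should be derived per role from historical baselines rather than the fixed numbers above; the unload check is the cheapest signal, since most analyst roles never run COPY INTO a stage at all.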
The group has been known to exfiltrate data after gaining access to a network and then threaten to release it; recently, this exfiltrated data has been moved to US-based data centers and cloud storage, including Amazon S3, and then encrypted. Members then communicate with targeted organizations via TOR, Tox, email, and other encrypted apps.
It is using domains including targetsname-cms[.]com, targetsname-helpdesk[.]com, and oktalogin-targetcompany[.]com. CISA explained that the targeted organization's name is often combined with either "-helpdesk" or the name of an SSO product to add credibility.
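That naming pattern (organization name paired with a help-desk or SSO keyword in the registrable label) is simple to match against DNS logs or a newly-registered-domain feed. The following is an added example, not from CISA's advisory: it splits the registrable label on hyphens, checks for an organization name alongside a support or SSO keyword, and skips an allow-list of the organization's real domains so legitimate subdomains such as helpdesk.examplecorp.com do not alert. The organization name "examplecorp", the keyword lists, and the sample hostnames are constructed assumptions, and the registrable-domain logic is a naive last-two-labels cut that does not handle multi-part public suffixes.

```python
"""Lookalike-domain matcher for org-name + helpdesk/SSO patterns (added example)."""
import re

# Assumptions: "examplecorp" stands in for the targeted organization and
# examplecorp.com is its real, allow-listed registrable domain.
ORG_NAMES = {"examplecorp"}
LEGIT_DOMAINS = {"examplecorp.com"}
SUPPORT_WORDS = {"helpdesk", "servicedesk", "support", "cms"}
SSO_WORDS = {"okta", "oktalogin", "sso", "login", "signin", "auth",
             "duo", "vpn", "citrix", "adfs", "onelogin"}
KEYWORDS = SUPPORT_WORDS | SSO_WORDS

# Constructed sample of observed hostnames (DNS/proxy logs, NRD feed).
SAMPLE_HOSTS = [
    "examplecorp-helpdesk.com",
    "oktalogin-examplecorp.com",
    "examplecorp-cms.com",
    "sso.examplecorp-login.net",
    "examplecorpsso.com",
    "examplecorp.com",
    "helpdesk.examplecorp.com",
    "example.org",
    "unrelated-helpdesk.com",
]


def registrable(host):
    """Naive registrable domain: the last two labels. Use the Public Suffix
    List in production so co.uk-style suffixes are handled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def defang(host):
    return host.replace(".", "[.]")


def classify(host):
    """Return (org, keyword) when the registrable label combines an org name
    with a support/SSO keyword, else None. Allow-listed domains never match."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    label = reg.split(".")[0]
    for org in ORG_NAMES:
        if org not in label:
            continue
        # remove the org name, then look at what is left around the hyphens;
        # replacing with "-" also catches glued forms like examplecorpsso
        remainder = label.replace(org, "-")
        for tok in re.split(r"[-_]+", remainder):
            if tok and tok in KEYWORDS:
                return (org, tok)
    return None


def find_lookalikes(hosts):
    """List of (defanged host, org, keyword) for every matching hostname."""
    hits = []
    for h in hosts:
        res = classify(h)
        if res:
            hits.append((defang(h), res[0], res[1]))
    return hits


if __name__ == "__main__":
    for host, org, kw in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host}: org={org} keyword={kw}")
```

Run against a newly-registered-domain feed this gives early warning before the phishing page is even live; run against outbound DNS it catches the moment a staff member resolves one of the lures. Keyword matching of this kind is deliberately loose, so pair it with the allow-list and a check of WHOIS age before paging anyone.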