
The infamous cybercrime group known as Scattered Spider (also referred to as UNC3944), which recently targeted various retailers in the U.K. and U.S., has now shifted its focus to major insurance companies, according to the Google Threat Intelligence Group (GTIG).

"Google Threat Intelligence Group has identified multiple intrusions in the U.S. that exhibit all the characteristics of Scattered Spider activity," stated John Hultquist, chief analyst at GTIG, in an email on Monday.


"We are now observing incidents within the insurance sector. Given this actor's history of concentrating on one industry at a time, the insurance sector should remain vigilant, particularly against social engineering schemes aimed at their help desks and call centers."

Scattered Spider is a loosely organized collective known for employing advanced social engineering tactics to infiltrate organizations. In recent months, it is believed that the group has formed an alliance with the DragonForce ransomware cartel following the latter's alleged takeover of RansomHub's infrastructure.

"The group has consistently shown its capability to impersonate employees, mislead IT support teams, and circumvent multi-factor authentication (MFA) using clever psychological strategies," noted SOS Intelligence.


Its members are often described as "native English speakers" and are suspected to operate from, or have connections to, Western countries; that cultural fluency makes their phishing and phone-based attacks more convincing.

Earlier this month, ReliaQuest reported that Scattered Spider and DragonForce are increasingly targeting managed service providers (MSPs) and IT contractors to gain access to multiple downstream customers through a single breach.

Google-owned Mandiant indicated that these threat actors typically focus on large enterprise organizations, likely aiming for a more substantial financial gain.

Particularly at risk are enterprises with extensive help desks and outsourced IT functions that are vulnerable to social engineering attacks.

To defend against the tactics employed by this cybercrime group, organizations are advised to strengthen authentication measures, enforce strict identity controls, implement access restrictions that limit privilege escalation and lateral movement, and train help desk personnel to verify an employee's identity properly before resetting accounts.
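One detection that complements the help desk controls above is to correlate help-desk-initiated password or MFA resets with what the account does immediately afterwards. The following is an added example written for this article, not code from GTIG or any vendor named here: it runs over constructed identity-provider audit events (the event names, user names and addresses are invented) and flags a reset that is followed, within an hour, by MFA enrolment or a sign-in from an address the user had never used before.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Alice's account is reset by a
# help desk agent and then enrols MFA and signs in from a never-before-seen address;
# Bob's reset is followed by a sign-in from his usual address.
SAMPLE_EVENTS = [
    {"ts": "2025-06-16T08:50:00", "event": "signin.success", "user": "bob", "actor": "bob", "src": "10.1.4.31"},
    {"ts": "2025-06-16T09:02:00", "event": "signin.success", "user": "alice", "actor": "alice", "src": "10.1.4.20"},
    {"ts": "2025-06-16T13:10:00", "event": "helpdesk.password_reset", "user": "alice", "actor": "hd_agent7", "src": "10.9.0.5"},
    {"ts": "2025-06-16T13:12:00", "event": "helpdesk.mfa_reset", "user": "alice", "actor": "hd_agent7", "src": "10.9.0.5"},
    {"ts": "2025-06-16T13:25:00", "event": "mfa.enroll", "user": "alice", "actor": "alice", "src": "203.0.113.44"},
    {"ts": "2025-06-16T13:26:00", "event": "signin.success", "user": "alice", "actor": "alice", "src": "203.0.113.44"},
    {"ts": "2025-06-16T14:00:00", "event": "helpdesk.password_reset", "user": "bob", "actor": "hd_agent2", "src": "10.9.0.6"},
    {"ts": "2025-06-16T14:05:00", "event": "signin.success", "user": "bob", "actor": "bob", "src": "10.1.4.31"},
]

HELPDESK_RESETS = {"helpdesk.password_reset", "helpdesk.mfa_reset"}  # hypothetical event names
POST_RESET_ACTIONS = {"mfa.enroll", "signin.success"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Return sorted (user, helpdesk_actor, new_src, event) tuples for every
    help-desk reset that is followed within `window` by MFA enrolment or a sign-in
    for the same user from a source address not seen for that user before the reset."""
    events = sorted(events, key=_ts)
    known_src = {}  # user -> addresses seen in that user's own sign-ins/enrolments so far
    findings = set()
    for i, ev in enumerate(events):
        user = ev["user"]
        if ev["event"] in HELPDESK_RESETS:
            baseline = set(known_src.get(user, set()))  # snapshot taken at reset time
            deadline = _ts(ev) + window
            for later in events[i + 1:]:
                if _ts(later) > deadline:
                    break
                if (later["user"] == user and later["event"] in POST_RESET_ACTIONS
                        and later["src"] not in baseline):
                    findings.add((user, ev["actor"], later["src"], later["event"]))
        elif ev["event"] in POST_RESET_ACTIONS:
            known_src.setdefault(user, set()).add(ev["src"])
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print("review:", finding)
```

A hit is a prompt for the help desk to call the employee back on a number already on file, not proof of compromise; legitimate travel or a new device produces the same pattern.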