Oh, great. Three notorious cybercrime gangs appear to be collaborating

Prolific cybercrime collectives Scattered Spider, ShinyHunters, and Lapsus$ appear to be working together to break into businesses’ networks, steal their data, and force an extortion payment.

The “Scattered LAPSUS$ Hunters” [Telegram] channel appeared last Friday. Posts included partial breach samples, vendor lists, and a heavy dose of trolling about old and new claims of successful data theft. Messages mentioned raids on Victoria’s Secret, customer info lifted from Gucci, and an attack on US department store chain Neiman Marcus that may be connected to the 2024 theft of its customer database. Other chats included screenshots of negotiations with Chanel, and claims of intrusions at the US Department of Homeland Security and government agencies in England, France, Brazil, and India.

Channel members also claimed to be developing a ransomware-as-a-service (RaaS) operation named “ShinySpider” or “ShinySp1d3r,” and bragged that their data-locking malware could hit encryption speeds of 1 GB per second: “OUR RaaS IS ADAPTIVE BASED ON VICTIM RESOURCES – THE FASTEST WE’VE SEEN IS ~1/GBps,” they claimed, adding: “Fk LockBit and DragonForce, yayayaya!.”

By Monday, the channel had disappeared, but not before it seemed to accomplish what it set out to do: sow chaos while boosting the brands of its participants.

As threat intel provider Falcon Feeds’ founder and CEO Nandakishore Harikumar wrote in a blog shared with The Register ahead of its publication, “Scattered LAPSUS$ Hunters represents a new phase in cyber extortion where clout and chaos are as much the objectives as money.”


Meanwhile, DataBreaches opined: “They are angry kids who were somewhat impulsively revealing things last night instead of having and adhering to an organized plan. All that said, they really do come across as unstoppable at this point.”

The channel’s brief life and instant notoriety add weight to the theory that the band of miscreants, believed to be primarily teens and 20-something males located in the US, Canada, and Europe, are working together.

“All the evidence we have, not only ReliaQuest but also crowd-sourced, all fingers are pointing at some sort of alignment between ShinyHunters and Scattered Spider,” ReliaQuest Director of Threat Research Brandon Tirado told The Register.

“It seems like Scattered Spider, that cluster of activity, is acting as an initial access broker for the ShinyHunters group in particular, and they are all children of the greater collective, which is The Com,” Tirado said.

Who’s who in chaotic cybercrime?

ShinyHunters has been around in some form since 2020. The group is best known for high-profile attacks on Snowflake customers’ databases, Ticketmaster, and AT&T. Some of its members, including French national Sebastien Raoult, have been imprisoned in the US, and Parisian cops arrested another in June.

That same month, however, ShinyHunters broke into several companies’ Salesforce instances, with suspected victims including fashion houses Dior and Chanel, jewelry retailer Pandora, insurance company Allianz, and Google.

This latest wave of ShinyHunters attacks moved beyond its usual credential theft, database exploitation, and extortion attacks and included Scattered Spider’s well-worn techniques: social engineering campaigns impersonating IT support staff to trick employees into authorizing access to fake “connected apps” masquerading as legitimate tools – in this case, Salesforce – thus allowing the thieves to steal sensitive business data.

Scattered Spider is another SIM-swapping crew turned social-engineering and ransomware group. It went through a similar wringer last year when law enforcement arrested at least seven of its members following the high-profile Las Vegas casino digital heists.

Those arrests slowed their attacks for a while, but then Scattered Spider roared back into action with several high-profile retail intrusions in April.

Lapsus$, a chaotic crew of teens and young people, undertook a crime spree in 2021 and 2022 when it broke into and attempted to extort telecoms giant BT, Nvidia, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta.

The crew’s tactics included phone-based social engineering, SIM swapping, and even paying employees of target organizations for access to credentials and multi-factor authentication (MFA) codes.

In March 2022, London cops arrested and then released seven people, aged 16 to 21, for their alleged roles in the digital intrusions and extortion attempts. Police re-arrested and charged two of the teens for their involvement with the cybercrime gang later that month.

Finally, The Com is a loosely knit band of primarily English-speaking miscreants that is made up of several interconnected networks of hackers, SIM swappers, and extortionists, with some of its subgroups offering real-life violent crime for a price such as swat-for-hire and violence-as-a-service.


“Connecting the infrastructure that the Lapsus$ group was utilizing is matching fingerprint, as far as artifacts, observables, that have made connections with the more recent Scattered Spider activity and now ShinyHunters,” Tirado said. “I think it’s safe to assume that maybe that’s always how The Com has operated. Rather than it being a newer thing, it’s truly a larger community, they all have their own niche skill sets, and they can call on a friend to go get whatever they need done.”

Similar domain formatting, sectors targeted

On Tuesday, ReliaQuest published an analysis of domain registration patterns and infrastructure linked to ShinyHunters, which are suspected to have been used in the Salesforce attacks over the past couple of months.

In a previous June report, ReliaQuest had detailed how Scattered Spider frequently registered domains with keywords “okta,” “helpdesk,” and “sso,” typically formatted with hyphens: SSO-company[.]com.

In Tuesday’s analysis, ReliaQuest revealed a cluster of domains targeting high-profile organizations, including alleged ShinyHunters victims, and following a similar format:

  • ticket-lvmh[.]com
  • ticket-dior[.]com
  • ticket-louisvuitton[.]com

These domains were registered between June 20 and June 30, shortly before Louis Vuitton reportedly became aware of the intrusion on July 2. In addition to using a similar format, these domains were also registered using infrastructure associated with phishing kits commonly used to host single sign-on (SSO) login pages. This is also a “calling card of Scattered Spider’s previous SSO-themed attacks spoofing brands like Okta,” ReliaQuest reported.
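The domain pattern described above (a help-desk or SSO keyword hyphen-joined to a brand name, such as SSO-company[.]com or ticket-lvmh[.]com) is straightforward to watch for on the defensive side. The following is an added example, not ReliaQuest’s tooling or anything from the article: it takes a constructed new-domain feed (date,domain lines, with indicators defanged as in the text), refangs them, and flags registrable labels that combine one of the reported keywords with a watched brand in either order. The brand list, the feed lines, and the inclusion of “servicedesk” as a keyword are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Keywords the article reports in Scattered Spider / ShinyHunters lookalike domains
# ("okta", "helpdesk", "sso", "ticket"). "servicedesk" is added on the assumption
# that the ServiceDesk application named later in the article is themed the same way.
KEYWORDS = frozenset({"okta", "helpdesk", "sso", "ticket", "servicedesk"})

# Constructed watch list for this example; a real deployment would carry the
# organisation's own brand names plus those of its key vendors.
WATCHED_BRANDS = ["LVMH", "Dior", "LouisVuitton", "ExampleCorp"]

# Constructed new-domain feed ("date,domain"), not real registration data.
SAMPLE_FEED = """\
2025-06-20,ticket-lvmh[.]com
2025-06-22,ticket-dior[.]com
2025-06-25,helpdesk-tools[.]net
2025-06-29,sso-examplecorp[.]com
2025-06-30,dior-boutique[.]com
2025-06-30,okta[.]com
"""


@dataclass(frozen=True)
class Match:
    registered: str   # date from the feed ("" when classify() is called directly)
    domain: str       # refanged domain
    brand: str
    keyword: str
    layout: str       # token layout, e.g. "KW-BRAND" for ticket-lvmh.com


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'ticket-lvmh[.]com' back into 'ticket-lvmh.com'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain: str) -> str:
    """Label directly left of the TLD. Assumes a one-label public suffix; a production
    version would consult the Public Suffix List so that 'sso-brand.co.uk' is handled."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands: List[str], registered: str = "") -> Optional[Match]:
    """Flag a domain whose registrable label is hyphen-joined tokens containing both a
    help-desk/SSO keyword and a watched brand (either order, extra tokens allowed)."""
    tokens = registrable_label(domain).split("-")
    if len(tokens) < 2:
        return None  # single label such as okta.com: not the hyphenated pattern
    keyword = next((t for t in tokens if t in KEYWORDS), None)
    brand = next((b for b in brands if b.lower() in tokens and b.lower() != keyword), None)
    if keyword is None or brand is None:
        return None  # keyword-only (helpdesk-tools) or brand-only (dior-boutique)
    layout = "-".join(
        "KW" if t == keyword else "BRAND" if t == brand.lower() else "OTHER" for t in tokens
    )
    return Match(registered, refang(domain), brand, keyword, layout)


def scan_feed(feed: str, brands: List[str]) -> List[Match]:
    """Run classify() over a 'date,domain' feed and return the hits in feed order."""
    hits: List[Match] = []
    for line in feed.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        registered, domain = (s.strip() for s in line.split(",", 1))
        match = classify(domain, brands, registered)
        if match is not None:
            hits.append(match)
    return hits


if __name__ == "__main__":
    for m in scan_feed(SAMPLE_FEED, WATCHED_BRANDS):
        print(f"{m.registered}  {m.domain:<24} brand={m.brand:<12} "
              f"keyword={m.keyword:<10} layout={m.layout}")
```

Fed with a certificate-transparency or newly-registered-domain feed, a check like this surfaces lookalikes days before the phishing call arrives, which matches the June 20 to June 30 registration window the article describes ahead of the July 2 intrusion. It only catches the exact token pattern ReliaQuest reported; homoglyphs, digit substitutions, and multi-label public suffixes need more than this simple split.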

Then there are the overlapping sectors and timelines between Scattered Spider and ShinyHunters. In April and May, when Scattered Spider attacked UK retailers Marks & Spencer, The Co-Op, and Harrods, ShinyHunters reportedly sacked Tiffany, Dior, and Adidas.

In June and July, Scattered Spider broke into insurance companies Erie Indemnity Group and Aflac, while researchers suspected ShinyHunters hit Allianz.

Later that month, threat hunters warned Scattered Spider had moved on to target aviation businesses while ShinyHunters allegedly breached Qantas, Air France, and KLM.

“The synchronized timing of these attacks strongly supports the likelihood of coordinated efforts between the two groups,” the analysis noted.

While many threat intel firms have focused on these gangs attacking one sector at a time, ReliaQuest’s report and earlier Check Point research suggest that the criminals are more likely targeting trusted enterprise applications such as ServiceDesk, Okta, and Salesforce used by major brands.

“For 97 percent of businesses, public and private or government, the biggest threat that they should be worried about is cyber crime,” Tirado said. “I do believe Scattered Spider and the collective of The Com in general should be higher on the threat radar, but most importantly, their playbook is pretty well documented and really not as sophisticated as many people think.”

It starts out with a helpdesk call, and that’s why “that human element that is so critical, has always been the weakest link in security,” Tirado added. While Scattered Spider happens to be really good at that piece, “threat actors are monkey see, monkey do.”

To prevent these types of social-engineering attacks, companies should train their help desk staff to enforce strong identity verification processes and enforce phishing-resistant multifactor authentication, Tirado suggests.

“Before you try to get into the cool, sexy, attribution, tracking, clustering,” he said, “focus on the thing that is less trivial to change, which is the behavior that’s been so successful with social engineering.” ®

