{ "name": "New Campaigns from Scattered Spider", "slug": "new-campaigns-from-scattered-spider", "description": "Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing credentials. Defenders should remain vigilant, monitor for suspicious domains, and educate employees about identifying phishing attempts.", "published": "2024-05-10T06:33:35+00:00", "created_at": "2024-05-10T06:33:35+00:00", "modified_at": "2024-05-10T06:55:38+00:00", "created_at_opencti": "2024-05-10T06:33:35+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-05-05", "2024-05-06", "2024-05-07", "2024-05-08", "2024-05-09", "2024-05-10", "credential-theft", "lookalike domains", "phishing", "social engineering", "telecom targeting" ], "related_entities": { "observables": [ { "id": "", "name": "login.suniife.com" }, { "id": "", "name": "zendesklt.com" }, { "id": "", "name": "zen-sso.com" }, { "id": "", "name": "yourbbt.com" }, { "id": "", "name": "walmartworkspace.com" }, { "id": "", "name": "walmartsso.com" }, { "id": "", "name": "vzapps-vzn.com" }, { "id": "", "name": "vz-hr.com" }, { "id": "", "name": "uscellularhr.com" }, { "id": "", "name": "uscellular-sso.com" }, { "id": "", "name": "uscellular-hr.com" }, { "id": "", "name": "uscell.net" }, { "id": "", "name": "usccplus.com" }, { "id": "", "name": "uscchr.com" }, { "id": "", "name": "unumhr.com" }, { "id": "", "name": "unum-hr.com" }, { "id": "", "name": "truecorphr.net" }, { "id": "", "name": "transamerica-hr.com" }, { "id": "", "name": "thrivent-hr.com" }, { "id": "", "name": "telesignhr.com" }, { "id": "", "name": "teiekom.net" }, { "id": "", "name": "synchronyfinanciai.com" }, { "id": "", "name": "supporthub-iqor.com" }, { "id": "", "name": "stargate-sso.com" }, { "id": "", "name": "squarespace-hr.com" }, { "id": "", "name": "square-sso.com" }, { "id": "", "name": "singtei.net" }, { "id": "", "name": "sinchdev.com" }, { "id": "", "name": "sharing-folders.com" }, { "id": "", "name": "sec-sso.net" }, { "id": "", "name": "roblox-hrs.com" }, { "id": "", "name": "recurlysso.com" }, { "id": "", "name": "realogy-hr.com" }, { "id": "", "name": "rbxhr.net" }, { "id": "", "name": "podium-hr.com" }, { "id": "", "name": "orange-sso.com" }, { "id": "", "name": "on-sinch.com" }, { "id": "", "name": "nfp-hr.com" }, { "id": "", "name": "newyorklifehr.com" }, { "id": "", "name": "myworkspaceinfo.com" }, { "id": "", "name": "my-tsl.net" }, { "id": "", "name": "my-tsl.com" }, { "id": "", "name": "mercury-hr.com" }, { "id": "", "name": "mutualofomaha-hr.com" }, { "id": "", "name": "linkedinsso.com" }, { "id": "", "name": "klavlyo.com" }, { "id": "", "name": "klaviyo-hr.com" }, { "id": "", "name": "infobbt.com" }, { "id": "", "name": "iliad-sso.com" }, { "id": "", "name": "ibexgiobal.com" }, { "id": "", "name": "hanover-hr.com" }, { "id": "", "name": "grubhubsso.com" }, { "id": "", "name": "gitlabsso.com" }, { "id": "", "name": "gitlabhr.com" }, { "id": "", "name": "gemini-sso.com" }, { "id": "", "name": "freshdesksso.com" }, { "id": "", "name": "foundever-sso.com" }, { "id": "", "name": "fireblocks-sso.com" }, { "id": "", "name": "fidelitysso.com" }, { "id": "", "name": "eclerx-sso.com" }, { "id": "", "name": "costsso.com" }, { "id": "", "name": "desksso.com" }, { "id": "", "name": "corporate-pnc.com" }, { "id": "", "name": "corporate-huntington.com" }, { "id": "", "name": "corporate-ally.com" }, { "id": "", "name": "corp-foundever.com" }, { "id": "", "name": "connect-sso.com" }, { "id": "", "name": "corp-cox.com" }, { "id": "", "name": "connect-asurion.net" }, { "id": "", "name": "cofelyvision.com" }, { "id": "", "name": "clicksend-staging.com" }, { "id": "", "name": "cinfin-hr.com" }, { "id": "", "name": "cgsinchr.com" }, { "id": "", "name": "cellularsso.com" }, { "id": "", "name": "cellularsaies.com" }, { "id": "", "name": "cellularhr.com" }, { "id": "", "name": "bn-sso.com" }, { "id": "", "name": "block-sso.com" }, { "id": "", "name": "bell-hr.com" }, { "id": "", "name": "bbtcorp.net" }, { "id": "", "name": "athene-usa.com" }, { "id": "", "name": "asurion-idp.com" }, { "id": "", "name": "assurionsso.net" }, { "id": "", "name": "applesso.com" }, { "id": "", "name": "amica-hr.com" }, { "id": "", "name": "ally-hr.com" }, { "id": "", "name": "allstate-hr.com" }, { "id": "", "name": "aflac-hr.com" }, { "id": "", "name": "activesso.com" }, { "id": "", "name": "activecampaignhr.com" }, { "id": "", "name": "activecampaign-hr.com" }, { "id": "", "name": "charter-vpn.com" }, { "id": "", "name": "chartervpn.com" }, { "id": "", "name": "bbthour.com" }, { "id": "", "name": "my-twilio.com" }, { "id": "", "name": "bbt-work.com" }, { "id": "", "name": "victrasso.com" }, { "id": "", "name": "actlvecampaign.net" }, { "id": "", "name": "asurionsso.com" }, { "id": "", "name": "connect-cox.com" }, { "id": "", "name": "bbtvpn.com" }, { "id": "", "name": "klaviyocorp.net" }, { "id": "", "name": "podiumsso.com" }, { "id": "", "name": "intercomsso.net" }, { "id": "", "name": "hubsso.net" }, { "id": "", "name": "cashsso.com" }, { "id": "", "name": "ssotelnyx.com" }, { "id": "", "name": "postmarksso.com" }, { "id": "", "name": "freshworksso.com" }, { "id": "", "name": "bbtemps.com" }, { "id": "", "name": "freshworks-sso.net" }, { "id": "", "name": "trustsso.com" }, { "id": "", "name": "telnyxsso.com" }, { "id": "", "name": "ssopodium.com" }, { "id": "", "name": "bbt-hr.com" }, { "id": "", "name": "telnyx-sso.com" }, { "id": "", "name": "bbtplus.com" }, { "id": "", "name": "workatbbt.com" } ], "intrusion_sets": [ { "id": "2f1d4ef5-35e0-4142-82df-ef59094d9916", "name": "Scattered Spider", "slug": "scattered-spider" } ], "attack_patterns": [ { "id": "de962562-1926-4afc-96c0-28fda6912ba5", "name": "T1602" }, { "id": "974c830f-44ef-4037-a4f8-c0aa492a78de", "name": "T1600" }, { "id": "75702b35-b790-4504-a1e0-7829e76f22e9", "name": "T1585" }, { "id": "2969e5a7-1049-4df8-b1ba-8a0675de6b94", "name": "T1589" }, { "id": "6babd5aa-5112-4f14-a660-60d756a65d6d", "name": "T1586" }, { "id": "7616ff60-a18f-4663-9824-b889aa01c8ce", "name": "T1588" }, { "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa", "name": "T1598" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" } ], "vulnerabilities": [ { "id": "", "name": "CVE-2024-22024" } ], "others": [ { "id": "", "name": "Retail" }, { "id": "", "name": "Technology" }, { "id": "", "name": "Insurance" }, { "id": "", "name": "Finance" }, { "id": "", "name": "Telecommunications" } ] }, "external_refs": [ "https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/", "https://otx.alienvault.com/pulse/663ddbdf6d0f3e9aba3f095a" ] }