The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.
Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.
A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.
Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.
“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”
Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.
In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy” services that cover their tracks by making it look like everyday online activity.
For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.
Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security.
Key Points:
The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive.
easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare.
Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software.
*Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved.
The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
Amid ongoing fears over TikTok, Chinese generative AI platform DeepSeek says it’s sending heaps of US user data straight to its home country, potentially setting the stage for greater scrutiny.
InfoCert, uno dei principali fornitori di identità digitale, ha confermato la violazione annunciata sui forum da criminali informatici. I dati rubati potrebbero essere usati per attacchi phishing mirati
Experts say the catchall term for online fraud furthers harm against victims and could dissuade people from reporting attempts to bilk them out of their money.
The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.
I pirati del gruppo RansomHub pubblicano su Dark Web alcuni dei documenti sottratti e chiedono al club di Serie A di pagare un riscatto
In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.
More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.
A vulnerability categorized as “critical” in a photo app installed by default on Synology network-attached storage devices could give attackers the ability to steal data and worse.
“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
It's hard enough creating one air-gap-jumping tool. Researchers say the group GoldenJackal did it twice in five years.
Please don’t, actually. But do update your Shimano Di2 shifters’ software to prevent a new radio-based form of cycling sabotage.
#bicycles #cyberattacks #cybersecurity #cycling #fitness #hacks #security
Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.
A team of researchers have developed a method for extracting authentication keys out of HID encoders, which could allow hackers to clone the types of keycards used to secure offices and other areas worldwide.
Not only is TikTok’s algorithm promoting Neo-Nazi content, extremist organizations are also using the platform to recruit new members and encourage real-world action.
#content #extremism #media #moderation #nazis #social #tiktok
A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.
A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.
