This week, we briefed our clients on Scattered Spider, a group that was involved in high-profile attacks in Europe and is now turning its focus to U.S. retailers.
KEY TAKEAWAYS
Cyber-extortion group Scattered Spider's campaign against the retail industry is shifting its focus to the U.S. Learn the group's TTPs and how to protect against them.
Critical vulnerabilities in Fortinet, Cisco, SonicWall, Google Chrome, and ASUS. Patch now!
Scattered Spider is a cyber-extortion group operating since 2022 and is associated with a larger hacking collective known as "The Com". The group specializes in sophisticated social engineering tactics and has aligned with various ransomware groups such as ALPHV. It has repeatedly made the news for high-profile attacks, such as hacking and extorting Caesars Entertainment and MGM Resorts in 2023. Last month, the group made the news again when it targeted major retailers in the U.K., including Marks & Spencer, Co-op, and Harrods. All three of these recent breaches were claimed by DragonForce ransomware, suggesting Scattered Spider is now affiliated with that group. Last week, Google warned that the group and its tactics have now shifted focus toward U.S. retailers.
Attacking The Human
Scattered Spider is known for advanced and aggressive social engineering. Most members of the group are believed to reside in the United States and the United Kingdom, which gives them the advantage of speaking fluent English. In some cases, they perform vishing (voice phishing) attacks, posing as IT Helpdesk staff to obtain employee credentials or to convince employees to install and run remote access software that provides initial remote access. They have also used this ruse to convince employees to share one-time passwords, bypassing MFA. In other campaigns, the group has sent repeated MFA push notifications (MFA fatigue), bombarding the user with prompts until they eventually accept one. The group has also targeted weak SMS-based MFA by conducting SIM swaps, gaining control over the victim's phone number and therefore the MFA prompts delivered to it.
To support these social engineering tactics, Scattered Spider is known to register fake sites impersonating single sign-on (SSO) or HR pages for its targets, such as citrix-okta[.]com or doordash-support[.]com. Research from Silent Push shows that after these domains are registered, the phishing pages are live for only 5 to 30 minutes, and never longer than a couple of hours. Other keywords used in these phishing domains are "sso", "help", "hr", "corp", "my", "internal", "cdn", and "vpn". In 2025, the group has also been observed using Dynamic DNS, or rented subdomains. They leveraged a domain service at it[.]com, which rents out subdomains such as <yourcompany>.it[.]com. This is yet another way Scattered Spider can impersonate business websites.
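The domain patterns above (brand token combined with a lure keyword, and brand names on rented it[.]com subdomains) can be turned into a simple hunting check over a registration feed. The following is an added example, not code from the original report or from Silent Push; the brand list, the "support" token (taken from the doordash-support example) and the two-label suffix set are assumptions for illustration.

```python
import re

# Lure keywords the report lists for Scattered Spider lookalike domains, plus
# "support", which appears in the doordash-support example (assumption).
LURE_KEYWORDS = {"sso", "help", "hr", "corp", "my", "internal", "cdn", "vpn", "support"}
# Rented-subdomain service named in the report; extend for other dynamic-DNS providers.
RENTED_PARENTS = {"it.com"}
# Simplified stand-in for a public-suffix list (assumption: enough for this example).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

def normalize(domain: str) -> str:
    """Undo defanging ([.]) and strip scheme/path so feed entries and report IOCs compare alike."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^[a-z][a-z0-9+.-]*://", "", d)
    return d.split("/")[0].rstrip(".")

def registrable_label(labels: list[str]) -> str:
    """Return the label registered with the registry, e.g. 'acme-sso' for acme-sso.co.uk."""
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2]

def assess_domain(domain: str, brands: set[str]) -> list[str]:
    """Return reasons a domain resembles a Scattered Spider-style lookalike ([] = no match).

    brands: lower-case tokens for the organisations you monitor, e.g. {"acme", "citrix"}.
    """
    labels = normalize(domain).split(".")
    if len(labels) < 2:
        return []
    reasons = []
    # Pattern 1: brand name on a rented subdomain, e.g. <yourcompany>.it.com
    parent = ".".join(labels[-2:])
    if parent in RENTED_PARENTS:
        if len(labels) >= 3 and labels[-3] in brands:
            reasons.append(f"brand '{labels[-3]}' on rented subdomain service {parent}")
        return reasons
    # Pattern 2: brand token combined with a lure keyword (citrix-okta, acme-sso) or with
    # a second monitored brand (target + identity provider) in the registered label.
    tokens = set(re.split(r"[-_]", registrable_label(labels))) - {""}
    hit_brands = sorted(tokens & brands)
    hit_lures = sorted(tokens & LURE_KEYWORDS)
    if hit_brands and (hit_lures or len(hit_brands) > 1):
        reasons.append(f"brand {hit_brands} combined with {hit_lures or 'second brand'}")
    return reasons

if __name__ == "__main__":
    # Constructed sample feed of newly registered domains (not real indicators,
    # apart from the two examples quoted in the report).
    feed = ["citrix-okta[.]com", "doordash-support[.]com", "acme.it[.]com",
            "acme-sso.co.uk", "www.acme.com", "okta.com", "example.org"]
    for d in feed:
        print(d, "->", assess_domain(d, {"acme", "citrix", "doordash", "okta"}) or "no match")
```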
Legitimate Tools
Scattered Spider is known to use legitimate software and living-off-the-land techniques to maintain persistence in target environments. The group has been observed leveraging a variety of legitimate remote access tools, such as Fleetdeck.io, Level.io, Ngrok, Pulseway, Screenconnect, Splashtop, Tactical.RMM, Tailscale, and TeamViewer.
Malicious Tools
The group does not restrict itself to commercial tools. It has also been observed using common hacking tools such as Mimikatz or secretsdump.py to dump credentials and elevate privileges, and common infostealers such as VIDAR and Raccoon Stealer. In a recent campaign, the group was observed leveraging an updated version of Spectre RAT, which allows for data exfiltration, command execution, and system reconnaissance.
How to Protect Your Organization
Defending against Scattered Spider requires a wide range of controls. A robust, defense-in-depth approach is the best way to mitigate the impact of these campaigns.
Resources:
Vulnerability Roundup
A critical stack-based overflow vulnerability, tracked as CVE-2025-32756 and affecting Fortinet's FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera devices, is under active exploitation. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands via crafted HTTP requests. The flaw affects the following product versions:
The Fortinet advisory disclosed the following IP addresses were used in exploitation attempts:
*.ip:(198.105.127.124 OR 43.228.217.173 OR 43.228.217.82 OR 156.236.76.90 OR 218.187.69.244 OR 218.187.69.59)
Additional indicators of compromise are listed in the Fortinet advisory. Administrators are urged to patch as soon as possible. Additional workarounds include disabling the HTTP/HTTPS administrative interface.
Cisco recently released a security advisory for IOS XE Software for Wireless LAN Controllers. Tracked as CVE-2025-20188 (CVSS 10.0), successful exploitation allows a remote, unauthenticated attacker to upload arbitrary files, perform path traversal, and execute arbitrary commands as root. The advisory also notes that exploitation is only possible when the "Out-of-Band AP Image Download" feature is enabled; this feature is not enabled by default. The following products are affected:
To determine if the Out-of-Band AP Image Download feature is enabled, use the "show running-config | include ap upgrade" command. If "ap upgrade method https" is returned, then the feature is enabled and the device is vulnerable. Administrators are urged to upgrade to the latest version. If this is not possible, it is recommended to disable the AP Image Download feature.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
https://thehackernews.com/2025/05/cisco-patches-cve-2025-20188-100-cvss.html
Not to be confused with previously reported vulnerabilities, a new set of high-severity vulnerabilities has been disclosed by SonicWall in its SMA100 appliances. Tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, an attacker with access to an SMA SSL-VPN user account can "chain these vulnerabilities to make a sensitive system directory writable, elevate privileges to SMA administrator, and write an executable file to a system directory...resulting in root-level remote code execution" per a report from Rapid7. Administrators are urged to upgrade to version 10.2.1.15-81sv or higher to address these vulnerabilities.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0011
https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/
https://thehackernews.com/2025/05/sonicwall-patches-3-flaws-in-sma-100.html
A new vulnerability in Google Chrome, tracked as CVE-2025-4664, was added to CISA's Known Exploited Vulnerabilities catalog last week. This medium-high severity flaw, if successfully exploited, can allow remote attackers to leak cross-origin data via specially crafted HTML pages. This data can contain authentication parameters and can potentially lead to account takeovers. Administrators are urged to update Chrome browsers to version 136.0.7103.113+ for Windows & Linux and 136.0.7103.114+ for macOS.
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
Security researcher "MrBruh" discovered a pair of vulnerabilities in ASUS DriverHub, tracked as CVE-2025-3462 and CVE-2025-3463. When chained together, they allow an attacker to achieve an origin bypass and remote code execution with minimal user interaction. Any computer using an ASUS motherboard runs ASUS's official driver management tool, which is automatically installed the first time the system boots. This service runs in the background on port 53000 and continuously checks for driver updates. The service is intended to reject any request that does not come from 'driverhub.asus.com'. However, because of how that check was implemented, any domain that simply contains this string is accepted, such as 'driverhub.asus.com.attackersite.com'. Additionally, a flaw in the UpdateApp endpoint allows the service to download and run executable files from "asus.com" URLs without any user confirmation. An attacker only needs to lure the user to an attacker-controlled website, which can then force the vulnerable service to download and execute malicious files on the system. Administrators are urged to patch DriverHub by clicking the "Update Now" button within ASUS DriverHub, or to disable DriverHub in the BIOS settings to prevent it from automatically fetching files.
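The root cause described above, a substring test standing in for an origin check, is a common bug class. The following added example (not ASUS code, and not the researcher's proof of concept) contrasts that weak pattern with a parsed, exact-host check for the Origin header and a dot-anchored suffix check for the download host; the "downloads.asus.com" sample URL is constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_ORIGIN_HOST = "driverhub.asus.com"  # host the service is meant to trust (from the report)
TRUSTED_DOWNLOAD_BASE = "asus.com"           # download URLs must sit under this domain

def origin_allowed_naive(origin: str) -> bool:
    """The weak pattern the report describes: a bare substring test. Kept only for comparison,
    it accepts 'https://driverhub.asus.com.attackersite.com' and anything that merely
    mentions the trusted name in its path or query."""
    return TRUSTED_ORIGIN_HOST in origin

def _host_of(url: str) -> Optional[str]:
    """Return the normalised host of a clean https URL, or None if the URL is not acceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or port not in (None, 443):
        return None                  # no user@host tricks, no unexpected ports
    return parts.hostname.rstrip(".").lower()

def origin_allowed_strict(origin: str) -> bool:
    """Exact host comparison after parsing: 'driverhub.asus.com.attackersite.com' is simply
    a different host. An Origin header carries scheme://host[:port] only, so reject extras."""
    parts = urlsplit(origin)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return _host_of(origin) == TRUSTED_ORIGIN_HOST

def download_url_allowed(url: str) -> bool:
    """Suffix match anchored on a dot: accepts asus.com and *.asus.com, rejects
    notasus.com and asus.com.attacker.example."""
    host = _host_of(url)
    if host is None:
        return False
    return host == TRUSTED_DOWNLOAD_BASE or host.endswith("." + TRUSTED_DOWNLOAD_BASE)

if __name__ == "__main__":
    # Constructed sample origins, including the bypass form quoted in the report.
    for origin in ["https://driverhub.asus.com", "https://driverhub.asus.com.attackersite.com",
                   "https://attacker.example/?ref=driverhub.asus.com", "http://driverhub.asus.com"]:
        print(f"{origin:55} naive={origin_allowed_naive(origin)!s:5} strict={origin_allowed_strict(origin)}")
    for url in ["https://downloads.asus.com/driver.exe", "https://asus.com.attacker.example/driver.exe"]:
        print(f"{url:55} download_allowed={download_url_allowed(url)}")
```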
https://www.bleepingcomputer.com/news/security/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights/
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.