SIM-Swapper, Scattered Spider Hacker Gets 10 Years
https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-gets-10-years/
#JudgeHarveyE.Schlesinger #Ne'er-Do-WellNews #NoahMichaelUrban #ScatteredSpider #News4Jax.com #ScatterSwine #SIMSwapping #Mailchimp #StarFraud #DoorDash #lastpass #T-Mobile #KingBob #Oktapus #UNC3944 #TheCom #Twilio #Plex #Sosa
It's been a bit quiet over the last 24 hours, but we've got a crucial update on a persistent threat actor. Let's dive in:
Scattered Spider's VMware ESXi Hacking Spree 🕷️
- The notorious Scattered Spider group (also known as UNC3944, Octo Tempest, 0ktapus) is aggressively targeting VMware ESXi hypervisors across US retail, airline, transportation, and insurance sectors.
- Their attacks rely heavily on sophisticated social engineering, impersonating employees and privileged users to IT help desks for password resets, gaining initial access without exploiting vulnerabilities.
- Once inside, they escalate privileges to control vCenter Server Appliance (vCSA), enable SSH on ESXi hosts, perform "disk-swap" attacks to steal NTDS.dit, wipe backups, and ultimately deploy ransomware, often completing the entire chain in just hours. Google Threat Intelligence Group (GTIG) advises hardening vSphere, implementing phishing-resistant MFA, centralising logs, and using immutable, air-gapped backups.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/scattered-spider-is-running-a-vmware-esxi-hacking-spree/
#CyberSecurity #ThreatIntelligence #ScatteredSpider #UNC3944 #VMware #ESXi #Ransomware #SocialEngineering #InfoSec #IncidentResponse #CyberAttack
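A defender's check against the "enable SSH on ESXi hosts" step of the chain above, added here as an example (not code from the post or from GTIG): a PowerCLI audit that reports, per host, whether SSH is running or set to start with the host and whether lockdown mode is disabled, and can optionally stop SSH. It assumes PowerCLI is installed and a Connect-VIServer session is already open; the function name Get-EsxiSshExposure is my own.

```powershell
# Added example, not from the post: audit ESXi hosts for the SSH exposure the
# attack chain relies on, and optionally close it. Assumes VMware PowerCLI is
# installed and a session already exists via Connect-VIServer.
function Get-EsxiSshExposure {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # stop SSH and set its startup policy to manual
    )
    foreach ($vmhost in Get-VMHost) {
        # TSM-SSH is the ESXi SSH service key (TSM alone is the local ESXi Shell)
        $ssh      = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
        $lockdown = $vmhost.ExtensionData.Config.LockdownMode

        $findings = @()
        if ($ssh.Running)                     { $findings += 'SSH running' }
        if ($ssh.Policy -eq 'on')             { $findings += 'SSH starts with host' }
        if ($lockdown -eq 'lockdownDisabled') { $findings += 'Lockdown mode disabled' }

        if ($Remediate -and $ssh.Running) {
            Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
        }
        if ($Remediate -and $ssh.Policy -eq 'on') {
            Set-VMHostService -HostService $ssh -Policy Off | Out-Null
        }

        [pscustomobject]@{
            Host         = $vmhost.Name
            SshRunning   = $ssh.Running
            SshPolicy    = $ssh.Policy      # on / off / automatic
            LockdownMode = $lockdown        # lockdownDisabled / lockdownNormal / lockdownStrict
            Findings     = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Report only; add -Remediate to stop SSH and set it to manual start on flagged hosts
Get-EsxiSshExposure | Sort-Object Findings | Format-Table -AutoSize
```

Run it on a schedule and alert on any host whose Findings column changes from OK, since the chain above turns SSH on deliberately and briefly.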
This Google Cloud Threat Intelligence article details the sophisticated attack carried out by the threat group UNC3944, which targets VMware vSphere environments in the retail, airline and insurance sectors. The attack unfolds in five phases:
- Social engineering to compromise help desk operations and obtain Active Directory credentials.
- Takeover of the vCenter control plane through manipulation of the GRUB bootloader and deployment of Teleport C2.
- Offline credential theft by manipulating VM disks and exfiltrating NTDS.dit.
- Sabotage of the backup infrastructure by manipulating AD groups.
- ESXi-level ransomware deployment using vim-cmd and custom binaries.
The recommended technical mitigations include:
Scattered Spider hackers shift focus to aviation, transportation firms
If you work in aviation or transportation, LISTEN
ACTION ITEMS:
NOTE: Chisel is encrypted, so you need to be doing full SSL inspection (TLSI) to effectively detect and block the app.
Additional Resources:
Please don't let this fuck up your 4th.
#ScatteredSpider #UNC3944 #Chisel #ChiselMalware #ThreatIntel #CyberSecurity
We were warned this would happen. And now here we are.
United Natural Foods ($UNFI) has had to switch off systems after a cyberattack, crippling its operations. This is a huge deal, because #UNFI is a big part of the grocery distribution network in the U.S. and Canada.
Once again, it looks like the work of #UNC3944, a/k/a #ScatteredSpider. In #SBBlogwatch, we hoard canned goods.
@TheFuturumGroup @TechstrongGroup @SecurityBlvd: https://securityboulevard.com/2025/06/united-natural-foods-hack-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc
CISOs should fortify help desk and employee defenses, enhance intrusion detection and tracking capabilities, and recognize that paying ransoms is not a viable strategy.
#ScatteredSpider #UNC3944 #Starfraud #ScatterSwine #MuddledLibra #OctoTempest #0katpus.
Three major British retailers were recently attacked, resulting in huge damage. Now we see the self-same scum spotlighting stores in the States.
Google’s Mandiant threat intelligence team issued this dire warning yesterday. The scrotes appear to be #UNC3944, a/k/a #ScatteredSpider, a casual confederacy of criminals wielding #DragonForce #ransomware.
“Shields up, U.S. retailers,” quipped Mandiant’s chief analyst. In #SBBlogwatch, we hail the Kobayashi Maru.
@TheFuturumGroup @TechstrongGroup @SecurityBlvd: https://securityboulevard.com/2025/05/scattered-spider-us-retail-google-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc