Charles Carmakal posted the following alert on LinkedIn:
ALERT: Scattered Spider has added North American airline and transportation organizations to their target list. 🚨
Mandiant (part of Google Cloud) is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider. We recommend that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts (which can be used by the threat actor to perform self-service password resets), resetting passwords, adding devices to MFA solutions, or providing employee information (e.g. employee IDs) that could be used for subsequent social engineering attacks.
Mandiant published hardening guidance a few weeks ago that will help organizations defend against Scattered Spider and other groups that use similar TTPs. This guidance is based on thousands of hours of responding to incidents and successfully eradicating these actors from victim networks.
Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting. Regardless of whether your industry is currently targeted, organizations should review the below guidance to improve their defenses.
See Mandiant’s UNC3944 defense guidance.