Implications of Aviation and Transportation Sector Disruptions Caused by Scattered Spider
In the ever-evolving landscape of cyber threats, a new collective known as Scattered Spider, also referred to as UNC3944, Octo Tempest, Scatter Swine, Star Fraud, and 'the Com', has emerged as a significant concern for organizations worldwide. This financially motivated hacking group has been active since May 2022, targeting a wide range of industries, including aviation, hospitality, retail, insurance, finance, technology, entertainment, telecommunications, gaming, and cryptocurrency.
Scattered Spider has recently evolved its tactics, moving from SIM-swapping to advanced social engineering, Multi-Factor Authentication (MFA) bombing, and ransomware via affiliates like ALPHV and DragonForce. This evolution poses a serious threat, as it can compromise servers, enabling attackers to extract credentials, deploy malware, and move laterally within networks, potentially leading to data breaches or ransomware attacks.
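MFA bombing (also called push fatigue) leaves a recognisable trace in identity-provider logs: a burst of denied or unanswered push prompts for one user, often followed by a single approval once the user gives in. The following Python script is an added illustration of how a detection team might flag that pattern; it is not code from the original article or from Qualys. The log format, field names, threshold and time window are assumptions chosen for the example, and the log lines are constructed sample data.

```python
"""Flag MFA push-bombing in authentication logs (added example, constructed data).

Assumed log format (hypothetical, one event per line):
    <ISO-8601 timestamp> <user> <result> <source ip>
where result is push_approved, push_denied or push_timeout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 'alice' receives five unwanted pushes in ~90 s
# and then approves one; 'bob' shows normal, isolated activity.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z alice push_denied 203.0.113.5
2025-06-01T08:00:20Z alice push_denied 203.0.113.5
2025-06-01T08:00:45Z alice push_timeout 203.0.113.5
2025-06-01T08:01:10Z alice push_denied 203.0.113.5
2025-06-01T08:01:30Z alice push_denied 203.0.113.5
2025-06-01T08:02:05Z alice push_approved 203.0.113.5
2025-06-01T08:00:05Z bob push_approved 198.51.100.7
2025-06-01T09:30:00Z bob push_denied 198.51.100.7
"""

FAILED_RESULTS = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: details} for users with >= threshold failed pushes in any window.

    'approved_after_burst' is True when an approval follows the last failed
    push within the window: the highest-risk outcome, since the attacker has
    most likely obtained a session.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result, ip = parse_line(line)
            events[user].append((ts, result, ip))

    alerts = {}
    for user, evs in events.items():
        evs.sort()
        failures = [ts for ts, result, _ in evs if result in FAILED_RESULTS]

        # Sliding window over the sorted failure timestamps: find the densest burst.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            best = max(best, end - start + 1)

        if best >= threshold:
            last_fail = failures[-1]
            approved_after = any(
                result == "push_approved" and last_fail <= ts <= last_fail + window
                for ts, result, _ in evs
            )
            alerts[user] = {
                "failed_pushes": best,
                "approved_after_burst": approved_after,
                "source_ips": sorted({ip for _, _, ip in evs}),
            }
    return alerts


if __name__ == "__main__":
    for user, details in detect_push_bombing(SAMPLE_LOG).items():
        print(f"ALERT {user}: {details}")
```

In practice the approval-after-burst case should page someone immediately and the session should be revoked pending contact with the user out of band; the burst without an approval is still worth a ticket, because it usually means the password is already compromised.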
One of the vulnerabilities that Scattered Spider has exploited is CVE-2015-2291, which can enable local attackers to execute arbitrary code with kernel privileges or cause a denial of service. Given the active nature of this threat, organizations are advised to prioritize patching this vulnerability, especially considering that it is listed in the CISA's Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation incidents.
Another vulnerability that has been widely exploited by ransomware groups is CVE-2024-37085, an authentication bypass vulnerability impacting VMware ESXi and VMware Cloud Foundation. Attackers with sufficient Active Directory (AD) permissions can exploit this vulnerability to gain unauthorized full administrative access to an ESXi host. Recommended solutions for this vulnerability include upgrading to VMware ESXi 8.0 Update 3 (ESXi80U3-24022510) or VMware Cloud Foundation 5.2 as soon as possible, applying Broadcom's recommended configuration workarounds, removing unnecessary exposure of ESXi servers to the public internet, and implementing Microsoft's mitigation guidance.
Scattered Spider has also targeted the ForgeRock Access Manager (AM) with the critical vulnerability CVE-2021-35464. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely on affected servers. Recommended solutions for this vulnerability include upgrading affected ForgeRock AM versions to 7.0 or later, applying ForgeRock's workaround, limiting internet access to vulnerable servers, monitoring logs for exploitation indicators, and ensuring the application runs with minimal privileges.
In an analysis of 600,000 assets across anonymized Qualys airline-industry customer organizations, the following CVEs, together with their related QIDs, were found to be actively exploited by Scattered Spider: CVE-2015-2291, CVE-2021-35464, and CVE-2024-37085.
It is essential for organizations to take proactive measures to protect their assets. Qualys offers solutions to rapidly identify and prioritize vulnerabilities related to Scattered Spider's known exploits. This includes using Qualys VMDR (Vulnerability Management, Detection and Response) to scan the environment for specific QIDs tied to Scattered Spider's known exploits, utilizing TruRisk scoring to prioritize remediation, and monitoring internet-facing exposure using Qualys' CyberSecurity Asset Management (CSAM) to discover and classify all internet-facing assets and detect misconfigurations and high-risk services.
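The prioritization described above comes down to combining three signals per finding: how severe the flaw is, whether an active actor is known to exploit it, and whether the asset is reachable from the internet. The Python below is an added example of that triage logic and is not Qualys code or a VMDR/TruRisk implementation; the scoring weights, the finding fields and the asset names are assumptions, and the findings are constructed sample data. The three CVEs and the remediation advice are taken from the article.

```python
"""Triage scan findings against the Scattered Spider CVE list (added example).

Findings are constructed records shaped like a simplified scanner export; the
field names and the scoring weights are assumptions for this example.
"""

# CVEs the article reports as actively exploited by Scattered Spider.
SCATTERED_SPIDER_CVES = {"CVE-2015-2291", "CVE-2021-35464", "CVE-2024-37085"}

# Remediation summarized from the article's guidance for each CVE.
REMEDIATION = {
    "CVE-2015-2291": "Patch (listed in CISA KEV); driver allows kernel-level code execution",
    "CVE-2021-35464": "Upgrade ForgeRock AM to 7.0 or later, or apply the ForgeRock workaround; "
                      "restrict internet access and run with minimal privileges",
    "CVE-2024-37085": "Upgrade to ESXi 8.0 Update 3 (ESXi80U3-24022510) or VCF 5.2; apply Broadcom "
                      "workarounds and Microsoft mitigation guidance; remove public exposure",
}

# Constructed findings; hostnames are hypothetical, severity is a 1-5 scanner rating.
FINDINGS = [
    {"asset": "esxi-01.corp.example", "cve": "CVE-2024-37085", "internet_facing": False, "severity": 4},
    {"asset": "am-login.example.com", "cve": "CVE-2021-35464", "internet_facing": True, "severity": 5},
    {"asset": "ws-1187.corp.example", "cve": "CVE-2015-2291", "internet_facing": False, "severity": 3},
    # Placeholder CVE id (not a real identifier) for an unrelated finding on an exposed host.
    {"asset": "web-07.example.com", "cve": "CVE-0000-00000", "internet_facing": True, "severity": 4},
]


def priority(finding, actor_cves=SCATTERED_SPIDER_CVES):
    """Assumed scoring: severity*10, +40 if an active actor exploits it, +20 if exposed."""
    score = finding["severity"] * 10
    if finding["cve"] in actor_cves:
        score += 40
    if finding["internet_facing"]:
        score += 20
    return score


def prioritize(findings, actor_cves=SCATTERED_SPIDER_CVES):
    """Return (asset, cve, score) tuples, highest priority first."""
    ranked = sorted(findings, key=lambda f: priority(f, actor_cves), reverse=True)
    return [(f["asset"], f["cve"], priority(f, actor_cves)) for f in ranked]


def remediation_plan(findings, actor_cves=SCATTERED_SPIDER_CVES):
    """Map each asset hit by an actor-exploited CVE to its action items.

    Internet-facing assets get an extra 'reduce exposure' action, mirroring the
    article's advice to remove unnecessary public reachability while patching.
    """
    plan = {}
    for f in findings:
        if f["cve"] not in actor_cves:
            continue
        actions = plan.setdefault(f["asset"], [])
        actions.append(f"{f['cve']}: {REMEDIATION[f['cve']]}")
        if f["internet_facing"]:
            actions.append("Reduce exposure: restrict or remove internet reachability now")
    return plan


if __name__ == "__main__":
    for asset, cve, score in prioritize(FINDINGS):
        print(f"{score:4d}  {asset:24s} {cve}")
    for asset, actions in remediation_plan(FINDINGS).items():
        print(f"\n{asset}")
        for action in actions:
            print(f"  - {action}")
```

The weights are deliberately simple; what matters for the workflow is that exploitation by a known active actor outranks raw severity, and that an exposed asset with such a CVE sits at the top of the queue regardless of its base score.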
Unfortunately, the threat posed by Scattered Spider is not limited to the aviation sector. In 2025, the group targeted multiple British retail sector companies, including Marks & Spencer, Co-op, and Harrods, causing significant financial damage and breaches of personal data.
As the cyber threat landscape continues to evolve, it is crucial for organizations to stay vigilant and proactive in their security measures. By understanding the tactics and vulnerabilities exploited by groups like Scattered Spider, organizations can better protect themselves and their assets.