US Charges Five Scattered Spider Members Tied to Hacking Spree
DOJ seizes PopeyeTools, DOJ charges 247TVStream brothers, FBI says BianLian gang is based in Russia, S. Korea attributes Upbit 2019 hack to Lazarus and Andariel, Finastra confirms breach probe, Coast Guard warns of remote vulnerabilities in Chinese port cranes, much more
The US Justice Department unsealed an indictment and complaint against five alleged members of the notorious Scattered Spider gang, also known as 0ktapus or Octo Tempest, accusing them of a hacking spree that targeted dozens of companies and individuals and resulted in the theft of sensitive data and at least $11 million in cryptocurrency.
Noah Urban, 20, of Florida, Joel Evans, 25, of North Carolina, two Texas residents, Ahmed Elbadawy, 23, and Evans Osiebo, 20, and Tyler Buchanan, 22, of Scotland, were charged for their roles in the cyberattacks, which included the hacking of at least 29 individuals.
According to federal prosecutors in California, the defendants relied on various fraudulent techniques, including SMS phishing and SIM swapping, to obtain legitimate credentials from employees between late 2021 and the spring of 2023 so they could gain unauthorized access to those employees' accounts and their companies' networks.
Scattered Spider, a loosely organized group, has become notorious not only because it uses social engineering to trick IT workers into granting it access to company networks but also because some of its members are based in the US and UK, whereas cybercrime is more often attributed to gangs based in Russia, North Korea, Nigeria, or other distant locales.
Court filings don’t identify the names of the hacking victims, but one of them was Riot Games Inc., according to a person familiar with the matter. Riot Games declined to comment.
Other victims of the defendants’ alleged crimes include four US-based telecommunication companies, two US-based IT outsourcing companies and one US-based cryptocurrency company.
According to prosecutors, roughly $4 million of the stolen cryptocurrency has been recovered. Investigators are still working out the total value of the stolen data.
Members of Scattered Spider have also been tied to attacks on MGM Resorts International, Caesars Entertainment, Coinbase, and others. UK police in July arrested a 17-year-old in the West Midlands for his alleged role in Scattered Spider. (Margi Murphy / Bloomberg)
Related: Cyberscoop, Justice Department, The Record, PCMag, Reuters, Axios, TechCrunch, BleepingComputer, crypto.news, Sky News, The Register, Cointelegraph, Techzine, Databreaches.net
The US Justice Department has seized PopeyeTools, a notorious online marketplace dedicated to committing cybercrime, fraud, and selling stolen credit cards.
The department unveiled criminal charges against three alleged administrators: Abdul Ghaffar, Abdul Sami, and Javed Mirza. The two Pakistanis and an Afghan are charged with conspiracy, trafficking, and solicitation related to access devices.
The U.S. also obtained judicial authorization to seize approximately $283,000 in cryptocurrency from an account controlled by Sami. If convicted, Ghaffar, Sami, and Mirza each face up to 10 years in prison for each of the three access device offenses. (Chris Riotta / Bank Info Security)
Related: Justice Department, The Register, Techzine, Databreaches.net
The US Justice Department charged the administrators behind the illegal sports streaming site 247TVStream after one of the men was arrested in New York.
An indictment unsealed Tuesday charged Noor Nabi Chowdhury, of Cheektowaga, New York, and his brother, Mohammad Rahman, of Dhaka, Bangladesh, with several crimes related to their management of 247TVStream, an online subscription-based service that let users stream live sports and television shows.
The pair allegedly made more than $7 million from the platform. Chowdhury was arrested on Tuesday after a federal grand jury returned an indictment on November 15 charging both men with conspiracy to provide to the public an illicit digital transmission service, providing an illicit digital transmission service, conspiracy to commit wire fraud, and aggravated identity theft.
Chowdhury appeared in the US District Court for the Western District of New York, and an arrest warrant has been issued for Rahman, who has not been located. Chowdhury and Rahman face up to 28 years in prison each for the charges.
The two ran the site from May 2017 to November 2024, charging users $10 monthly to subscribe to the platform. They obtained the streams by purchasing legitimate accounts and relaying them to their users. (Jonathan Greig / The Record)
Related: Justice Department
According to new information shared by the FBI and Australian law enforcement, despite the gang's Chinese-sounding name, the BianLian ransomware actors are likely based in Russia and have multiple Russia-based affiliates.
BianLian has drawn scrutiny for attacks on charities like Save The Children and healthcare firms like Boston Children’s Health Physicians. On Tuesday, the gang took credit for an attack on Amherstburg Family Health Team, a Canadian healthcare company that said it is currently experiencing delays due to technical issues with its phone system.
The FBI and Australian Cyber Security Centre on Wednesday published an updated advisory on the group, warning that the gang has shifted its tactics and is now moving toward extorting companies with stolen data instead of fully encrypting systems. The group has exclusively focused on exfiltration-based extortion since January.
The advisory notes that, like many ransomware gangs, the likely Russia-based group has used its name “to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts.”
The group has been seen targeting public-facing applications on Windows and ESXi infrastructure, possibly leveraging the ProxyShell vulnerabilities in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access.
The agencies also saw BianLian actors exploiting vulnerabilities such as CVE-2022-37969, a Windows Common Log File System (CLFS) driver privilege-escalation flaw affecting Windows 10 and 11. (Jonathan Greig / The Record)
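Because the advisory names the ProxyShell chain as a likely initial-access vector, here is an added example of what a defender would hunt for in Exchange front-end logs. It is written for this page and is not code from the advisory, the FBI, or The Record. It scans IIS W3C log records for the autodiscover.json path-confusion pattern the ProxyShell chain relies on (a query string that begins with "@host/" so the Exchange front end rewrites the request toward a back-end endpoint such as /powershell or /mapi/nspi, and a client-supplied X-Rps-CAT token for the PowerShell back end). The log excerpt, the evil.test host, and the IP addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (placeholder hosts and RFC 5737 addresses,
# not real telemetry). The #Fields directive names the columns; "-" is empty.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-11-20 10:01:02 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 203.0.113.10 200
2024-11-20 10:01:09 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 198.51.100.7 200
2024-11-20 10:01:11 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 198.51.100.7 200
2024-11-20 10:02:30 POST /autodiscover/autodiscover.xml - 203.0.113.22 200
2024-11-20 10:03:45 GET /ecp/default.aspx - 203.0.113.10 401
"""

AUTODISCOVER_JSON = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
# Exchange back-end endpoints the SSRF is used to reach once the front end
# has been confused into treating the request as Exchange-internal.
BACKEND_PATHS = ("/powershell", "/mapi/nspi", "/ews/")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    uri: str
    indicators: list = field(default_factory=list)


def parse_w3c(text):
    """Yield (line_no, {field: value}) for each W3C extended log record."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):   # malformed record: skip rather than guess
            continue
        yield line_no, dict(zip(fields, values))


def proxyshell_indicators(stem, query):
    """Return human-readable indicators found in one request, or [] if clean."""
    hits = []
    if not AUTODISCOVER_JSON.search(stem):
        return hits
    decoded = unquote(query).lower()
    # Legitimate Autodiscover clients send Email=... here; the exploit chain
    # instead starts the query with "@host/" so the front end rewrites the URL.
    if decoded.startswith("@"):
        hits.append("autodiscover.json?@ path confusion (CVE-2021-34473 pre-auth SSRF)")
    if "autodiscover.json?@" in decoded:
        hits.append("Email= parameter carries a nested autodiscover.json?@ token")
    reached = [p for p in BACKEND_PATHS if p in decoded]
    if reached:
        hits.append("request routed to back-end endpoint(s): " + ", ".join(reached))
    if "x-rps-cat=" in decoded:
        hits.append("client-supplied X-Rps-CAT token (CVE-2021-34523 PowerShell back-end auth bypass)")
    return hits


def scan_iis_log(text):
    """Run the indicator check over every record and collect findings."""
    findings = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        query = "" if query == "-" else query
        hits = proxyshell_indicators(stem, query)
        if hits:
            uri = stem + ("?" + query if query else "")
            findings.append(Finding(line_no, rec.get("c-ip", "-"),
                                    rec.get("cs-method", "-"), uri, hits))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.method} {f.uri}")
        for ind in f.indicators:
            print("   -", ind)
```

Two caveats for anyone adapting this. The third CVE in the chain, CVE-2021-31207, is a post-authentication file write via mailbox export and leaves no distinctive front-end request; look instead for New-MailboxExportRequest in Exchange admin audit or PowerShell logs and for unexpected .aspx files under web-reachable directories. And ordinary Autodiscover traffic does hit autodiscover.json with an Email= parameter, so the leading-"@" indicator, not the path alone, is the one worth alerting on.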
South Korea's National Office of Investigation confirmed that North Korean hackers were responsible for the $50 million Upbit cryptocurrency hack in 2019.
The authorities confirmed that the hack, which stole 342,000 Ether, was carried out by North Korean hacker groups Lazarus and Andariel.
Upbit, a South Korea-based cryptocurrency exchange, reported on Nov. 27, 2019, that the crypto had been stolen from its hot wallet. The ETH was worth about $147 a coin at the time of the theft, making the total amount stolen about $50 million.
With the recent surge in Ether’s value alongside Bitcoin, the stolen amount would exceed $1 billion today. (Ezra Reguerra / Cointelegraph)
Related: Police.go.kr, YNA.co.kr, Reuters, The Block, BeInCrypto, KoreaJoongAng Daily, NK News, cryptonews, The Cryptonomist, CoinGape
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform.
Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
On November 8, 2024, Finastra notified financial institution customers that on Nov. 7, its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.
“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the customer firms.
“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”
However, its notice to customers does indicate that the intruder managed to extract or “exfiltrate” an unspecified volume of customer data. (Brian Krebs / Krebs on Security)
Related: Bleeping Computer, TechCrunch, CSO Online, Forbes, Cybernews, Tech Monitor, Databreaches.net, Dataconomy, SC Media, PCMag
A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system.
A threat actor using the nickname 'nears' (previously near2tlg) claimed to have attacked multiple healthcare facilities in France, alleging that they have access to the patient records of over 1,500,000 people.
The hacker claims they breached MediBoard by Softway Medical Group, which offers Electronic Patient Record (EPR) solutions across Europe.
Softway Medical Group confirmed that hackers had compromised a MediBoard account. However, it noted that this was not the result of a software vulnerability or misconfiguration on its part but rather of credentials stolen from the hospital.
Softway Medical Group says it did not directly manage the exposed data, which was hosted by the hospital.
The threat actor began selling what they claimed was access to the MediBoard platform for multiple French hospitals, including Centre Luxembourg, Clinique Alleray-Labrouste, Clinique Jean d'Arc, Clinique Saint-Isabelle, and Hôpital Privé de Thiais.
This access allegedly would let the buyer view the hospitals' sensitive healthcare and billing information, patient records, and the ability to schedule and modify appointments or medical records.
To prove that they gained access to the MediBoard accounts, the hacker also put the records of 758,912 patients from an unnamed French hospital up for sale. (Bill Toulas / Bleeping Computer)
Related: TechRadar
The US Coast Guard is warning that Chinese-made ship-to-shore cranes come with "built-in vulnerabilities" enabling remote access and control, urging operators nationwide to adopt enhanced security protocols.
Cranes manufactured by state-owned Chinese companies account for nearly 80% of all heavy-lift gantry cranes that load and unload container ships at American ports. The Coast Guard said their design could include built-in remote access and control capabilities.
The notice states, "Additional measures are necessary to prevent a transportation security incident." It attributes the new requirements "to the prevalence of STS cranes manufactured by PRC companies in the U.S." and "threat intelligence related to the PRC's interest in disrupting US critical infrastructure."
The Coast Guard instructs owners and operators of Chinese-made STS cranes to obtain a copy of the official directive from their local Coast Guard officials, stating the materials contain sensitive security information. A congressional report published in September warned a Chinese company with a major share of the global market of STS port cranes posed "significant cybersecurity and national security vulnerabilities" to the US. (Chris Riotta / Data Breach Today)
Related: Federal Register, Industrial Cyber
New Jersey-based insurer Crum & Forster recently unveiled a policy specifically designed to shield CISOs from personal liability.
The policies, which can be obtained by a company on behalf of its CISO or by a CISO directly, can cover consulting done for the organization and its subsidiaries as well as moonlighting or pro bono IT security work.
The plan offers zero-deductible defense costs, broad claims coverage that extends to criminal proceedings, and targeted regulatory protection tied to the SEC's cyber disclosure rules, aimed at limiting a CISO's exposure to civil and criminal liability.
Premiums typically range from $3,000 to $5,000 per insured person, depending on coverage limits and deductibles. Additional variables, including whether the company is public or private and the company's years of experience, can also influence the pricing. (Greg Otto / Cyberscoop)
Related: Insurance Business America
MITRE shared this year's top 25 list of the most common and dangerous software weaknesses, which were behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024.
To create this year's ranking, MITRE analyzed 31,770 CVE records reported between June 2023 and June 2024, re-mapping the CWE assignments of records that "would benefit from re-mapping analysis" and focusing on vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog, then scored each weakness on its frequency and severity.
CISA said, "Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle." (Sergiu Gatlan / Bleeping Computer)
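Because the item only says the weaknesses were scored on "frequency and severity", here is an added example, written for this page and not MITRE's own tooling, implementing the scoring formula the CWE Top 25 methodology publishes: for each CWE, the count of mapped CVEs and the mean CVSS score are each min-max normalised across the candidate weaknesses, and the two normalised values are multiplied and scaled to 100 (score = Fr × Sv × 100). The CVE records are constructed, the `remap` argument is a stand-in for the re-mapping step, and the KEV focus of the 2024 run is not modelled.

```python
from collections import defaultdict

# NVD placeholder categories that carry no usable weakness mapping.
UNMAPPED = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

# Constructed CVE records (id, CWE as mapped in NVD, CVSS base score);
# not real NVD data.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 4.8),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-89", 9.8),
    ("CVE-0000-0008", "CWE-89", 7.5),
    ("CVE-0000-0009", "CWE-20", 5.3),
    ("CVE-0000-0010", "NVD-CWE-noinfo", 7.5),
]


def _norm(x, lo, hi):
    # Min-max normalisation. If every candidate has the same value that axis
    # cannot discriminate, so it contributes 1.0 instead of dividing by zero.
    return 1.0 if hi == lo else (x - lo) / (hi - lo)


def rank_weaknesses(cves, remap=None):
    """Return [(cwe, score, cve_count, mean_cvss)] sorted by descending score.

    remap maps a CVE id to a corrected CWE, standing in for the analyst
    re-mapping step applied to records with weak or missing NVD mappings.
    """
    remap = remap or {}
    cvss_by_cwe = defaultdict(list)
    for cve_id, cwe, cvss in cves:
        cwe = remap.get(cve_id, cwe)
        if cwe in UNMAPPED:
            continue
        cvss_by_cwe[cwe].append(cvss)
    if not cvss_by_cwe:
        return []

    freq = {c: len(v) for c, v in cvss_by_cwe.items()}
    sev = {c: sum(v) / len(v) for c, v in cvss_by_cwe.items()}
    fmin, fmax = min(freq.values()), max(freq.values())
    smin, smax = min(sev.values()), max(sev.values())

    ranked = []
    for cwe in cvss_by_cwe:
        score = _norm(freq[cwe], fmin, fmax) * _norm(sev[cwe], smin, smax) * 100
        ranked.append((cwe, round(score, 2), freq[cwe], round(sev[cwe], 2)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    print("as mapped in NVD:")
    for row in rank_weaknesses(SAMPLE_CVES):
        print("  %-8s score %6.2f  cves %d  mean cvss %.2f" % row)
    print("after re-mapping CVE-0000-0010 to CWE-787:")
    for row in rank_weaknesses(SAMPLE_CVES, remap={"CVE-0000-0010": "CWE-787"}):
        print("  %-8s score %6.2f  cves %d  mean cvss %.2f" % row)
```

Two properties of the formula are visible in the output. The most frequent weakness (CWE-79, four CVEs of modest severity) ranks below CWE-787 and CWE-89, which are rarer but severe, because frequency and severity multiply rather than add. And the weakness that is lowest on either axis (CWE-20 here) scores exactly zero regardless of its other axis, a known artefact of min-max normalisation that is worth remembering when reading the bottom of the real list.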
Related: CISA, Mitre, Cyber Daily
Best Thing of the Day: That's Five Million Smackeroonies for You!
Starting in 2025, the RSAC Innovation Sandbox Top 10 Finalists will each receive a $5 million investment to drive cybersecurity innovation.
Worst Thing of the Day: Ladies, You Too Can Be a Cybercriminal
According to the SANS Institute, women are starting to fill roles in Russian-speaking cybercrime outfits, traditionally all-male bastions.