FBI Alerts on Scattered Spider’s Growing Attacks Targeting Airlines Through Social Engineering

June 28, 2025
Cybercrime / Vulnerability

The U.S. Federal Bureau of Investigation (FBI) has reported that the notorious cybercrime group Scattered Spider is expanding its focus to the airline industry. The agency is actively collaborating with aviation and industry partners to address these threats and assist affected organizations. “These perpetrators exploit social engineering tactics, often impersonating employees or contractors to trick IT help desks into granting unauthorized access,” the FBI stated on X. “Their methods frequently include bypassing multi-factor authentication (MFA), such as persuading help desk services to add unauthorized MFA devices to compromised accounts.” Scattered Spider is also known to target third-party IT providers, increasing the risk of attacks on trusted vendors and contractors. These incidents often lead to data theft, extortion, and ransomware. In a statement released…

FBI Issues Alert on Scattered Spider’s Growing Attacks Against Airlines Through Social Engineering

On June 28, 2025, the Federal Bureau of Investigation (FBI) issued a warning regarding the cybercrime group known as Scattered Spider, which has notably expanded its attack vector to include the aviation sector. In light of this concerning trend, the FBI is collaborating with partners in the airline industry to address these threats and assist affected organizations.

Scattered Spider employs sophisticated social engineering tactics, often posing as employees or contractors to manipulate IT help desk staff into granting unauthorized access. Such tactics frequently enable these adversaries to circumvent multi-factor authentication (MFA) protocols. The FBI elaborated in their communication that attackers may persuade help desk personnel to register unauthorized MFA devices on compromised accounts, effectively bypassing one of the primary defenses against unauthorized access.

The targeting of third-party IT service providers represents a particularly alarming strategy employed by Scattered Spider. By infiltrating these crucial vendors, the group can gain entry to large organizations, thereby expanding their threat landscape. This method not only undermines the confidentiality of sensitive data but also puts trusted contractors at increased risk of exploitation.

The impact of these attacks often manifests in data breaches, extortion demands, and ransomware deployment, significantly affecting affected businesses’ operations and reputations. The FBI’s alert aims to foster awareness in the airline industry and encourages organizations to enhance their security protocols in response to these emerging threats.

In analyzing the tactics used by Scattered Spider, it is pertinent to reference the MITRE ATT&CK framework, which categorizes adversary behaviors in relation to their operational objectives. Initial access could be facilitated through social engineering, utilizing phishing schemes or other methods to exploit human vulnerabilities. The persistence of the threat may be established through the creation of backdoors or the manipulation of legitimate access permissions.

Privilege escalation techniques may also be involved, enabling these actors to gain elevated access rights within compromised networks, further exacerbating the situation. This multifaceted approach underscores the need for continuous vigilance and robust security measures within the airline sector and beyond.

Organizations are advised to reassess their cybersecurity frameworks, focusing on employee training and implementing rigorous verification processes for MFA setups. As Scattered Spider’s tactics evolve, it is imperative that companies remain alert to the risks posed by social engineering and take proactive steps to fortify their defenses against such sophisticated cyber threats.

Source link

Related Posts

Severe RCE Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Attackers to Obtain Root Access

Jun 26, 2025
Vulnerability, Network Security

Cisco has issued updates to resolve two critical security vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that may allow unauthenticated attackers to execute arbitrary commands with root privileges. These vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, both carry a maximum CVSS score of 10.0. Here’s a detailed overview of the vulnerabilities:

  • CVE-2025-20281: A remote code execution flaw impacting Cisco ISE and ISE-PIC versions 3.3 and later, enabling an unauthenticated attacker to execute arbitrary code on the system as root.

  • CVE-2025-20282: A remote code execution vulnerability in Cisco ISE and ISE-PIC version 3.4 that allows an unauthenticated attacker to upload arbitrary files to the device and execute them as root.

Cisco has indicated that CVE-2025-20281 stems from inadequate…

Major Vulnerability in Open VSX Registry Poses Supply Chain Risks for Millions of Developers

On June 26, 2025, cybersecurity analysts revealed a serious flaw in the Open VSX Registry (“open-vsx[.]org”), which, if exploited, could allow attackers to seize control of the entire Visual Studio Code extensions marketplace. This represents a significant supply chain threat. “This vulnerability gives attackers total authority over the extensions marketplace and, consequently, over millions of developer machines,” stated Oren Yomtov, a researcher at Koi Security. “By leveraging a CI issue, a malicious actor could release harmful updates to every extension available on Open VSX.” After responsibly disclosing the issue on May 4, 2025, the maintainers proposed several fixes, culminating in a final patch on June 25. The Open VSX Registry, an open-source alternative to the Visual Studio Marketplace, is maintained by the Eclipse Foundation and is used by various code editors, including Cursor, Windsurf, Google Cloud Shell Editor, and Gitpod.

MOVEit Transfer Under Heightened Threat as Scanning Activity Surges and CVE Vulnerabilities Come Under Fire

Network security firm GreyNoise has reported a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems since May 27, 2025, indicating that cybercriminals may be gearing up for a new mass exploitation campaign or probing for unpatched vulnerabilities. MOVEit Transfer, widely utilized by businesses and government agencies for secure file sharing, is a prime target due to its handling of sensitive data.

“Prior to this date, scanning was minimal—typically fewer than 10 IP addresses were observed daily,” the firm stated. “However, on May 27, that number skyrocketed to over 100 unique IPs, followed by 319 on May 28.” Since then, the volume of scanning IPs has remained intermittently elevated, fluctuating between 200 and 300 daily, marking a “significant deviation” from normal patterns. GreyNoise reports that as many as 682 unique IPs have been flagged in connection with this increased activity.

Mustang Panda’s Tibet-Focused Cyber Espionage Campaign Utilizes PUBLOAD and Pubshell Malware

Jun 27, 2025
Vulnerability / Cyber Espionage

A China-linked threat group known as Mustang Panda has been identified in a new cyber espionage operation targeting the Tibetan community. The spear-phishing attacks capitalize on Tibet-related themes, including the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and recent publications by the 14th Dalai Lama, as reported by IBM X-Force. Their cybersecurity division noted the campaign earlier this month, which involved the deployment of PUBLOAD, a known malware associated with Mustang Panda. They track this threat actor under the alias Hive0154. The attack vectors utilize Tibet-themed enticements to deliver a harmful archive containing a seemingly harmless Microsoft Word file, alongside articles from Tibetan websites and images from WPCT, ultimately tricking users into executing a disguised executable. This executable has been observed in previous Mustang Panda attacks…