CyberSecurity news
FlagThis - #google
|
info@thehackernews.com (The@The Hacker News
//
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.
GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries. The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified.
Share:
References :
Classification:
info@thehackernews.com (The@The Hacker News
//
GreyNoise has issued a warning regarding a coordinated brute force campaign targeting Apache Tomcat Manager interfaces. On June 5, 2025, their threat intelligence system detected a significant surge in malicious activity, specifically brute-force and login attempts against these interfaces. This spike prompted GreyNoise to issue tags for "Tomcat Manager Brute Force Attempt" and "Tomcat Manager Login Attempt," both registering well above their usual baseline volumes, suggesting a deliberate and widespread effort to identify and exploit exposed Tomcat services.
295 unique IP addresses were observed engaging in brute-force attempts, while 298 IPs conducted login attempts. Almost all were classified as malicious. Much of the activity originated from infrastructure hosted by DigitalOcean. The concentrated nature of these attacks, focusing primarily on Tomcat services, indicates a coordinated campaign rather than random, opportunistic scanning. GreyNoise believes that such activity serves as an early warning sign of future exploitation. Organizations are urged to immediately block the malicious IPs identified by GreyNoise and to strengthen their security posture regarding exposed Tomcat Manager interfaces. This includes implementing robust authentication mechanisms, enforcing strict access restrictions, and carefully reviewing recent login activity for any anomalies. With a focus on helping defenders take faster action on emerging threats, GreyNoise continues to monitor the situation and is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.
Share:
References :
Classification:
|