The world of cybercrime is evolving, and the latest threat actors are employing sophisticated techniques to carry out rapid and impactful attacks. In this article, I'll delve into the tactics used by two cybercrime groups, Cordial Spider and Snarky Spider, and explore the implications of their activities. These groups are not your typical hackers; they operate almost exclusively within trusted Software-as-a-Service (SaaS) environments, leaving minimal traces of their actions. This makes them particularly challenging to detect and defend against.
The Vishing and SSO Abuse Tactics
What makes these groups so effective is their use of voice phishing (vishing) and Single Sign-On (SSO) abuse. By impersonating IT staff in calls, they deceive victims into revealing their credentials and multi-factor authentication (MFA) codes. This allows them to gain access to SaaS applications and move laterally across the victim's ecosystem. One thing that immediately stands out is the speed at which they operate. Snarky Spider, for instance, begins exfiltration in under an hour, highlighting the urgency and impact of these attacks.
The Role of The Com
Both groups are believed to be part of The Com, a cybercrime ecosystem known for its extortion-themed attacks. This connection raises a deeper question: are these groups working together, or is it a case of shared tactics and techniques? In my opinion, the expansion of threat activity by these groups suggests a potential merger or collaboration within The Com. This could have significant implications for the future of cybercrime, as it may lead to more sophisticated and coordinated attacks.
The Impact on Retail and Hospitality
The attacks mounted by these groups have primarily targeted the retail and hospitality sectors. By leveraging vishing attacks and phishing login sites, they steal credentials and gain access to high-privileged accounts. This allows them to move laterally across the victim's SaaS ecosystem and exfiltrate high-value files and business-critical reports. What many people don't realize is that these attacks are not isolated incidents; they are part of a broader trend of cybercrime groups expanding their reach and impact.
The Challenges for Defenders
The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders. By operating almost exclusively within trusted SaaS environments, these groups minimize their footprint and accelerate time to impact. This makes it difficult for defenders to identify and respond to the attacks in a timely manner. From my perspective, this highlights the need for more proactive and adaptive defense strategies that can keep pace with the evolving tactics of cybercriminals.
The Future of Cybercrime
As cybercrime groups continue to evolve and expand their reach, it's essential to understand the tactics and techniques they are employing. The use of vishing and SSO abuse by Cordial Spider and Snarky Spider is a particularly interesting development, as it demonstrates the sophistication and adaptability of these groups. In my opinion, this raises a deeper question about the future of cybercrime: how can we better prepare and defend against these evolving threats?
In conclusion, the activities of Cordial Spider and Snarky Spider are a stark reminder of the evolving landscape of cybercrime. By employing sophisticated tactics and techniques, these groups are able to carry out rapid and impactful attacks that can have significant consequences for victims. As defenders, it's crucial to stay informed and adapt our strategies to keep pace with the evolving tactics of cybercriminals. Personally, I think that the future of cybercrime will require a more proactive and adaptive approach to defense, one that can anticipate and respond to the evolving tactics of these sophisticated threat actors.
