Scattered Lapsus$ Hunters Resurface with ‘ShinySp1d3r’ RaaS Platform and Aggressive Insider Recruitment
The cybercriminal collective known as Scattered Lapsus$ Hunters has re-emerged with a new Ransomware-as-a-Service (RaaS) platform named ‘ShinySp1d3r’ and is actively recruiting insiders to facilitate their operations. This development follows their previous high-profile supply chain attacks targeting Salesforce integrations such as Gainsight and Salesloft.
Background and Recent Activities
After a period of relative inactivity, Scattered Lapsus$ Hunters have restructured their operations and are now focusing on acquiring privileged access through insider collaboration. Their recruitment efforts are prominently displayed across underground Telegram channels and credential-trading forums, indicating a strategic shift towards leveraging internal access within target organizations.
Introduction of ‘ShinySp1d3r’ RaaS Platform
The group has unveiled ‘ShinySp1d3r,’ a new RaaS platform that appears to be a collaborative effort involving operators associated with ShinyHunters, Scattered Spider, and Lapsus$. This platform signifies a more organized and scalable approach to their ransomware campaigns, allowing affiliates to deploy ransomware attacks efficiently.
Targeting Criteria and Commission Structures
Scattered Lapsus$ Hunters have specified clear criteria for their recruitment and targeting efforts:
– Target Organizations: Companies with annual revenues exceeding $500 million.
– Exclusions: Entities based in Russia, China, North Korea, or Belarus, and organizations in the healthcare sector.
– Commission Tiers:
  – 25% for access to Active Directory-joined systems.
  – 10% for access to cloud identity and management platforms, such as Okta, the Azure Portal, or AWS IAM root credentials.
These structured incentives are designed to attract insiders who can provide critical access points within large organizations.
Recruitment Strategies and Insider Collaboration
The group’s recruitment advertisements seek insiders who can provide remote access through VPNs, VDIs, Citrix, or AnyDesk, with a stated interest in the telecommunications, software, gaming, and call-center sectors. This approach underscores their intent to bypass perimeter defenses by collaborating with employees willing to grant unauthorized access.
Operational Security and Messaging
To alleviate potential concerns among prospective insiders, Scattered Lapsus$ Hunters have addressed operational security directly. Following incidents like the CrowdStrike insider case, the group has publicly reassured collaborators that their involvement would remain undetected. They have framed previous exposures as failures on the part of the insiders, thereby attempting to build confidence and trust within their recruitment base.
Implications and Industry Response
The resurgence of Scattered Lapsus$ Hunters and the launch of ‘ShinySp1d3r’ highlight the evolving tactics of cybercriminal organizations. By focusing on insider recruitment and offering substantial financial incentives, they pose a significant threat to large enterprises. Organizations are urged to enhance their internal security protocols, conduct thorough background checks, and foster a culture of security awareness to mitigate the risks associated with insider threats.
Conclusion
The re-emergence of Scattered Lapsus$ Hunters with their ‘ShinySp1d3r’ RaaS platform and aggressive insider recruitment strategies marks a notable shift in the cyber threat landscape. Their structured approach to targeting high-revenue organizations through internal collaboration necessitates a proactive and comprehensive response from the cybersecurity community to safeguard sensitive data and maintain organizational integrity.