Threat Actors Exploit Employee Access to Breach Zendesk
The cybercriminal group known as Scattered Spider has been identified targeting corporate users of the Zendesk customer service software. This group, also tracked under the aliases 0ktapus, UNC3944, and Scatter Swine, exhibits operational similarities to the Lapsus$ hacking collective. The activity was observed by security researchers at CrowdStrike, who noted the group’s persistence and evasiveness in its campaigns to steal sensitive data.
The primary goal of these attacks is to gain access to corporate Zendesk accounts to exfiltrate confidential information stored within customer support tickets. This data often includes personally identifiable information (PII), financial details, and other sensitive customer or corporate intelligence.
Attack Methodology and Social Engineering Tactics
Scattered Spider’s attacks typically commence with sophisticated social engineering campaigns aimed at employees. The initial vector often involves SMS phishing (smishing) messages designed to trick employees into providing their login credentials. The attackers then follow up to convince the target to divulge their multi-factor authentication (MFA) code, granting the criminals initial network access.
In other observed instances, the group contacts the organization’s IT help desk, posing as an employee to have their MFA device reset or a new one added to their account. Once inside the corporate network, Scattered Spider actors search for credentials and access to the company’s Zendesk instance. To obscure their activities and location, the group leverages residential IP proxies and legitimate remote access tools, making their intrusion harder to detect.
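The help-desk MFA reset followed shortly by a login from outside corporate address space is the kind of sequence a detection team can correlate on. The example below is added here and is not from the article, CrowdStrike or Zendesk; the event names, the `zendesk` app label and the corporate range are assumptions, and the log records are constructed. A real deployment would replace the corporate-range check with a residential-proxy or ASN feed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events, loosely modelled on a generic identity-provider
# audit log. This is not Zendesk's or any vendor's real schema.
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "user": "alice", "event": "mfa.factor.reset",    "ip": "10.1.4.7"},
    {"ts": "2024-05-01T09:05:30", "user": "alice", "event": "mfa.factor.enrolled", "ip": "198.51.100.23"},
    {"ts": "2024-05-01T09:07:10", "user": "alice", "event": "login.success",       "ip": "198.51.100.23", "app": "zendesk"},
    {"ts": "2024-05-01T11:00:00", "user": "bob",   "event": "mfa.factor.enrolled", "ip": "10.1.4.9"},
    {"ts": "2024-05-01T11:01:00", "user": "bob",   "event": "login.success",       "ip": "10.1.4.9", "app": "zendesk"},
    {"ts": "2024-05-02T09:00:00", "user": "alice", "event": "login.success",       "ip": "203.0.113.5", "app": "zendesk"},
]

CORP_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate/VPN address space
MFA_CHANGE = {"mfa.factor.reset", "mfa.factor.enrolled"}  # assumed event names
WATCHED_APPS = {"zendesk"}


def is_corporate(ip: str) -> bool:
    """True if the address falls inside the assumed corporate ranges."""
    return any(ip_address(ip) in net for net in CORP_NETS)


def find_suspicious_logins(events, window=timedelta(hours=1)):
    """Flag logins to a watched app from a non-corporate IP that occur within
    `window` after the same user's MFA factor was reset or newly enrolled.
    Returns a list of (user, mfa_event, login_ts, ip) tuples, one per hit."""
    ordered = sorted(events, key=lambda e: e["ts"])
    last_mfa_change = {}  # user -> (timestamp, event name)
    hits = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] in MFA_CHANGE:
            last_mfa_change[e["user"]] = (ts, e["event"])
        elif e["event"] == "login.success" and e.get("app") in WATCHED_APPS:
            change = last_mfa_change.get(e["user"])
            if change and ts - change[0] <= window and not is_corporate(e["ip"]):
                hits.append((e["user"], change[1], e["ts"], e["ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(EVENTS):
        print("review:", hit)
```

Only alice's first-day login is flagged: bob's enrollment and login both come from the corporate range, and alice's next-day login falls outside the correlation window.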
Source: https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/