The Trial Balance is CFO.com’s weekly preview of stories, stats and events to help you prepare.
Part 1 — Scattered Spider gets CFO credentials via social engineering
In a multi-day cyberattack that reads more like a thriller than a cybersecurity report, the multinational hacker group Scattered Spider infiltrated an unnamed organization by compromising its CFO’s credentials and nearly took the company’s cloud infrastructure down in the process.
Scattered Spider has previously targeted insurance companies, major retailers and most recently airlines, focusing on industries with large customer data and high operational stakes. The group is known for using cunning social engineering tactics to quickly escalate access and disrupt critical systems at major companies.
According to new research from cybersecurity firm ReliaQuest, the attack began when Scattered Spider used social engineering to impersonate the CFO and trick the company’s help desk into resetting the CFO’s multifactor authentication. The scammers reportedly used personal information like the CFO’s birth date and the last four digits of their Social Security number to create a believable scenario. This pressured the help desk to reset the CFO’s multifactor authentication credentials with urgency.
The changes were granted and gave hackers full access to the CFO’s Oracle Cloud portal. On day one, they mapped the organization’s infrastructure, identified privileged accounts and targeted key systems including virtual machines, VPNs and Microsoft Entra ID.
By the second day, the attackers had accessed VMware Horizon virtual desktops, giving them full access to view and alter the company’s entire digital infrastructure. From there, they entered the internal network and took control of VMware vCenter, the system used to manage the organization’s virtual computing environment. They created new virtual servers, reactivated decommissioned ones and extracted the NTDS.dit file, a critical database containing account credentials for the entire system. The activity went unnoticed because the virtual systems they used were not monitored by tools such as endpoint detection and response.
On the third day, the breach expanded further. The attackers accessed the company’s CyberArk privileged access vault and dumped more than 1,400 credentials, likely using automation given the number of credentials acquired in such a short period of time. They assigned themselves powerful roles, including Microsoft Exchange Administrator and Global Administrator. The attackers then used compromised service accounts to gain control of the company’s Azure identity environment, which is a major part of Microsoft’s cloud platform and manages user access, authentication and permissions across cloud resources.
At this point, the company’s internal security systems picked up that something was not right. Rather than backing out and drifting back into the abyss after being discovered, the Scattered Spider hackers resisted attempts to stop the breach. At one point, the attackers intercepted a message from the company’s internal security team warning of an active breach and responded by impersonating a team member. Researchers observed the hackers restoring deleted accounts, impersonating staff and interfering with remediation efforts in real time. The company eventually needed help from the operators of the software, and Microsoft had to intervene to help regain control.
Before they were evicted on the fourth day, the attackers, who likely knew the clock was running out on their breach, launched what researchers called a “scorched earth” strategy. They executed malicious scripts across the cloud environment and deleted Azure firewall policies, bringing critical operations to a standstill.
For CFOs, this is important to note because this was an incident where no ransomware was deployed upon entry. Rather, human beings were tricked and were willing to help because of the “often over-privileged” attention IT gives to executives.
Part 2 — This week
Here’s a list of important market events slated for the week ahead.
Monday, June 30
- Chicago Business Barometer (PMI), June
Tuesday, July 1
- S&P final U.S. manufacturing PMI, June
- Job openings, May
- ISM manufacturing, June
- Auto sales, June
Wednesday, July 2
- ADP employment, June
Thursday, July 3
- Initial jobless claims, week ending June 28
- U.S. employment report, June
- U.S. unemployment rate, June
- U.S. trade deficit, May
- S&P final U.S. services PMI, June
- Factory orders, May
Friday, July 4 — None scheduled for Independence Day
Part 3 — The Savannah Bananas’ Tim Naddy’s new podcast
Dr. Tim Naddy, vice president of finance for the Savannah Bananas, has launched a new podcast called Business, Biceps and BS through the Georgia Society of CPAs. The show blends his background in accounting with his passion for fitness and candid conversations about the realities of business. The first episode launched last week.
Naddy told CFO.com he plans on using the platform to share lessons from his role at one of the most unconventional sports organizations in the country. Episodes cover everything from leadership and financial planning to personal development and gym routines. His goal is to make accounting and finance more approachable while highlighting the human side of the profession. The podcast touches on the team’s mission on one hand, and on the other highlights how being a great finance leader means balancing business smarts, strength and a sense of humor.





