Executive Summary
In October 2025, two financially motivated threat groups, Cordial Spider and Snarky Spider, affiliated with The Com, initiated a series of rapid data theft and extortion attacks targeting U.S.-based organizations across sectors such as academia, aviation, retail, hospitality, automotive, financial services, legal, and technology. Utilizing voice-phishing and social engineering tactics, these groups directed employees to fraudulent single sign-on (SSO) pages to capture credentials, enabling them to infiltrate identity platforms and traverse SaaS environments. Once inside, they removed existing multi-factor authentication (MFA) devices, established their own, and deleted alerts to conceal their activities, leading to significant data exfiltration and extortion demands, often in the seven-figure range.
This incident underscores a growing trend of cybercriminals leveraging sophisticated social engineering techniques to exploit identity systems, highlighting the urgent need for organizations to enhance their security measures against such evolving threats.
Why This Matters Now
The emergence of Cordial Spider and Snarky Spider highlights the increasing sophistication of cybercriminal groups in exploiting identity systems through advanced social engineering tactics, emphasizing the critical need for organizations to bolster their defenses against such evolving threats.
Attack Path Analysis
The attackers initiated the attack by using voice-phishing and social engineering tactics to deceive employees into providing credentials, leading to unauthorized access to identity platforms. Once inside, they manipulated multi-factor authentication settings to establish persistent access and escalated their privileges within the system. With elevated privileges, they navigated through the organization's SaaS environments, accessing and compromising various services. They then established command and control channels to maintain communication and control over the compromised systems. Subsequently, they exfiltrated sensitive data from the organization's cloud storage and SaaS applications. Finally, they leveraged the stolen data to extort the organization, demanding ransom under the threat of data exposure or further attacks.
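The step in this attack path that defenders can most readily catch in identity-platform audit logs is the MFA manipulation: an existing factor is removed, a new one is enrolled moments later from an address the user has never used, and an alerting rule is deleted by the same actor. The following Python is an added example, not code from the report or from CrowdStrike or Aviatrix; the event schema, field names, action strings and sample events are all constructed and would need to be mapped onto whatever an actual identity provider emits.

```python
"""Flag the MFA-tampering sequence described above in identity-platform audit events.

Added example. The event schema (ts/actor/target/action/src_ip), the action
names and the sample events are constructed assumptions, not any vendor's
real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # how quickly a removal must be followed by a re-enrolment

# Actions that suppress visibility; names are assumed, adapt to your platform.
ALERT_SUPPRESSION_ACTIONS = {"policy.rule.delete", "alert.rule.delete", "notification.delete"}

# Constructed baseline of addresses each user normally authenticates from.
KNOWN_IPS = {"jdoe": {"198.51.100.5"}, "asmith": {"198.51.100.9"}}

# Constructed sample events: one takeover-like sequence for jdoe and one
# benign helpdesk reset for asmith where re-enrolment happens a day later.
SAMPLE_EVENTS = [
    {"ts": "2025-10-14T13:02:11Z", "actor": "jdoe", "target": "jdoe",
     "action": "user.session.start", "src_ip": "203.0.113.7"},
    {"ts": "2025-10-14T13:04:40Z", "actor": "jdoe", "target": "jdoe",
     "action": "user.mfa.factor.deactivate", "src_ip": "203.0.113.7"},
    {"ts": "2025-10-14T13:05:02Z", "actor": "jdoe", "target": "jdoe",
     "action": "user.mfa.factor.activate", "src_ip": "203.0.113.7"},
    {"ts": "2025-10-14T13:09:30Z", "actor": "jdoe", "target": "rule:new-device-alert",
     "action": "policy.rule.delete", "src_ip": "203.0.113.7"},
    {"ts": "2025-10-13T09:00:00Z", "actor": "helpdesk", "target": "asmith",
     "action": "user.mfa.factor.deactivate", "src_ip": "198.51.100.2"},
    {"ts": "2025-10-14T10:00:00Z", "actor": "asmith", "target": "asmith",
     "action": "user.mfa.factor.activate", "src_ip": "198.51.100.9"},
]


def _t(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_takeover(events, known_ips, window=WINDOW):
    """Return one finding per factor removal that is followed by a re-enrolment within `window`.

    Severity rises with each corroborating signal: fast swap alone is low,
    plus an unfamiliar source address is medium, plus alert suppression by
    the same actor is high.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    mfa_by_user = defaultdict(list)
    suppression_by_actor = defaultdict(list)
    for e in ordered:
        if e["action"] in ("user.mfa.factor.deactivate", "user.mfa.factor.activate"):
            mfa_by_user[e["target"]].append(e)
        elif e["action"] in ALERT_SUPPRESSION_ACTIONS:
            suppression_by_actor[e["actor"]].append(e)

    findings = []
    for user, evs in mfa_by_user.items():
        for i, removal in enumerate(evs):
            if removal["action"] != "user.mfa.factor.deactivate":
                continue
            t0 = _t(removal["ts"])
            # First re-enrolment after the removal that still falls inside the window.
            enrol = next((x for x in evs[i + 1:]
                          if x["action"] == "user.mfa.factor.activate"
                          and _t(x["ts"]) - t0 <= window), None)
            if enrol is None:
                continue
            reasons = [f"factor removed and re-enrolled within {window}"]
            if enrol["src_ip"] not in known_ips.get(user, set()):
                reasons.append(f"enrolment from unfamiliar address {enrol['src_ip']}")
            suppressed = [s for s in suppression_by_actor.get(enrol["actor"], [])
                          if t0 <= _t(s["ts"]) <= t0 + window]
            if suppressed:
                reasons.append("alerting rule deleted by the same actor: "
                               + ", ".join(s["target"] for s in suppressed))
            severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
            findings.append({"user": user, "severity": severity,
                             "removed_at": removal["ts"], "enrolled_at": enrol["ts"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_mfa_takeover(SAMPLE_EVENTS, KNOWN_IPS):
        print(f["severity"].upper(), f["user"], "|", "; ".join(f["reasons"]))
```

Run against the constructed events, the helpdesk reset for asmith produces no finding because the re-enrolment comes a day later from a known address, while jdoe's sequence is reported as high severity. In production the baseline of known addresses would come from historical sign-in data, and a helpdesk-initiated reset that is re-enrolled within minutes from a new address should still surface as at least medium so that an analyst can confirm it against the ticket.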
Kill Chain Progression
Initial Compromise
Description
Attackers used voice-phishing and social engineering to deceive employees into providing credentials, gaining unauthorized access to identity platforms.
MITRE ATT&CK® Techniques
Spearphishing Voice
Valid Accounts
Multi-Factor Authentication Request Generation
Indicator Removal on Host: Clear Windows Event Logs
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms and enforce least privilege access.
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Financial Services
Extortion crews targeting identity platforms expose financial institutions to data exfiltration, regulatory violations, and seven-figure ransom demands via social engineering attacks.
Higher Education/Academia
Academic institutions face identity system compromises enabling SaaS ecosystem traversal, threatening student data and research through voice-phishing and credential harvesting campaigns.
Retail Industry
Retail organizations experience targeted phishing attacks compromising single sign-on systems, leading to widespread data theft and aggressive extortion tactics including employee harassment.
Information Technology/IT
Technology sector faces sophisticated identity platform breaches enabling lateral movement across SaaS environments, with attackers exploiting multi-factor authentication weaknesses and residential proxy networks.
Sources
- Two new extortion crews are speedrunning the Scattered Spider playbook: https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/
- Cordial Spider Adversary Profile | CrowdStrike: https://www.crowdstrike.com/en-us/adversaries/cordial-spider/
- Snarky Spider Adversary Profile | CrowdStrike: https://www.crowdstrike.com/en-us/adversaries/snarky-spider/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting attackers' ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial credential compromise, it could limit unauthorized access by enforcing strict identity-based policies.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the scope of privilege escalation by enforcing least-privilege access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit command and control activities by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could reduce data exfiltration risks by controlling outbound data flows.
While Aviatrix Zero Trust CNSF may not prevent initial data theft, it could limit the extent of data exposure, potentially reducing the impact of extortion attempts.
Impact at a Glance
Affected Business Functions
- Identity and Access Management
- SaaS Application Management
- Data Security
- Incident Response
Estimated downtime: 7 days
Estimated loss: $1,000,000
Potential exposure of sensitive corporate data, including customer information and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust multi-factor authentication (MFA) mechanisms to prevent unauthorized access through compromised credentials.
- Enforce strict identity and access management (IAM) policies to limit privilege escalation opportunities.
- Utilize network segmentation and east-west traffic monitoring to detect and prevent lateral movement within the network.
- Deploy advanced threat detection systems to identify and respond to command and control communications.
- Establish comprehensive data loss prevention (DLP) strategies to monitor and control data exfiltration activities.