Two cybercrime groups, Cordial Spider and Snarky Spider, conduct rapid extortion attacks targeting SaaS environments with minimal forensic footprint. Cordial Spider operates under multiple aliases including BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671. Snarky Spider uses the designations O-UNC-025 and UNC6661.
The groups use voice phishing (vishing) to compromise employee credentials, then abuse single sign-on systems to move laterally within cloud infrastructure. This approach grants attackers access to sensitive data while evading traditional detection mechanisms built for on-premises networks.
The attack timeline, from initial access to data exfiltration, compresses to a matter of hours. Defenders face a narrow window to detect and respond before threat actors establish persistence or demand ransom payments. The groups leverage SaaS platform design patterns that let their activity blend into normal user behavior.
Organizations should implement conditional access policies to restrict sign-on from unexpected locations. Security teams require robust activity logging across all cloud applications and should enforce multi-factor authentication beyond standard SMS delivery. Incident response playbooks need to address rapid SaaS compromise scenarios and include procedures for revoking session tokens across federated identity systems.
The minimal trace left by these actors reflects operational discipline. Detection depends on behavioral anomalies rather than traditional indicators of compromise.
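One way to express the behavioral detection this article calls for, as an added example that is not from the original article: correlate an SSO sign-in from a country outside a user's baseline with bulk data exports in the hours that follow. The event format, field names, sample events, and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO/SaaS audit events (hypothetical format, not any vendor's schema).
# Each event carries a timestamp, user, action and country; exports also carry a record count.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:00", "user": "alice", "action": "sso_login", "country": "US"},
    {"ts": "2024-05-01T09:30:00", "user": "alice", "action": "export", "country": "US", "records": 40},
    {"ts": "2024-05-01T13:15:00", "user": "bob", "action": "sso_login", "country": "US"},
    {"ts": "2024-05-01T14:05:00", "user": "bob", "action": "sso_login", "country": "RO"},
    {"ts": "2024-05-01T14:40:00", "user": "bob", "action": "export", "country": "RO", "records": 12000},
]

# Assumed per-user baseline of countries seen in prior, trusted sign-ins.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_rapid_saas_compromise(events, known_countries,
                                 window=timedelta(hours=3), export_threshold=5000):
    """Flag users whose sign-in from a country outside their baseline is followed,
    within `window`, by exports totalling at least `export_threshold` records.
    Returns one alert dict per anomalous sign-in."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        baseline = known_countries.get(user, set())
        for i, e in enumerate(evs):
            # Only sign-ins from outside the user's baseline open a suspicion window.
            if e["action"] != "sso_login" or e["country"] in baseline:
                continue
            start = parse_ts(e["ts"])
            exported = sum(x.get("records", 0) for x in evs[i + 1:]
                           if x["action"] == "export"
                           and parse_ts(x["ts"]) - start <= window)
            if exported >= export_threshold:
                alerts.append({"user": user, "login_country": e["country"],
                               "login_ts": e["ts"], "records_exported": exported})
    return alerts


if __name__ == "__main__":
    for a in detect_rapid_saas_compromise(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(a)
```

An alert of this shape is the trigger for the session-token revocation step in the response playbook, since the compromised SSO session is what the actor keeps using after the initial sign-in.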
