Two cybercrime groups, Cordial Spider and Snarky Spider, carry out rapid extortion attacks against SaaS environments, leaving minimal forensic artifacts. Cordial Spider operates under multiple aliases including BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671. Snarky Spider uses the aliases O-UNC-025 and UNC6661. Both groups employ vishing (voice phishing) and single sign-on (SSO) abuse as primary attack vectors to compromise SaaS accounts and extract data quickly.

The attacks follow a consistent pattern. Attackers use vishing to manipulate employees into revealing credentials or bypassing authentication controls. Once inside, they abuse SSO configurations to move laterally across SaaS applications and connected systems. The groups prioritize speed over stealth, extracting high-value data in compressed timeframes before organizations detect the breach.

Defenders should monitor for unusual SSO token usage patterns and implement phone number verification protocols resistant to social engineering. Enforce passwordless authentication where feasible. Log and alert on failed authentication attempts followed by successful logins from new geographies. Segment SaaS applications and restrict SSO scope. Train staff to reject unsolicited authentication requests over voice channels.
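
One way to express the alerting rule above (failed authentication attempts followed by a successful login from a new geography), as an added example that is not code from the original page. The event schema, the 30-minute window and the failure threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back for preceding failures
MIN_FAILURES = 2                # assumed threshold; tune per environment

# Constructed sample events in a hypothetical schema: (time, user, outcome, country)
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "success", "US"),
    ("2024-05-01T08:05:00", "bob", "success", "DE"),
    ("2024-05-01T09:00:00", "alice", "failure", "US"),
    ("2024-05-01T09:01:00", "alice", "success", "US"),  # one failure, known geo
    ("2024-05-02T10:00:00", "bob", "success", "FR"),    # new geo, no failures
    ("2024-05-03T14:00:00", "alice", "failure", "BR"),
    ("2024-05-03T14:02:00", "alice", "failure", "BR"),
    ("2024-05-03T14:03:00", "alice", "failure", "BR"),
    ("2024-05-03T14:05:00", "alice", "success", "BR"),  # expected alert
    ("2024-05-03T15:00:00", "carol", "failure", "NL"),
    ("2024-05-03T15:01:00", "carol", "failure", "NL"),
    ("2024-05-03T15:02:00", "carol", "success", "NL"),  # first login, no baseline
    ("2024-05-04T01:00:00", "bob", "failure", "SG"),
    ("2024-05-04T01:01:00", "bob", "failure", "SG"),
    ("2024-05-04T03:00:00", "bob", "success", "SG"),    # failures outside window
]

def detect(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Alert on a success from a country new to the user that follows recent failures."""
    known = defaultdict(set)       # user -> countries of earlier accepted logins
    failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
    alerts = []
    for ts, user, outcome, country in sorted(events):  # ISO timestamps sort by time
        now = datetime.fromisoformat(ts)
        recent = failures[user]
        while recent and now - recent[0] > window:     # expire old failures
            recent.popleft()
        if outcome == "failure":
            recent.append(now)
            continue
        new_geo = bool(known[user]) and country not in known[user]
        if new_geo and len(recent) >= min_failures:
            alerts.append({"user": user, "time": ts, "country": country,
                           "failures": len(recent), "baseline": sorted(known[user])})
        else:
            known[user].add(country)  # flagged countries stay out of the baseline
        recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Users with no prior successful login are not flagged here because they have no baseline to compare against; a deployment would seed the baseline from historical logs.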