\nIn June, the FBI publicly warned** ** that Scattered Spider is actively targeting the aviation and transportation sectors, including well-known airlines and their third-party IT vendors. In this post, we will provide a brief overview of Scattered Spider, insights gathered by our research team into the vulnerabilities they target, and how organizations can protect themselves. <\/p>\n
## What is Scattered Spider?<\/p>\n
Scattered Spider is a financially motivated hacking collective (also known as UNC3944, Octo Tempest, Scatter Swine, and Star Fraud), mostly comprised of young members located in North America and the UK, referred to as \u201cthe Com.\u201d It has been active since May 2022 and has evolved from SIM\u2011swapping to advanced social engineering, MFA\u2011bombing, and ransomware via affiliates like ALPHV and DragonForce. Scattered Spider has targeted a vast range of industries and companies, including aviation, hospitality, retail, insurance, finance, technology, entertainment, telecommunications, gaming, and cryptocurrency. One of these high-profile breaches resulted in one company losing ~$100 million and another paying a ransom of $15 million. Recent campaigns have involved investigations from the FBI, CISA, and the United Kingdom\u2019s National Crime Agency.<\/p>\n
## Airline Industry Asset Risks:<\/p>\n
In an analysis of 600,000 assets across anonymized Qualys airline-industry customer organizations\u2014rigorously anonymized to ensure our insights cannot be traced back to specific organizations or assets\u2014we mapped exposure to CVEs actively exploited by the threat actor Scattered Spider, including:<\/p>\n
* CVE-2015-2291 (QID **92074** \u2013 Intel Ethernet Diagnostics Driver DoS)
* CVE-2021-35464 (QID **150623** and QID **730675** \u2013 ForgeRock Access Management RCE)
* CVE-2024-37085 (QID **216333** and QID **216331** \u2013 VMware ESXi 7.0\/8.0 Auth Bypass)<\/p>\n
These CVEs are frequently leveraged by Scattered Spider to gain initial access and escalate privileges across infrastructure.<\/p>\n
## Data in Qualys Customer Environments and Key Findings:<\/p>\n
<\/p>\n
**-QID Detections: 3,138** **assets** were identified with critical QID detections (216333, 216331, 92074, 150623, 730675), representing approximately 0.5% of the total asset base.<\/p>\n
**-Internet-Facing Exposure:** Nearly **3,000 assets** (**0.5%**) were found to be **internet-facing** with high-risk open ports (e.g., RDP, SSH, exposed databases), **increasing their susceptibility to targeted attacks.**<\/p>\n
**-Legacy Software Risk:** Approximately **72,000 assets (12%)** are running **End-of-Life (EOL)** or **End-of-Support (EOS)** software with known vulnerabilities.
On average, each affected asset is associated with **16 unique CVEs** , directly attributable to **EOL\/EOS software**.<\/p>\n
## Key Impacts and Recommendations:<\/p>\n
Given the active nature of this threat, we offer the following guidance to all organizations, particularly those in and associated with the airline and transportation industries.<\/p>\n
### **CVE-2015-2291** :<\/p>\n
**Impact:** CVE-2015-2291 is a high-severity vulnerability in Intel Ethernet diagnostics drivers for Windows (IQVW32.sys and IQVW64.sys versions prior to 1.3.1.0). It enables local attackers to execute arbitrary code with kernel privileges or cause a denial of service using crafted IOCTL calls. This vulnerability impacts multiple Windows operating systems, including Windows XP, Windows 7, Windows 8, Windows Server editions, and others, potentially affecting a wide range of systems. Adversaries have exploited this flaw for deploying malicious drivers using the ‘Bring Your Own Vulnerable Driver’ (BYOVD) technique, bypassing Windows security mechanisms and disabling endpoint protection solutions.<\/p>\n
**Recommended Solutions:** Users should upgrade the Intel Ethernet diagnostics drivers (IQVW32.sys and IQVW64.sys) to version 1.3.1.0 or later, available via the Intel Ethernet Adapters Connections CD 20.1 or newer. Administrators should scan all systems for outdated drivers, ensure timely patching of vulnerabilities, and utilize robust endpoint security solutions to monitor and mitigate potential threats while observing unusual system behaviors or signs of compromise.<\/p>\n
### **CVE-2021-35464** :<\/p>\n
**Impact:** CVE-2021-35464 is a critical vulnerability in ForgeRock Access Manager (AM), allowing unauthenticated attackers to execute arbitrary code remotely on affected servers. This flaw stems from unsafe Java deserialization in the Jato framework, affecting AM versions 6.0.0.x and all 6.5 versions up to 6.5.3. Exploits can compromise the server, enabling attackers to extract credentials, deploy malware, and move laterally within networks, potentially leading to data breaches or ransomware attacks. The vulnerability is listed in the CISA’s Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation incidents.<\/p>\n
**Recommended Solutions:** Upgrade affected ForgeRock AM versions to 7.0 or later, as the vulnerability is fixed in these versions. If immediate upgrade is not feasible, apply ForgeRock’s workaround by disabling the VersionServlet mapping in the AM web.xml file or blocking access to the ‘\/ccversion\/*’ endpoint using a reverse proxy. Additionally, limit internet access to vulnerable servers, monitor logs for exploitation indicators (e.g., requests to ‘\/ccversion\/Version’), and ensure the application runs with minimal privileges. Effective patch management and regular updates are essential to prevent exploitation.<\/p>\n
### **CVE-2024-37085** :<\/p>\n
**Impact:** CVE-2024-37085 is an authentication bypass vulnerability impacting VMware ESXi and VMware Cloud Foundation. Attackers with sufficient Active Directory (AD) permissions can exploit this vulnerability to gain unauthorized full administrative access to an ESXi host. This is achieved by recreating the ‘ESX Admins’ AD group\u2014even if previously deleted\u2014because ESXi hosts joined to AD automatically and insecurely grant admin privileges to that group by default. This issue has been widely exploited by ransomware groups, enabling them to achieve mass encryption of virtualized environments. The vulnerability primarily affects ESXi 8.0 (fixed in ESXi80U3-24022510), ESXi 7.0 (no patch planned), VMware Cloud Foundation 5.x (fixed in 5.2), and Cloud Foundation 4.x (no patch planned). Systems exposed to the internet or left unpatched are at risk of complete compromise and data loss through ransomware campaigns.<\/p>\n
**Recommended Solutions:** Upgrade to VMware ESXi 8.0 Update 3 (ESXi80U3-24022510) or VMware Cloud Foundation 5.2 as soon as possible; there is no patch planned for ESXi 7.0 and Cloud Foundation 4.x, so administrators of these products should apply Broadcom’s recommended configuration workarounds involving secure default settings for AD group privileges; remove unnecessary exposure of ESXi servers to the public internet; implement Microsoft’s mitigation guidance and monitor domain group memberships and administrator accounts for anomalies.<\/p>\n
## Measure, Communicate, and Eliminate Your Risk from Scattered Spider with Qualys<\/p>\n
<\/p>\n
### **To take action against Scattered Spider attacks in your network, Qualys offers several options:******<\/p>\n
* Using Qualys VMDR (Vulnerability Management, Detection and Response)**, you can rapidly identify and prioritize your vulnerabilities** through **scanning your environment** for the specific QIDs tied to Scattered Spider\u2019s known exploits.
* **Utilize TruRisk scoring** to prioritize your remediation using filters such as real-world exploitability and business criticality.
* **Monitor your internet-facing exposure** using **Qualys\u2019 CyberSecurity Asset Management (CSAM)** to **discover and classify all internet-facing assets** and detect misconfigurations and high-risk services.<\/p>\n
* * *<\/p>\n
**New to Qualys? Visit our website to find out more about our products.**<\/p>\n
Visit Now<\/p>\n
* * *\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Understanding the Impact of Scattered Spider on the Airline & Transportation Industry Update ID QUALYSBLOG:BF7429F924659459C34162F2675D31B9 Type qualysblog Published 2025-07-21T15:00:00…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,36,12,15,13,120,7,11,5],"class_list":["post-8540","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Understanding the Impact of Scattered Spider on the Airline & Transportation Industry - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8540\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Understanding the Impact of Scattered Spider on the Airline & Transportation Industry Update ID QUALYSBLOG:BF7429F924659459C34162F2675D31B9 Type qualysblog Published 2025-07-21T15:00:00...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8540\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-21T11:58:04+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry\",\"datePublished\":\"2025-07-21T11:58:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540\"},\"wordCount\":1121,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"HIGH\",\"news\",\"qualysblog\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8540#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540\",\"name\":\"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-21T11:58:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8540\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8540#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8540","og_locale":"en_US","og_type":"article","og_title":"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry - zero redgem","og_description":"Security Update News Update Information Title Understanding the Impact of Scattered Spider on the Airline & Transportation Industry Update ID QUALYSBLOG:BF7429F924659459C34162F2675D31B9 Type qualysblog Published 2025-07-21T15:00:00...","og_url":"https:\/\/zero.redgem.net\/?p=8540","og_site_name":"zero redgem","article_published_time":"2025-07-21T11:58:04+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8540#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8540"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry","datePublished":"2025-07-21T11:58:04+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8540"},"wordCount":1121,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-10.0","exploit","HIGH","news","qualysblog","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8540#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8540","url":"https:\/\/zero.redgem.net\/?p=8540","name":"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-21T11:58:04+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8540#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8540"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8540#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Understanding the Impact of Scattered Spider on the Airline & Transportation Industry"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8540"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8540\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}