Do Not Reset Your Password — FBI Issues Critical New Warning

FBI updates Scattered Spider warning — do not reset your password.
Scattered Spider is the somewhat too cutesy name applied to one of the most dangerous threats facing organizations today. The ransomware threat actors behind devastating attacks on retail and aviation targets, among others, show no signs of going away. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have now updated a joint cybersecurity advisory with a critical new warning: don’t reset your passwords. Here’s what you need to know about the latest FBI warning and the ongoing Scattered Spider threat.
The FBI Password Reset Warning — Why It Makes Sense
At first glance, being told not to reset your password in the face of an attack that compromises passwords appears counterintuitive, to say the least. After all, Google has been advising Gmail users to change their passwords for years, and plenty of other cybersecurity warnings recommend the same. But, as with most things in cybersecurity, context is critical. Changing a password to prevent an attack, as in the advice to switch to a more secure technology such as passkeys, makes sense. Not using weak or previously compromised passwords, ditto. But this advice is different; it addresses the specific methodology Scattered Spider employs in its attacks.
The July 29 update to the FBI and CISA cybersecurity advisory, alert code AA23-320A, warns that Scattered Spider has “posed as employees to convince IT and/or helpdesk staff to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device they control on separate devices.”
Scattered Spider is using “layered social engineering techniques,” the FBI warned, often comprising multiple calls and contacts. These are made to learn the steps support staff require before they will process a password reset request. “Once that information is identified,” the FBI said, “the threat actors continue to conduct phone calls to employees and help desks to gather password reset-specific information of a targeted employee.” This all culminates in a highly targeted spearphishing call to the help desk in question to convince staff to “reset passwords and/or transfer MFA tokens.”
The FBI recommended that organizations use phishing-resistant multifactor authentication for all services and accounts that access critical systems. “Organizations should continue to perform diligent employee training against vishing and spearphishing,” the alert said, and advised that updated mitigation recommendations from the U.K. National Cyber Security Centre be followed, including to “review helpdesk password reset processes, including how the helpdesk authenticates staff members credentials before resetting passwords, especially those with escalated privileges.”
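One way a defender can act on the NCSC recommendation to review help-desk password reset processes is to audit identity-provider events for the pattern the advisory describes: a help-desk reset followed shortly by an MFA device change, or any reset of an account with escalated privileges. The Python below is an added example, not code from the FBI, CISA or the advisory; the event format, the `helpdesk.` actor prefix and the account names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of identity-provider audit events (illustrative, not
# taken from the advisory): (timestamp, actor, action, target_account).
SAMPLE_EVENTS = [
    ("2025-07-29T09:02:00", "helpdesk.alice", "password_reset", "jdoe"),
    ("2025-07-29T09:05:00", "jdoe", "mfa_device_enrolled", "jdoe"),
    ("2025-07-29T11:00:00", "helpdesk.bob", "password_reset", "msmith"),
    ("2025-07-30T08:30:00", "msmith", "mfa_device_enrolled", "msmith"),
    ("2025-07-29T14:00:00", "helpdesk.alice", "password_reset", "svc.admin"),
]

# Assumed set of accounts with escalated privileges (hypothetical names).
PRIVILEGED_ACCOUNTS = {"svc.admin"}


def review_resets(events, privileged=PRIVILEGED_ACCOUNTS, window=timedelta(hours=1)):
    """Return {account: [reasons]} for resets that warrant out-of-band callback
    verification with the employee before they are accepted as legitimate:
    a help-desk reset followed by MFA enrollment inside `window` (the
    reset-then-transfer-MFA sequence), or any reset of a privileged account."""
    parsed = sorted(
        (datetime.fromisoformat(ts), actor, action, acct)
        for ts, actor, action, acct in events
    )
    findings = {}
    last_reset = {}  # account -> time of most recent help-desk-initiated reset
    for ts, actor, action, acct in parsed:
        # Assumption: help-desk operators are identified by a "helpdesk." prefix.
        if action == "password_reset" and actor.startswith("helpdesk."):
            last_reset[acct] = ts
            if acct in privileged:
                findings.setdefault(acct, []).append("reset of privileged account")
        elif action == "mfa_device_enrolled" and acct in last_reset:
            if ts - last_reset[acct] <= window:
                findings.setdefault(acct, []).append(
                    "mfa enrolled within %s of reset" % window
                )
    return findings


if __name__ == "__main__":
    for acct, reasons in review_resets(SAMPLE_EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

In the constructed sample, `jdoe` is flagged because MFA was enrolled three minutes after the reset, `svc.admin` because it is privileged, and `msmith` is not flagged because the enrollment came almost a day later.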