Cordial Spider, Snarky Spider Leverage Vishing and SSO Abuse in SaaS Extortion
Cybersecurity researchers are sounding the alarm on two cybercrime groups, Cordial Spider (also known as BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (O-UNC-025 and UNC6661). According to The Hacker News, these groups are executing "rapid, high-impact attacks" primarily within SaaS environments, leaving minimal forensic traces. Their tactics involve high-speed data theft followed by extortion attempts.
The Hacker News highlights that these groups are particularly adept at abusing Single Sign-On (SSO) mechanisms and employing vishing techniques. This combination allows them to bypass traditional security controls, gain unauthorized access to SaaS applications, and exfiltrate sensitive data quickly. The focus on SaaS environments means they are targeting the very heart of modern enterprise operations, where critical data and applications reside.
The operational methodology of Cordial Spider and Snarky Spider underscores a shift towards more stealthy, cloud-native attack vectors. By leveraging vishing for initial access and then exploiting SSO misconfigurations or stolen credentials, they can achieve deep penetration with a low footprint. This makes detection incredibly challenging for organizations relying solely on endpoint or network-centric security solutions, necessitating a strong focus on identity and access management (IAM) within SaaS ecosystems.
What This Means For You
- If your organization relies heavily on SaaS applications and SSO, you are a prime target. Immediately review your SSO configurations for any potential misconfigurations or excessive permissions. Reinforce security awareness training to educate users about vishing attacks, as initial access often hinges on social engineering. Implement robust MFA for all SaaS access and ensure comprehensive logging is enabled and monitored within your SaaS environments for anomalous activity.
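The monitoring advice above is only useful if the SaaS audit trail is actually correlated. The following is an added example (not code from The Hacker News or from any vendor) of the kind of detection logic a SOC might run over SaaS audit events: it links an SSO sign-in from a device the user has never used before with a burst of bulk export or download activity by the same user shortly afterwards, which is the "vishing for initial access, then fast data theft" pattern the report describes. The event field names, the device baseline and the sample events are all constructed for the example; map them to your IdP's and SaaS provider's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample SaaS audit events (not real logs). Field names are
# assumptions for this example; adapt them to your IdP/SaaS schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "sso.login",
     "device": "known-laptop", "mfa": "push"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "event": "file.download",
     "bytes": 200_000},
    {"ts": "2024-05-01T13:10:00", "user": "bob", "event": "sso.login",
     "device": "new-device-7f3a", "mfa": "push"},
    {"ts": "2024-05-01T13:12:00", "user": "bob", "event": "file.export",
     "bytes": 900_000_000},
    {"ts": "2024-05-01T13:14:00", "user": "bob", "event": "file.export",
     "bytes": 1_200_000_000},
    {"ts": "2024-05-01T13:15:00", "user": "bob", "event": "file.download",
     "bytes": 500_000_000},
]

# Constructed baseline: devices each user has previously signed in from.
# In practice this comes from the IdP's device registry or a learned baseline.
KNOWN_DEVICES = {"alice": {"known-laptop"}, "bob": {"bob-desktop"}}

# Event types that move data out of the tenant in bulk.
BULK_EVENT_TYPES = {"file.export", "file.download"}


def find_suspicious_sessions(events, known_devices, window=timedelta(minutes=30),
                             min_events=3, min_bytes=1_000_000_000):
    """Correlate each SSO login from an unseen device with bulk-transfer
    events by the same user inside `window`. A login is reported when the
    follow-on activity reaches either the event-count or the byte threshold.
    Returns one finding dict per qualifying login."""
    # ISO-8601 timestamps of one fixed format sort correctly as strings.
    ordered = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(ordered):
        if ev["event"] != "sso.login":
            continue
        if ev["device"] in known_devices.get(ev["user"], set()):
            continue  # device seen before: not the new-device pattern
        t0 = datetime.fromisoformat(ev["ts"])
        count, total = 0, 0
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # sorted input, so nothing later can be inside the window
            if later["user"] == ev["user"] and later["event"] in BULK_EVENT_TYPES:
                count += 1
                total += later.get("bytes", 0)
        if count >= min_events or total >= min_bytes:
            findings.append({
                "user": ev["user"],
                "device": ev["device"],
                "login_ts": ev["ts"],
                "events": count,
                "bytes": total,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"ALERT: {f['user']} signed in from unseen device {f['device']} at "
              f"{f['login_ts']} and moved {f['bytes']:,} bytes in {f['events']} events")
```

On the constructed data only bob's session is reported: alice signs in from a known device and downloads a small file, while bob's first-seen device is followed within five minutes by three bulk transfers totalling 2.6 GB. The thresholds are deliberately coarse; in a real deployment they should be tuned per application, and the "new device" signal is strongest when it is joined with the IdP's own session and MFA context rather than replacing it.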
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| SaaS-Extortion-Attack | Auth Bypass | SSO Abuse |
| SaaS-Extortion-Attack | Information Disclosure | High-speed data theft from SaaS environments |
| SaaS-Extortion-Attack | Vishing | Voice phishing used for initial access to SaaS applications |