AXIS Cyber Risk Advisory INCYTE Newsletter
Threat Advisory
Human Weakness, Enterprise Risk
Cybercriminal groups including ShinyHunters and Scattered Spider have launched coordinated attacks targeting customer relationship management (CRM) platforms utilized by enterprises, exposing sensitive data including customer names, emails, phone numbers, and loyalty program details.
While enterprise systems remain secure, attackers are exploiting third-party integrations combined with social engineering tactics, using voice phishing (vishing) and malicious OAuth (Open Authorization) applications to bypass cybersecurity defenses.
These campaigns highlight a shift in attacker strategy, targeting human behavior and trust in third-party vendors, not just technical vulnerabilities or gaps in controls. Some groups are also issuing ransom demands weeks after the initial data is accessed, complicating early detection and incident response efforts.
How the Attack Unfolds
These low-tech attacks targeting enterprises often start with voice phishing, where threat actors pose as IT or HR staff and reference fake support tickets to trick victims’ employees of the enterprise into sharing credentials or installing malicious applications.
Once installed, these apps are often disguised as legitimate tools like “Data Loader” or “Compliance Sync” and authorized through OAuth. This gives attackers persistent access to CRM systems, allowing them to extract valuable business contact data to launch future campaigns, expanding their reach and impact.
How Companies Can Strengthen Defenses
- Ensure social engineering awareness training for all roles
- Restrict third-party application permissions and enforce approval workflows
- Deploy phishing-resistant MFA and monitor OAuth authorizations continuously
- Adopt zero trust principles to eliminate implicit trust and limit lateral movement
- Audit CRM integrations and user behavior regularly for anomalies
Read the full article to learn more about these coordinated attacks: Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses
Learn more about Best Practices for Protecting Your CRM Data - National Cybersecurity Alliance
Coordinated Cybercrime: Evading Defenses to Deploy Ransomware
Cybercriminal groups are using advanced tools like AVKiller and EDRKillShifter, bundled with the HeartCrypt service to silently disable antivirus and endpoint detection systems. These tools are often designed to look like legitimate programs, making them difficult to detect. Once active, attackers can shut down defenses within minutes, exposing systems to ransomware. Unfortunately, after detection tools are disabled, recovery can become significantly harder.
The growing use of these customizable tools across multiple ransomware groups, including BlackSuit, Medusa, Qilin, and DragonForce, highlights the coordinated cybercriminal ecosystem targeting companies that rely on third-party software or lack strong detection capabilities.
How the Attack Unfolds
Attackers are using EDR killer tools to disable endpoint protection by exploiting a method called Bring Your Own Vulnerable Driver (BYOVD). Using these tools, often customized, the threat actor installs trusted software that has hidden flaws to sneak past security drivers and gain kernel-level access, essentially giving attackers the master key to the system, allowing them to shut down security tools and move undetected.
These tools are often paired with HeartCrypt “packer-as-a-service” that hides ransomware inside files to avoid detection, further enabling less skilled attackers to launch sophisticated hard-to-detect campaigns.
How Companies Can Strengthen Defenses
· Implement behavioral detection rules that monitor suspicious driver activity and unexpected process termination
· Block known vulnerable drivers using Microsoft’s recommended blocklist or custom policies
· Segment privileges so that only trusted processes can install or interact with drivers
· Regularly audit endpoint logs for signs of tampering or unauthorized access
· Educate security teams on BYOVD tactics and emerging ransomware toolkits
· Deploy EDR solutions with self-protection mechanisms that resist forced termination
· Stay updated on threat intelligence feeds to track evolving ransomware group tactics and tool variants
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.
The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.
For information about our products and underwriting companies, please see https://www.axiscapital.com/product-information
