
Scattered Spider Targets VMware ESXi in Latest Hacking Wave

Summary

– Scattered Spider hackers target VMware ESXi hypervisors in U.S. retail, airline, transportation, and insurance sectors using social engineering instead of vulnerability exploits.
– The group impersonates employees to reset passwords via IT help desks, then scans for high-value targets like domain administrators and privileged access management solutions.
– Attackers gain control of VMware vCenter Server, enable SSH on ESXi hosts, and execute disk-swap attacks to extract critical Active Directory data like NTDS.dit.
– The group deploys ransomware after wiping backups and encrypting VM files, achieving complete hypervisor control within hours without exploiting software vulnerabilities.
– Google recommends locking down vSphere, using phishing-resistant MFA, isolating critical assets, and monitoring logs to defend against these attacks.

A sophisticated hacking group has escalated attacks on VMware ESXi hypervisors, compromising major U.S. corporations across retail, aviation, logistics, and insurance industries. Security analysts warn these intrusions leverage social engineering rather than technical exploits, enabling attackers to bypass even well-established defenses.

The group, tracked as Scattered Spider, initiates breaches by impersonating employees during help desk calls. Posing as staff members, they manipulate IT personnel into resetting Active Directory credentials, granting initial network access. Once inside, attackers scour internal documentation for privileged account details, particularly targeting VMware vSphere administrators and security groups with virtualization management rights.

Their next move involves hunting for privileged access management (PAM) systems, which store credentials for critical infrastructure. By impersonating high-level administrators in follow-up calls, they hijack accounts with elevated permissions. This grants control over VMware vCenter Server, the central hub for managing ESXi hypervisors and virtual machines.

With administrative access, attackers enable SSH on ESXi hosts, reset root passwords, and execute “disk-swap” attacks, a technique where they detach a Domain Controller’s virtual disk, copy sensitive files like the NTDS.dit database, then reattach it to evade detection. This data provides full Active Directory control, including backup systems, which they often wipe clean before deploying ransomware.
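A detection check for the disk-swap sequence described above, added here as an illustration and not taken from the article or from GTIG: it correlates hypervisor audit events per host and operator and alerts when SSH enablement, a root password reset, a disk detach from a Domain Controller VM and an attach to a different VM all occur in order inside a time window. The event format, field names and the Domain Controller inventory are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Ordered stages of the hypervisor takeover described in the article.
STAGES = ("ssh_enabled", "root_password_reset", "disk_detached", "disk_attached")
DC_VMS = {"DC01"}  # assumed inventory of Domain Controller VMs

# Constructed sample audit events; the schema is an assumption, not vCenter's.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T01:00:00", "host": "esxi-01", "user": "vadmin", "action": "ssh_enabled"},
    {"ts": "2024-01-01T01:05:00", "host": "esxi-01", "user": "vadmin", "action": "root_password_reset"},
    {"ts": "2024-01-01T01:20:00", "host": "esxi-01", "user": "vadmin", "action": "disk_detached", "vm": "DC01"},
    {"ts": "2024-01-01T01:22:00", "host": "esxi-01", "user": "vadmin", "action": "disk_attached", "vm": "jump-vm"},
    {"ts": "2024-01-01T01:50:00", "host": "esxi-01", "user": "vadmin", "action": "disk_attached", "vm": "DC01"},
    {"ts": "2024-01-02T09:00:00", "host": "esxi-02", "user": "ops", "action": "ssh_enabled"},
]


def detect_disk_swap(events, dc_vms=DC_VMS, window_hours=4):
    """Return one alert per (host, user) whose events complete every stage in
    order within window_hours, with the detached disk coming from a DC VM and
    the attach going to some other VM (a reattach to the DC itself is ignored)."""
    window = timedelta(hours=window_hours)
    by_actor = {}
    for ev in sorted(events, key=lambda ev: ev["ts"]):
        by_actor.setdefault((ev["host"], ev["user"]), []).append(ev)
    alerts = []
    for (host, user), seq in by_actor.items():
        stage, start, dc = 0, None, None
        for ev in seq:
            if ev["action"] != STAGES[stage]:
                continue
            ts = datetime.fromisoformat(ev["ts"])
            if start and ts - start > window:
                break  # chain too slow for this window; treat as unrelated activity
            if ev["action"] == "disk_detached":
                if ev.get("vm") not in dc_vms:
                    continue  # detaching a non-DC disk is routine maintenance
                dc = ev["vm"]
            elif ev["action"] == "disk_attached" and ev.get("vm") == dc:
                continue  # disk went back onto the DC, not onto another VM
            start = start or ts
            stage += 1
            if stage == len(STAGES):
                alerts.append({"host": host, "user": user, "dc_vm": dc,
                               "first_seen": start.isoformat(), "last_seen": ts.isoformat()})
                break
    return alerts
```

Tune the window to the environment's normal change cadence; the article notes the full chain can complete within hours, so a window of a few hours catches the reported pace while ignoring unrelated changes days apart.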

Google’s Threat Intelligence Group (GTIG) reports these attacks unfold in five rapid stages, from credential theft to hypervisor takeover, sometimes completing in mere hours. Unlike exploits targeting software flaws, Scattered Spider’s methods rely on psychological manipulation and infrastructure misconfigurations, allowing them to circumvent conventional security measures.

Organizations increasingly find their VMware environments vulnerable, a direct result of limited internal expertise in securing these complex systems. Attackers have taken note. After high-profile compromises, such as the 2023 MGM Resorts incident, ransomware groups are now employing comparable tactics. To counter this rising danger, GTIG strongly recommends companies implement immediate protective measures.

(Source: BLEEPING COMPUTER)
