Scattered Spider Now Targets VMware vSphere in New Attacks

Summary
– Google’s Threat Intelligence Group identified a sophisticated cyber-attack campaign by financially motivated group UNC3944 (Scattered Spider) targeting US retail, airline, and insurance sectors.
– The attackers use social engineering to breach IT help desks, gain Active Directory access, and exploit VMware vSphere environments without triggering traditional defenses.
– UNC3944 bypasses detection by compromising the vSphere virtualization layer, hijacking vCenter access, and deploying ransomware directly from the hypervisor level.
– Key tactics include password resets via help desk impersonation, hijacking admin roles, disabling backups, and encrypting entire environments from the ESXi shell.
– GTIG recommends proactive defense measures like disabling ESXi shell access, encrypting VM data, isolating backups, and enforcing phishing-resistant MFA to counter these fast-moving attacks.
A sophisticated cybercrime group has shifted focus to VMware vSphere environments, launching targeted attacks against critical industries through social engineering and hypervisor-level exploitation. Security analysts tracking the threat actor, known as Scattered Spider or UNC3944, report the group now actively targets US-based retail chains, airlines, and insurance providers by compromising virtualization infrastructure.
The attackers employ a multi-stage approach that begins with phone-based impersonation tactics to trick IT help desks into resetting privileged account credentials. Once inside corporate networks, they escalate access to VMware vCenter servers, manipulate virtual disk files, and deploy backdoors at the hypervisor level, bypassing traditional endpoint security measures entirely.
Hypervisor Hijacking Tactics
Recent findings reveal UNC3944’s ability to reboot vCenter into single-user mode, granting unfettered administrative control. The group then installs remote access tools like Teleport to maintain persistence while moving laterally across ESXi hosts. By operating directly on the hypervisor, they can extract credential databases, disable backups, and execute ransomware payloads before most detection systems trigger alerts.
What makes these attacks particularly dangerous is their speed: security teams often have only hours between initial breach and full-scale encryption. The group’s reliance on legitimate administrative tools further complicates detection, as their activity blends in with normal system operations.
Critical Industries at Risk
Recent ransomware campaigns reveal sophisticated attack vectors, notably social engineering of help desks to circumvent standard authentication. Such methods highlight a critical weakness in help-desk identity verification. To counter these escalating threats, cybersecurity specialists urge a multi-layered security posture, emphasizing configuration hardening and network segmentation. A crucial defensive measure is disabling direct ESXi shell access unless it is absolutely indispensable.
The rapid adoption of these specific techniques by other ransomware groups underscores the urgent need for organizations to thoroughly re-evaluate their virtualization security. As attacks directly targeting the hypervisor become more prevalent, adopting proactive defense strategies is no longer merely advisable; it is fundamental to preventing widespread operational disruptions.
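The hardening step above (disabling ESXi shell access) can be audited across a whole vCenter inventory with PowerCLI. The script below is an added example, not code from GTIG or the Infosecurity article; it assumes the VMware.PowerCLI module is installed, that the placeholder hostname is replaced with a real vCenter, and that the account has host-configuration rights. It goes slightly beyond the article by also reporting lockdown mode and the execInstalledOnly boot setting, two related controls that limit what can be run on a host outside of vCenter.

```powershell
# Added example (not from the article): audit every ESXi host for interactive
# hypervisor access (ESXi Shell and SSH) and optionally disable it.
param(
    [string]$VCenter = "vcenter.example.invalid",   # placeholder, replace before use
    [switch]$Remediate                              # audit only unless this is set
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# Service keys: TSM = ESXi Shell, TSM-SSH = SSH daemon
$interactiveKeys = @("TSM", "TSM-SSH")

$report = foreach ($vmhost in Get-VMHost) {
    $svcs = Get-VMHostService -VMHost $vmhost |
            Where-Object { $interactiveKeys -contains $_.Key }
    foreach ($svc in $svcs) {
        if ($Remediate -and ($svc.Running -or $svc.Policy -ne "off")) {
            # Stop the daemon now and keep it from starting again on reboot
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            Set-VMHostService  -HostService $svc -Policy Off      | Out-Null
            # Re-read the service so the report shows the post-change state
            $svc = Get-VMHostService -VMHost $vmhost | Where-Object Key -eq $svc.Key
        }
        [pscustomobject]@{
            Host        = $vmhost.Name
            Service     = $svc.Label
            Running     = $svc.Running
            StartPolicy = $svc.Policy
            # lockdownNormal/lockdownStrict block direct host logins that bypass vCenter
            Lockdown    = $vmhost.ExtensionData.Config.LockdownMode
            # When True, the host refuses to execute binaries not installed from a VIB
            ExecInstalledOnly = (Get-AdvancedSetting -Entity $vmhost `
                                   -Name "VMkernel.Boot.execInstalledOnly").Value
        }
    }
}

# Findings to review: Running = True, StartPolicy on/automatic,
# Lockdown = lockdownDisabled, or ExecInstalledOnly = False.
$report | Sort-Object Host, Service | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without `-Remediate` first to produce a read-only report; changes to the boot setting are deliberately left out because they only take effect after a host reboot and belong in a change window.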
(Source: Info Security)