Scattered Spider is running a VMware ESXi hacking spree

Scattered Spider hackers have been aggressively targeting virtualized environments by attacking VMware ESXi hypervisors at US companies in the retail, airline, transportation, and insurance sectors.

According to the Google Threat Intelligence Group (GTIG), the attackers keep employing their usual tactics, which do not include vulnerability exploits but rely on perfectly executed social engineering to bypass even mature security programs.

The researchers say that the gang starts an attack by impersonating an employee in a call to the IT help desk. The threat actor's purpose is to convince the agent to change the employee's Active Directory password and thus obtain initial access.

This allows Scattered Spider to scan the network for IT documentation that would reveal high-value targets, like the names of domain or VMware vSphere administrators, and security groups that can provide administrative permissions over the virtual environment.

At the same time, they scan for privileged access management (PAM) solutions that could hold sensitive data useful for moving to valuable network assets.

"Armed with the name of a specific high-value administrator, they make additional calls to the help desk. This time, they impersonate the privileged user and request a password reset, allowing them to seize control of a privileged account," the Google Threat Intelligence Group explains.

The hackers then work their way to obtaining access to the company's VMware vCenter Server Appliance (vCSA), a virtual machine used to manage VMware vSphere environments, which include the ESXi hypervisor that runs all the virtual machines on a physical server.

This level of access allows them to enable SSH connections on ESXi hosts and reset the root passwords. Further, they execute a so-called "disk-swap" attack to extract the critical NTDS.dit database of the Active Directory.

A disk-swap attack occurs when the threat actors power off a Domain Controller virtual machine (VM) and detach its virtual disk, only to attach it to another, unmonitored VM they control. After copying the sensitive data (e.g., the NTDS.dit file), they revert the process and power the domain controller back on.

It is important to note that the level of control Scattered Spider obtains over the virtual infrastructure allows them to manage every asset available, including the backup machines, which are wiped of backup jobs, snapshots, and repositories.

In the last phase of the attack, Scattered Spider leverages their SSH access to deliver and deploy ransomware binaries that encrypt all VM files detected in the datastores.

Based on their observations, GTIG researchers say that a Scattered Spider attack has five distinct phases that allow the hackers to move from low-level access to complete control over the hypervisor.

A complete Scattered Spider attack chain, from initial access to data exfiltration and ransomware deployment, can happen in just a few hours.

"Even without exploiting any software vulnerabilities, the threat actor manages to obtain an unprecedented level of control over an entire virtualized environment, allowing them to bypass many traditional in-guest security controls," a Google representative told BleepingComputer.

While targeting ESXi hypervisors is not new (it was seen in high-profile Scattered Spider breaches like the 2023 MGM Resorts attack), GTIG notes that they are seeing more ransomware groups adopt this tactic and expect the problem to grow.

One reason behind this could be that adversaries have noticed that VMware infrastructure is often poorly understood by organizations and consequently not as robustly defended.

To help organizations protect against these attacks, Google published a technical post describing the stages of a Scattered Spider attack, explaining why it is efficient, and providing actions that a company can take to detect the breach at an earlier phase.

The proposed measures can be summarized in three main pillars.

Scattered Spider, also known as UNC3944, Octo Tempest, and 0ktapus, is a financially motivated threat group specialized in social engineering to a level that it can impersonate company employees using the appropriate vocabulary and accent.

It has recently upped its activity with attacks on large UK retail firms, airline and transportation entities, and insurance companies.

Although the UK's National Crime Agency arrested four suspected members of the group, the malicious activity originating from other clusters has not subsided.