
The infamous cybercriminal group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks against the retail, airline, and transportation sectors in North America.
"The group's core tactics are consistent and do not rely on software exploits. Instead, they use proven playbooks centered around calling the IT help desk," Google's Mandiant team said in an extensive analysis.
"The actors are aggressive and creative, and are particularly skilled at bypassing mature security programs using social engineering. The attacks are not opportunistic; they are precise, campaign-driven operations targeting the organization's most important systems and data."
Also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors adopt a living-off-the-land (LotL) approach: they use sophisticated social engineering to gain initial access to the victim environment, operate through trusted management systems, and abuse Active Directory's integration with the VMware environment to reach the hypervisor layer.

Google said the method, which provides a pathway for data exfiltration and ransomware deployment directly from the hypervisor, is "very effective" because it bypasses endpoint security tools and leaves almost no trace of the compromise.

The attack chain unfolds in five phases –

1. Initial compromise, reconnaissance, and privilege escalation: the threat actors gather IT documentation, support guides, organizational charts, and the identities of vSphere administrators, and enumerate credentials from password managers such as HashiCorp Vault and other Privileged Access Management (PAM) solutions. They have also been observed making additional calls to the company's IT help desk, impersonating a high-value administrator and requesting a password reset to take control of that account.
2. Pivot into the virtual environment using the mapped Active Directory-to-vSphere credentials to gain access to the VMware vCenter Server Appliance (VCSA). Teleport is then used to establish a persistent, encrypted reverse shell.
3. Enable SSH on the ESXi hosts and reset the root password where it is not already known.
4. Offline extraction of the NTDS.dit Active Directory database. This works by powering off a Domain Controller (DC) virtual machine (VM), detaching its virtual disk, and attaching that disk to another VM under the attacker's control. Once NTDS.DIT has been copied, the process is reversed and the DC is powered back on, so the DC itself never observes a logon or a file access.
5. Weaponize the access to delete backup jobs, snapshots, and repositories, and use SSH access to the ESXi hosts to block recovery and push custom ransomware binaries via SCP/SFTP.
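Because phase 4 never touches the Domain Controller's operating system, the evidence lives in vCenter and ESXi events rather than on the endpoint. The following script is an added example (it is not code from the Mandiant report or from VMware) showing the correlation a SOC can run over that event stream: it flags a DC VM being powered off, its VMDK detached, and the same VMDK attached to a different VM inside a time window, and separately lists hosts where SSH was enabled (phase 3). The event type names VmPoweredOffEvent, VmReconfiguredEvent, VmPoweredOnEvent and esx.audit.ssh.enabled are real vSphere identifiers, but the flat record layout, the `detail` wording, the VM and host names, and the timeline are all constructed assumptions for illustration; a production version would read events from the vSphere API or a SIEM and adapt the disk-change parsing to the real ConfigSpec data.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed simplified detail format for disk add/remove reconfigurations, e.g.
# "disk removed: [datastore1] DC01/DC01.vmdk". Real vCenter events carry this
# in the configSpec/configChanges structure, not as free text.
DISK_RE = re.compile(r"disk (added|removed): (\[[^\]]+\] \S+\.vmdk)")


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str    # vSphere event type name
    user: str    # principal that performed the action
    obj: str     # VM name (or ESXi host name for host-level audit events)
    detail: str  # assumed simplified description


def _t(s):
    return datetime.fromisoformat(s)


# Defender-maintained list of VMs that host domain controllers (constructed).
DC_VMS = {"DC01", "DC02"}

# Constructed sample timeline: one NTDS.dit theft sequence against DC01 and a
# benign patch reboot of DC02 that must not be flagged.
EVENTS = [
    Event(_t("2025-07-21T02:10:00"), "esx.audit.ssh.enabled", "administrator@vsphere.local", "esx-prod-07", "SSH access has been enabled"),
    Event(_t("2025-07-21T02:14:30"), "VmPoweredOffEvent", "administrator@vsphere.local", "DC01", "DC01 on esx-prod-07 is powered off"),
    Event(_t("2025-07-21T02:15:05"), "VmReconfiguredEvent", "administrator@vsphere.local", "DC01", "disk removed: [datastore1] DC01/DC01.vmdk"),
    Event(_t("2025-07-21T02:15:40"), "VmReconfiguredEvent", "administrator@vsphere.local", "tmp-vm", "disk added: [datastore1] DC01/DC01.vmdk"),
    Event(_t("2025-07-21T02:31:12"), "VmReconfiguredEvent", "administrator@vsphere.local", "tmp-vm", "disk removed: [datastore1] DC01/DC01.vmdk"),
    Event(_t("2025-07-21T02:31:50"), "VmReconfiguredEvent", "administrator@vsphere.local", "DC01", "disk added: [datastore1] DC01/DC01.vmdk"),
    Event(_t("2025-07-21T02:32:20"), "VmPoweredOnEvent", "administrator@vsphere.local", "DC01", "DC01 on esx-prod-07 is powered on"),
    Event(_t("2025-07-21T03:00:00"), "VmPoweredOffEvent", "patchbot@corp.local", "DC02", "DC02 on esx-prod-03 is powered off"),
    Event(_t("2025-07-21T03:04:00"), "VmPoweredOnEvent", "patchbot@corp.local", "DC02", "DC02 on esx-prod-03 is powered on"),
]


def parse_disk_change(ev):
    """Return (action, vmdk) for a reconfiguration that adds/removes a disk, else None."""
    if ev.kind != "VmReconfiguredEvent":
        return None
    m = DISK_RE.search(ev.detail)
    return (m.group(1), m.group(2)) if m else None


def find_dc_disk_swaps(events, dc_vms, window_s=7200):
    """Flag the offline NTDS.dit theft pattern: a DC VM is powered off, one of
    its disks is detached, and the same VMDK is attached to a *different* VM
    within window_s seconds of the power-off. A plain reboot, or a disk that
    is re-attached to the same DC, produces no finding."""
    events = sorted(events, key=lambda e: e.time)
    window = timedelta(seconds=window_s)
    findings = []
    for i, off in enumerate(events):
        if off.kind != "VmPoweredOffEvent" or off.obj not in dc_vms:
            continue
        detached = {}  # vmdk -> time it was removed from this DC
        for ev in events[i + 1:]:
            if ev.time > off.time + window:
                break
            change = parse_disk_change(ev)
            if not change:
                continue
            action, vmdk = change
            if action == "removed" and ev.obj == off.obj:
                detached[vmdk] = ev.time
            elif action == "added" and ev.obj != off.obj and vmdk in detached:
                findings.append({
                    "dc": off.obj, "vmdk": vmdk, "attached_to": ev.obj,
                    "user": ev.user, "powered_off": off.time, "attached": ev.time,
                })
                del detached[vmdk]
    return findings


def find_ssh_enabled(events):
    """Return (host, user) pairs for every SSH-enablement audit event."""
    return [(e.obj, e.user) for e in events if e.kind == "esx.audit.ssh.enabled"]


if __name__ == "__main__":
    for host, user in find_ssh_enabled(EVENTS):
        print(f"[SSH ENABLED] host={host} by={user}")
    for f in find_dc_disk_swaps(EVENTS, DC_VMS):
        print(f"[DC DISK SWAP] {f['dc']} disk {f['vmdk']} attached to {f['attached_to']} "
              f"by {f['user']} ({f['powered_off']:%H:%M:%S} -> {f['attached']:%H:%M:%S})")
```

The window matters: the whole DC01 sequence above completes in under twenty minutes, which matches the "hours, not days" tempo the report describes, so a detection keyed on a short window around a DC power-off is both specific and fast. The same VmReconfiguredEvent feed also catches the phase 5 behaviour if extended to snapshot removal and datastore deletions.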
"The UNC3944 playbook requires a fundamental change in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense," Google said. "This threat differs from traditional Windows ransomware in two ways: speed and stealth."
The technology giant also called out the threat actors' "extreme speed," noting that the entire infection sequence, from initial access through data exfiltration to the final ransomware deployment, can play out within hours.

According to Palo Alto Networks Unit 42, the Scattered Spider actors are not only proficient in social engineering but have also partnered with the DragonForce (aka Slippery Scorpius) ransomware program, exfiltrating more than 100 GB of data over two days in one intrusion.
To combat such threats, organizations are recommended to adopt three layers of protection –
Enable vSphere lockdown mode, enforce execInstalledOnly, implement vSphere VM encryption, decommission obsolete VMs, harden the help desk, roll out phishing-resistant multi-factor authentication (MFA), and build isolated, critical identity infrastructure.

Google is also urging organizations to re-architect their systems with security in mind when migrating off VMware vSphere 7, which reaches end of life (EoL) in October 2025.

"Ransomware targeting vSphere infrastructure, including both ESXi hosts and vCenter servers, poses a distinct and serious risk because of its ability to paralyze the infrastructure instantly and broadly," Google said.
"Failure to proactively address these interconnected risks by implementing the recommended mitigations will leave organizations exposed to targeted attacks that could quickly cripple their entire virtualized infrastructure, leading to operational disruption and financial losses."