Redazione RHC : 28 July 2025 14:47
The Scattered Spider group has intensified its attacks on corporate IT environments, targeting the VMware ESXi hypervisors of US companies in the retail, transportation, and insurance sectors. These attacks do not exploit traditional software vulnerabilities; they rely instead on social engineering skilled enough to get past even well-defended environments.
According to the Google Threat Intelligence Group, the initial phase of the attack relies on impersonating a company employee in a call to the IT help desk. The attacker persuades support staff to reset the user’s Active Directory password and so gains an initial foothold on the internal network. From there the search begins for valuable technical documentation and for key accounts, primarily domain administrators, VMware vSphere administrators, and members of groups with extended rights.
In parallel, the attackers scan for Privileged Access Management (PAM) solutions, whose vaults may hold credentials that enable further movement through the infrastructure. With the names of privileged users in hand, they call the help desk again, this time posing as those administrators, and request another password reset in order to obtain privileged access.
The next step is to take control of the vCenter Server Appliance (vCSA), the VMware vCenter management server that administers the entire ESXi estate and the virtual machines running on the physical hosts. With this level of access, the attackers enable SSH on the ESXi hosts, reset the root passwords, and carry out a so-called disk-swap (virtual disk replacement) attack.
The technique works as follows: power off a domain controller VM, detach its virtual disk, and attach it to another virtual machine under the attackers’ control. From that VM they copy NTDS.dit, the Active Directory database that holds the password hashes, then reattach the disk and power the original machine back on. Because the domain controller’s operating system is never running while its disk is read, the theft produces no trace in the guest’s own event logs or in any EDR agent installed there; the only records of it are on the vCenter and ESXi side.
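The disk-swap chain described above, together with the SSH enablement from the previous paragraph, is visible only in hypervisor-side telemetry. The following is an added example (not code from the Google report or from this article) of a correlation rule that flags it. It runs over a constructed, simplified list of vCenter-style events with hypothetical field names; real vCenter and ESXi event formats differ and the field mapping is an assumption. The rule fires when a known domain controller has a virtual disk detached and that same VMDK is attached to a different VM within a short window, and it annotates each finding with whether the DC was powered off just beforehand and whether SSH was enabled on the host in the run-up.

```python
"""Correlation rule for the ESXi disk-swap attack (added example, not from the original article).

Field names (time, user, event, host, vm, disk) are hypothetical simplifications of
vCenter events; adapt them to whatever your vCenter/ESXi log pipeline emits.
"""
from datetime import datetime, timedelta

# Constructed sample events, in the order they occurred (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-07-20T02:10:05", "user": "svc_vmadmin", "event": "SSHEnabled",
     "host": "esx01", "vm": None, "disk": None},
    {"time": "2025-07-20T02:12:40", "user": "svc_vmadmin", "event": "VmPoweredOff",
     "host": "esx01", "vm": "DC01", "disk": None},
    {"time": "2025-07-20T02:13:10", "user": "svc_vmadmin", "event": "VmReconfigured:DiskRemoved",
     "host": "esx01", "vm": "DC01", "disk": "[ds1] DC01/DC01.vmdk"},
    {"time": "2025-07-20T02:14:02", "user": "svc_vmadmin", "event": "VmReconfigured:DiskAdded",
     "host": "esx01", "vm": "tmp-vm", "disk": "[ds1] DC01/DC01.vmdk"},
    # ... attacker copies NTDS.dit from tmp-vm, then puts the disk back ...
    {"time": "2025-07-20T02:41:30", "user": "svc_vmadmin", "event": "VmReconfigured:DiskRemoved",
     "host": "esx01", "vm": "tmp-vm", "disk": "[ds1] DC01/DC01.vmdk"},
    {"time": "2025-07-20T02:42:00", "user": "svc_vmadmin", "event": "VmReconfigured:DiskAdded",
     "host": "esx01", "vm": "DC01", "disk": "[ds1] DC01/DC01.vmdk"},
    {"time": "2025-07-20T02:42:30", "user": "svc_vmadmin", "event": "VmPoweredOn",
     "host": "esx01", "vm": "DC01", "disk": None},
    # Benign: an admin adds a disk to a file server during the day; must not fire.
    {"time": "2025-07-20T10:00:00", "user": "jsmith", "event": "VmReconfigured:DiskAdded",
     "host": "esx02", "vm": "FS01", "disk": "[ds2] FS01/FS01_1.vmdk"},
]

# Hypothetical inventory of VMs that are domain controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_disk_swaps(events, domain_controllers, window=WINDOW):
    """Return one finding per DC disk that was detached and then attached to another VM within `window`."""
    events = sorted(events, key=_ts)
    findings = []
    for i, removed in enumerate(events):
        if removed["event"] != "VmReconfigured:DiskRemoved" or removed["vm"] not in domain_controllers:
            continue
        t0 = _ts(removed)
        earlier = [e for e in events[:i] if t0 - window <= _ts(e) <= t0]
        # A disk can only be detached from a powered-off VM: a DC shutdown right before is expected.
        powered_off = any(e["event"] == "VmPoweredOff" and e["vm"] == removed["vm"] for e in earlier)
        # SSH on the host is not needed for the swap itself but is enabled early for the later ransomware stage.
        ssh_enabled = any(e["event"] == "SSHEnabled" and e["host"] == removed["host"] for e in earlier)
        for later in events[i + 1:]:
            if _ts(later) - t0 > window:
                break
            if (later["event"] == "VmReconfigured:DiskAdded"
                    and later["disk"] == removed["disk"]
                    and later["vm"] != removed["vm"]):
                findings.append({
                    "dc": removed["vm"],
                    "disk": removed["disk"],
                    "attached_to": later["vm"],
                    "user": later["user"],
                    "host": removed["host"],
                    "dc_powered_off_first": powered_off,
                    "ssh_enabled_on_host": ssh_enabled,
                    "detached_at": removed["time"],
                    "attached_at": later["time"],
                })
                break  # one finding per detach; the re-attach to the DC later is not a new swap
    return findings


if __name__ == "__main__":
    for finding in detect_disk_swaps(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"DISK SWAP: {finding['disk']} moved from {finding['dc']} to {finding['attached_to']} "
              f"by {finding['user']} on {finding['host']} "
              f"(DC powered off first: {finding['dc_powered_off_first']}, "
              f"SSH enabled on host: {finding['ssh_enabled_on_host']})")
```

Note that the re-attach of the disk to DC01 at the end of the sample does not produce a second alert, because the detach it follows is from tmp-vm, not from a domain controller; the benign FS01 disk addition is ignored for the same reason. In a real deployment the VM list and the event field mapping have to come from your own vCenter inventory and log pipeline.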
With full control of the virtualization layer, the attackers also reach the backup systems: they cancel schedules, delete snapshots, and destroy backup repositories. The final stage is deploying the ransomware over SSH to the ESXi hosts, encrypting the virtual machine files on the datastores. The result is mass encryption of the VMs and a complete loss of control by the organization.
Google describes the attack in five phases, from the initial social engineering to takeover of the entire ESXi infrastructure. In practice, the whole chain, from the first help-desk call to ransomware deployment, can take only a few hours. Notably, no software vulnerability is exploited at any point; the chain is so effective because every step uses legitimate administrative functions with legitimately issued credentials, which is why it sidesteps most built-in protections.
A similar approach was already used by Scattered Spider in the high-profile 2023 incident involving MGM Resorts. Today, more and more groups are adopting these tactics. One reason is that many organizations lack familiarity with VMware infrastructure and so leave it insufficiently protected.
To mitigate the risk, Google has published technical guidance focusing on three main areas:
The Scattered Spider group, also known as UNC3944, Octo Tempest, or 0ktapus, is one of the most dangerous in the world. It stands out for its convincing impersonation: the attackers not only copy employees’ speech patterns, but also reproduce their pronunciation, vocabulary, and communication style. Despite the recent arrests of four alleged members in the United Kingdom, the group’s activity has not stopped. Indeed, in recent months its attacks have become increasingly bold and large-scale.