Scattered Spider's Advanced Social Engineering Attacks on VMware ESXi in North America
Discover how Scattered Spider targets VMware ESXi using sophisticated social engineering tactics, primarily through fake IT help desk calls, rather than traditional software exploits.
TL;DR
The cybercrime group Scattered Spider is targeting VMware ESXi hypervisors in North America using social engineering tactics, primarily fake IT help desk calls. Their approach involves exploiting human vulnerabilities rather than software flaws, making their attacks highly effective and difficult to detect.
Scattered Spider Targets VMware ESXi in North America Using Social Engineering
The cybercrime group Scattered Spider (also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944) has been targeting VMware ESXi hypervisors in the retail, airline, and transportation sectors across North America. According to Google’s Mandiant team, the group employs social engineering tactics, primarily deceptive phone calls to IT help desks, rather than traditional software exploits.
Living-Off-the-Land Approach
Scattered Spider utilizes a “living-off-the-land” (LotL) approach. After gaining access through social engineering, they abuse Active Directory to reach VMware vSphere, exfiltrate data, and deploy ransomware from the hypervisor. This method bypasses Endpoint Detection and Response (EDR) tools and leaves minimal signs of compromise. The LotL tactic is effective because the Virtual Center appliance and ESXi hypervisor cannot run traditional EDR agents, creating a significant visibility gap at the virtualization layer.
Attack Chain Overview
The attack chain employed by Scattered Spider consists of five distinct phases:
Phase 1: Initial Access
Scattered Spider begins by exploiting human vulnerabilities rather than software flaws. Using stolen personal data, they impersonate employees in calls to the IT help desk, requesting password resets for user and later, privileged administrator accounts. This social engineering tactic allows them to bypass traditional technical attacks and gain internal access.
Once inside, the group conducts dual reconnaissance:
- Path A: Scans internal documents (e.g., SharePoint, wikis) to identify admins and high-privilege AD groups like “vSphere Admins.”
- Path B: Seeks access to secrets stored in password managers or Privileged Access Management (PAM) tools.
After identifying privileged users, they call again, impersonating them to gain full admin access. This leads to AD privilege escalation and sets the stage for attacks on VMware infrastructure. Detection relies on monitoring password resets, group membership changes, and unusual file access. Key mitigations include prohibiting phone-based resets for privileged accounts and hardening sensitive systems and documentation.
Phase 2: Privilege Escalation
After gaining privileged AD credentials, attackers log into the vCenter GUI and reboot the VCSA to edit GRUB, granting root shell access. They reset the root password, enable SSH, and deploy Teleport, a legitimate remote access tool, as a persistent encrypted Command and Control (C2) channel. This grants stealthy control over the hypervisor. The method is effective due to the lack of Multi-Factor Authentication (MFA) and vCenter’s inherent trust in AD.
Phase 3: Data Exfiltration
Attackers exploit vSphere access to steal AD credentials offline. They enable SSH on ESXi hosts, power off the Domain Controller VM, detach its disk, mount it on an orphaned VM, and extract the NTDS.dit file. The data is then exfiltrated via Teleport C2. This stealthy method avoids EDR detection and bypasses segmentation. Key defenses include VM encryption, removing unused VMs, hardening ESXi access, and enabling remote audit logging.
Phase 4: Backup Sabotage
Attackers sabotage backups before ransomware deployment by abusing Domain Admin access or adding users to “Veeam Administrators” in AD, deleting backup jobs and snapshots.
Phase 5: Ransomware Deployment
In the final phase, attackers use SSH on ESXi hosts to upload ransomware, forcibly power off all VMs, and encrypt VM files. This bypasses in-guest security.
Expert Insights
According to a report published by Google Threat Intelligence Group (GTIG), “UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense. This threat differs from traditional Windows ransomware in two ways: speed and stealth. While traditional actors may have a dwell time of days or even weeks for reconnaissance, UNC3944 operates with extreme velocity; the entire attack chain from initial access to data exfiltration and final ransomware deployment can occur in mere hours.”
Conclusion
The sophisticated tactics employed by Scattered Spider highlight the need for proactive, infrastructure-centric defense strategies. Organizations must prioritize monitoring and hardening their systems to detect and mitigate such advanced threats effectively.
Additional Resources
For further insights, check: