---
title: "Scattered Spider's Advanced Social Engineering Attacks on VMware ESXi in North America"
categories: [Cybersecurity & Data Protection,Cyber Attacks]
description: "Discover how Scattered Spider targets VMware ESXi using sophisticated social engineering tactics, primarily through fake IT help desk calls, rather than traditional software exploits."
author: "Vitus"
date: 2025-07-28
tags: [cybersecurity, threat intelligence, vmware]
---

## TL;DR
The cybercrime group Scattered Spider is targeting VMware ESXi hypervisors in North America using social engineering tactics, primarily fake IT help desk calls. Their approach involves exploiting human vulnerabilities rather than software flaws, making their attacks highly effective and difficult to detect.

## Scattered Spider Targets VMware ESXi in North America Using Social Engineering

The cybercrime group [Scattered Spider](https://securityaffairs.com/179557/cyber-crime/qantas-confirms-customer-data-breach-amid-scattered-spider-attacks.html) (also known as [0ktapus](https://securityaffairs.com/134851/hacking/0ktapus-phishing-campaign.html), [Muddled Libra](https://securityaffairs.com/179782/data-breach/qantas-data-breach-impacted-5-7-million-individuals.html), [Octo Tempest](https://securityaffairs.com/wp-content/uploads/2013/07/cybercrime.jpg), and [UNC3944](https://securityaffairs.com/177974/cyber-crime/shields-up-us-retailers-scattered-spider-threat-actors.html)) has been targeting VMware ESXi hypervisors in the retail, airline, and transportation sectors across North America. According to Google's Mandiant team, the group employs social engineering tactics, primarily deceptive phone calls to IT help desks, rather than traditional software exploits.

## Living-Off-the-Land Approach

Scattered Spider utilizes a "living-off-the-land" (LotL) approach. After gaining access through social engineering, they abuse Active Directory to reach VMware vSphere, exfiltrate data, and deploy ransomware from the hypervisor. This method bypasses Endpoint Detection and Response (EDR) tools and leaves minimal signs of compromise. The LotL tactic is effective because the Virtual Center appliance and ESXi hypervisor cannot run traditional EDR agents, creating a significant visibility gap at the virtualization layer.

## Attack Chain Overview

The attack chain employed by Scattered Spider consists of five distinct phases:

### Phase 1: Initial Access
Scattered Spider begins by exploiting human vulnerabilities rather than software flaws. Using stolen personal data, they impersonate employees in calls to the IT help desk, requesting password resets, first for ordinary user accounts and later for privileged administrator accounts. This social engineering tactic lets them bypass traditional technical attacks and gain internal access.

Once inside, the group conducts dual reconnaissance:
- **Path A**: Scans internal documents (e.g., SharePoint, wikis) to identify admins and high-privilege AD groups like "vSphere Admins."
- **Path B**: Seeks access to secrets stored in password managers or Privileged Access Management (PAM) tools.

After identifying privileged users, they call again, impersonating them to gain full admin access. This leads to AD privilege escalation and sets the stage for attacks on VMware infrastructure. Detection relies on monitoring password resets, group membership changes, and unusual file access. Key mitigations include prohibiting phone-based resets for privileged accounts and hardening sensitive systems and documentation.

### Phase 2: Privilege Escalation
After gaining privileged AD credentials, attackers log into the vCenter GUI and reboot the VCSA to edit GRUB, granting root shell access. They reset the root password, enable SSH, and deploy *Teleport*, a legitimate remote access tool, as a persistent encrypted Command and Control (C2) channel. This grants stealthy control over the hypervisor. The method is effective due to the lack of Multi-Factor Authentication (MFA) and vCenter's inherent trust in AD.

### Phase 3: Data Exfiltration
Attackers exploit vSphere access to steal AD credentials offline. They enable SSH on ESXi hosts, power off the Domain Controller VM, detach its disk, mount it on an orphaned VM, and extract the NTDS.dit file. The data is then exfiltrated via Teleport C2. This stealthy method avoids EDR detection and bypasses segmentation. Key defenses include VM encryption, removing unused VMs, hardening ESXi access, and enabling remote audit logging.

### Phase 4: Backup Sabotage
Before deploying ransomware, attackers sabotage backups: using their Domain Admin access, or by adding accounts to the "Veeam Administrators" group in AD, they delete backup jobs and snapshots so that recovery without paying is impossible.

### Phase 5: Ransomware Deployment
In the final phase, attackers use SSH on ESXi hosts to upload ransomware, forcibly power off all VMs, and encrypt VM files. This bypasses in-guest security.
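A defender-side correlation check for the Phase 3 sequence, as an added example that is not part of the original post or Google's report: it scans normalized vSphere events for a domain controller's disk being detached and then attached to a different VM, and records whether SSH was enabled on the same ESXi host and the DC powered off shortly before. The action vocabulary, host and VM names, and the sample log are constructed assumptions; mapping real vCenter and ESXi events onto them is left to the reader.

```python
from datetime import datetime, timedelta

# Constructed sample log, normalized to (timestamp, action, esxi_host, vm, disk).
# The action vocabulary is assumed; real vCenter/ESXi events must be mapped to it.
SAMPLE_EVENTS = [
    ("2025-07-28T01:05:00", "ssh_enabled",    "esx01", None,        None),
    ("2025-07-28T01:20:00", "vm_powered_off", "esx01", "DC01",      None),
    ("2025-07-28T01:22:00", "disk_detached",  "esx01", "DC01",      "[ds1] DC01/DC01.vmdk"),
    ("2025-07-28T01:25:00", "disk_attached",  "esx01", "orphan-vm", "[ds1] DC01/DC01.vmdk"),
    ("2025-07-28T09:00:00", "vm_powered_off", "esx02", "web03",     None),  # routine maintenance
]

DC_VMS = {"DC01", "DC02"}    # assumption: inventory of domain controller VM names
WINDOW = timedelta(hours=2)  # the whole chain runs in hours, so a short window still catches it


def find_dc_disk_reattachments(events, dc_vms=DC_VMS, window=WINDOW):
    """Flag a domain controller's disk being detached and attached to another VM.

    Each alert also records whether SSH was enabled on the same ESXi host and
    whether the DC was powered off inside the window, the two preconditions of
    the offline NTDS.dit extraction described in Phase 3.
    """
    ssh_on = {}       # host -> time SSH was last enabled
    powered_off = {}  # vm -> time it was last powered off
    detached = {}     # disk path -> (time, DC it was removed from)
    alerts = []
    for stamp, action, host, vm, disk in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(stamp)
        if action == "ssh_enabled":
            ssh_on[host] = t
        elif action == "vm_powered_off":
            powered_off[vm] = t
        elif action == "disk_detached" and vm in dc_vms:
            detached[disk] = (t, vm)
        elif action == "disk_attached" and disk in detached:
            t0, src = detached[disk]
            if vm != src and t - t0 <= window:
                alerts.append({
                    "time": stamp, "host": host, "disk": disk,
                    "source_vm": src, "target_vm": vm,
                    "ssh_enabled_first": host in ssh_on and t - ssh_on[host] <= window,
                    "dc_powered_off_first": src in powered_off and t - powered_off[src] <= window,
                })
    return alerts

if __name__ == "__main__":
    for alert in find_dc_disk_reattachments(SAMPLE_EVENTS):
        print(alert)
```

Reattaching the disk to the same DC after maintenance produces no alert, so the check stays quiet on routine disk operations while catching the cross-VM move the report describes.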

## Expert Insights

According to a [report](https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944/) published by Google Threat Intelligence Group (GTIG), "UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense. This threat differs from traditional Windows ransomware in two ways: speed and stealth. While traditional actors may have a dwell time of days or even weeks for reconnaissance, UNC3944 operates with extreme velocity; the entire attack chain from initial access to data exfiltration and final ransomware deployment can occur in mere hours."

## Conclusion
The sophisticated tactics employed by Scattered Spider highlight the need for proactive, infrastructure-centric defense strategies. Organizations must prioritize monitoring and hardening their systems to detect and mitigate such advanced threats effectively.

## Additional Resources
For further insights, check:
- [Google Threat Intelligence Group Report](https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944/)
- [Mandiant's Analysis on Scattered Spider](https://securityaffairs.com/177974/cyber-crime/shields-up-us-retailers-scattered-spider-threat-actors.html)

## References
[^1]: "Qantas confirms customer data breach amid Scattered Spider attacks" (2025). [Qantas confirms customer data breach amid Scattered Spider attacks](https://securityaffairs.com/179557/cyber-crime/qantas-confirms-customer-data-breach-amid-scattered-spider-attacks.html). Security Affairs. Retrieved 2025-07-28.
[^2]: "0ktapus phishing campaign" (2023). [0ktapus phishing campaign](https://securityaffairs.com/134851/hacking/0ktapus-phishing-campaign.html). Security Affairs. Retrieved 2025-07-28.
[^3]: "Qantas data breach impacted 5.7 million individuals" (2025). [Qantas data breach impacted 5.7 million individuals](https://securityaffairs.com/179782/data-breach/qantas-data-breach-impacted-5-7-million-individuals.html). Security Affairs. Retrieved 2025-07-28.
[^4]: "Shields up: US retailers face Scattered Spider threat actors" (2025). [Shields up: US retailers face Scattered Spider threat actors](https://securityaffairs.com/177974/cyber-crime/shields-up-us-retailers-scattered-spider-threat-actors.html). Security Affairs. Retrieved 2025-07-28.
[^5]: "Defending vSphere from UNC3944" (2025). [Defending vSphere from UNC3944](https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944/). Google Cloud. Retrieved 2025-07-28.
This post is licensed under CC BY 4.0 by the author.