Scattered Spider targeting VMware hypervisors | #ransomware | #cybercrime


Attacks have affected US government, retail and aviation


Scattered Spider, the hacking collective behind attacks on Marks & Spencer, Hawaiian Airlines and WestJet, is “aggressively” targeting VMware virtualised environments.

Google’s Threat Intelligence Group (GTIG) says UNC3944, a group that overlaps with Scattered Spider, is attacking VMware ESXi hypervisors at companies in the retail, airline, transportation and insurance sectors.

Although GTIG specifically discusses attacks in the USA, cyber campaigns tend to spread quickly, so EU and UK customers should also be vigilant.

Scattered Spider’s modus operandi is to start attacks with social engineering, and that is also the case in this new campaign.

“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programmes,” said GTIG. “Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organisation’s most critical systems and data.”

The attack begins with a call to a company’s IT service desk, where the attacker poses as a specific employee. Their aim is to convince the agent to change that employee’s Active Directory password to obtain initial access.

From there they scan IT documentation for the names of high-value targets like vSphere administrators, working their way inward in an attempt to obtain access to the company’s VMware vCenter Server Appliance (vCSA).

The vCSA is a virtual machine that can be used to manage VMware vSphere environments, including the ESXi hypervisor.

If they aren’t stopped, the attackers can gain nearly full control of a company’s virtual machines – including wiping backup jobs and repositories – and deliver ransomware to encrypt all VM files they find.

[Figure: The typical Scattered Spider attack chain. Source: Google]

Without exploiting software vulnerabilities, Scattered Spider attackers can obtain “an unprecedented level of control over an entire virtualised environment, allowing them to bypass many traditional in-guest security controls,” a Google spokesperson told BleepingComputer.

Google also called out the group’s “extreme velocity”: the whole attack chain can take place over just a few hours.

“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defence.

“This threat differs from traditional Windows ransomware in two ways: speed and stealth.”

More and more ransomware groups have begun targeting ESXi hypervisors, Google notes. This may be because organisations rarely have a complete understanding of their VMware infrastructure, making it a weak point.

To help with that, GTIG advises the following steps:

  • Proactive hardening of defences: Build for centralised access, enable vSphere lockdown mode and enforce execInstalledOnly.
  • Identity and architectural integrity: Enforce MFA, isolate critical infrastructure and avoid authentication loops.
  • Advanced detection and recovery: Build alerts that detect attempts to bypass previous hardening controls, centralise and monitor key logs, and focus on high-fidelity alerts.
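As an added example (not part of the article or of GTIG's published guidance), the PowerCLI script below audits every ESXi host managed by a vCenter for the two host-level controls named in the first bullet: lockdown mode and the execInstalledOnly boot option. It assumes VMware PowerCLI is installed and that the vCenter name is supplied as a parameter; it only reads settings and reports, leaving remediation to change control.

```powershell
# Added audit script: reports ESXi hosts whose lockdown mode or
# execInstalledOnly setting does not match the hardening advice above.
# Assumes VMware PowerCLI is installed; the vCenter name is a placeholder.
param(
    [Parameter(Mandatory)] [string] $VCenter   # e.g. vcsa.example.invalid (placeholder)
)

Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($vmhost in Get-VMHost) {
    # Lockdown mode is exposed on HostConfigInfo as
    # lockdownDisabled / lockdownNormal / lockdownStrict
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode

    # execInstalledOnly is the VMkernel boot option that refuses to run
    # binaries that were not installed from a signed VIB (takes effect on reboot)
    $eio = Get-AdvancedSetting -Entity $vmhost -Name 'VMkernel.Boot.execInstalledOnly'
    $eioEnabled = ($eio.Value -eq $true)

    [pscustomobject]@{
        Host              = $vmhost.Name
        LockdownMode      = $lockdown
        ExecInstalledOnly = $eioEnabled
        Compliant         = ($lockdown -ne 'lockdownDisabled') -and $eioEnabled
    }
}

# Non-compliant hosts sort first so they stand out in a scheduled report
$findings | Sort-Object Compliant, Host | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run on a schedule and diff the output against the previous run: a host that flips from compliant to non-compliant between two runs is exactly the "attempt to bypass previous hardening controls" the third bullet asks defenders to alert on.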

“The threat is immediate, and the attack chain is proven,” writes Google. “Mandiant has observed that the successful hypervisor-level tactics leveraged by groups like UNC3944 are no longer exclusive; these same TTPs are now being actively adopted by other ransomware groups. This proliferation turns a specialised threat into a mainstream attack vector, making the time to act now.”


