Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure


July 28th, 2025 | 5 min read | Category: Cyber Attack / Ransomware

In a concerning escalation of cyber threats, the cybercrime group known as Scattered Spider has set its sights on VMware ESXi hypervisors, targeting critical sectors such as retail, airline, and transportation across North America. Known for their precision and campaign-driven operations, Scattered Spider’s attacks are not opportunistic but are aimed at an organization’s most vital systems and data.


The Playbook of Scattered Spider

The group, also referred to as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, employs advanced social engineering tactics to gain initial access to victim environments. They then adopt a “living-off-the-land” (LotL) approach, manipulating trusted administrative systems and leveraging control of Active Directory to pivot to the VMware vSphere environment. This method, which facilitates data exfiltration and ransomware deployment directly from the hypervisor, is highly effective as it bypasses security tools and leaves minimal traces of compromise.


The Attack Chain Unveiled

The attack unfolds over five distinct phases:

  1. Initial Compromise and Escalation: The attackers harvest information related to IT documentation, support guides, and vSphere administrators. They impersonate high-value administrators to request password resets and gain control of accounts.
  2. Pivoting to Virtual Environments: Using Active Directory credentials that map to vSphere roles, they gain access to the VMware vCenter Server Appliance (vCSA) and run Teleport to create a persistent reverse shell.
  3. SSH Connections and Disk-Swap Attack: They enable SSH connections on ESXi hosts, reset root passwords, and execute a “disk-swap” attack to extract the NTDS.dit Active Directory database.
  4. Inhibiting Recovery: The attackers delete backup jobs, snapshots, and repositories to prevent recovery.
  5. Ransomware Deployment: Using SSH access, they push their custom ransomware binary via SCP/SFTP.
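Several steps in the chain above leave traces in ESXi host logs: SSH being enabled, a root login over SSH, a root password change, lockdown mode being turned off, and snapshot removal. The following script is an added example written for this article (not code from Mandiant, VMware, or the article's author) that scores constructed, illustrative log lines against those observables and flags a host whose combined score crosses a threshold. The log formats are loosely modelled on hostd.log, auth.log and shell.log entries, the rule weights and the threshold are assumptions, and the host names and IP address are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on ESXi hostd.log, auth.log and
# shell.log entries. They are illustrative only, not captured from a real host.
SAMPLE_LOGS = [
    "2025-07-20T02:11:04Z esx01 Hostd: Event 4410 : SSH for the host esx01.corp.example has been enabled",
    "2025-07-20T02:11:30Z esx01 sshd[2201]: Accepted keyboard-interactive/pam for root from 10.0.5.23 port 51234 ssh2",
    "2025-07-20T02:12:02Z esx01 shell[2240]: [root]: passwd root",
    "2025-07-20T02:14:48Z esx01 Hostd: Event 4413 : Lockdown mode disabled for host esx01.corp.example",
    "2025-07-20T02:20:11Z esx01 shell[2240]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
    "2025-07-20T02:25:40Z esx01 shell[2240]: [root]: ls /vmfs/volumes",
    "2025-07-20T09:00:00Z esx02 Hostd: Event 9001 : User dcui@127.0.0.1 logged in as VMware-client/8.0",
]

# Each rule maps one observable step of the chain to a pattern and a weight.
# The weights are an assumption chosen for this example, not a vendor scoring.
RULES = [
    ("ssh_enabled",         re.compile(r"SSH for the host \S+ has been enabled"), 2),
    ("root_ssh_login",      re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)"), 2),
    ("root_password_reset", re.compile(r"shell\[\d+\]: \[root\]: passwd root\b"), 3),
    ("lockdown_disabled",   re.compile(r"Lockdown mode disabled for host"), 3),
    ("snapshot_removal",    re.compile(r"vim-cmd vmsvc/snapshot\.remove"), 2),
]

# ISO timestamp followed by the host name, as in the constructed lines above.
LINE_PREFIX = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) ")


def match_line(line):
    """Return a hit dict for the first rule the line satisfies, else None."""
    prefix = LINE_PREFIX.match(line)
    if not prefix:
        return None
    for name, pattern, weight in RULES:
        hit = pattern.search(line)
        if hit:
            return {
                "host": prefix["host"],
                "ts": prefix["ts"],
                "rule": name,
                "weight": weight,
                "src": hit.groupdict().get("src"),
            }
    return None


def score_hosts(lines, threshold=5):
    """Aggregate hits per host and flag hosts whose summed weight reaches the threshold.

    The first/last timestamps are reported because the whole chain is described
    as completing within hours; a compressed window is itself a signal.
    """
    per_host = defaultdict(list)
    for line in lines:
        hit = match_line(line)
        if hit:
            per_host[hit["host"]].append(hit)
    findings = {}
    for host, hits in per_host.items():
        score = sum(h["weight"] for h in hits)
        timestamps = sorted(h["ts"] for h in hits)
        findings[host] = {
            "score": score,
            "rules": [h["rule"] for h in hits],
            "sources": sorted({h["src"] for h in hits if h["src"]}),
            "first_seen": timestamps[0],
            "last_seen": timestamps[-1],
            "alert": score >= threshold,
        }
    return findings


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_LOGS).items():
        flag = "ALERT" if result["alert"] else "info"
        print(f"{flag} {host}: score={result['score']} rules={result['rules']} "
              f"window={result['first_seen']}..{result['last_seen']} sources={result['sources']}")
```

In practice these lines would arrive at a central log collector rather than be read on the host, which is the point of the article's later advice on centralized logging: once an attacker holds root on the ESXi host, the local copies of these logs are under their control.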


The Need for a Shift in Defensive Strategy

Google’s Mandiant team emphasizes the need for a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense. Scattered Spider’s attacks are characterized by speed and stealth, with the entire infection sequence from initial access to ransomware deployment occurring within a few hours.


Partnering with DragonForce

Palo Alto Networks Unit 42 reports that Scattered Spider has partnered with the DragonForce ransomware program, exfiltrating over 100 GB of data in a two-day period. This collaboration underscores the group’s sophistication and the urgent need for robust defenses.


Recommended Protective Measures

To counter such threats, organizations are advised to implement three layers of protection:

  1. Harden vSphere Environment: Enable vSphere lockdown mode, enforce execInstalledOnly, use vSphere VM encryption, decommission old VMs, and harden the help desk.
  2. Strengthen Authentication: Implement phishing-resistant multi-factor authentication (MFA), isolate critical identity infrastructure, and avoid authentication loops.
  3. Centralize Monitoring and Backup: Centralize and monitor key logs, isolate backups from production Active Directory, and ensure they are inaccessible to compromised administrators.
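The first and third layers above are settings that can be checked mechanically. The script below is an added example written for this article (not code from Mandiant, VMware, or the article's author) that audits constructed host-configuration snapshots for lockdown mode, execInstalledOnly, SSH and ESXi Shell state, a remote syslog target, VM encryption, and powered-off VMs that are candidates for decommissioning. The identifiers HostLockdownMode (lockdownDisabled/lockdownNormal/lockdownStrict), VMkernel.Boot.execInstalledOnly, Syslog.global.logHost, TSM-SSH and TSM are real vSphere names; the snapshot layout, host names and every value are made up, and the severities are an assumption.

```python
# Constructed host-configuration snapshots. The shape mimics what an
# administrator can export from the vSphere API or PowerCLI: HostLockdownMode
# values, the advanced options VMkernel.Boot.execInstalledOnly and
# Syslog.global.logHost, and the TSM-SSH / TSM (ESXi Shell) services are real
# vSphere identifiers, but every value below is made up for this example.
HOSTS = {
    "esx01.corp.example": {
        "lockdownMode": "lockdownDisabled",
        "advanced": {
            "VMkernel.Boot.execInstalledOnly": False,
            "Syslog.global.logHost": "",
        },
        "services": {
            "TSM-SSH": {"running": True, "policy": "on"},
            "TSM": {"running": True, "policy": "on"},
        },
        "vms": [
            {"name": "dc01", "encrypted": False, "poweredOn": True},
            {"name": "old-test-2019", "encrypted": False, "poweredOn": False},
        ],
    },
    "esx02.corp.example": {
        "lockdownMode": "lockdownNormal",
        "advanced": {
            "VMkernel.Boot.execInstalledOnly": True,
            "Syslog.global.logHost": "ssl://siem.corp.example:1514",
        },
        "services": {
            "TSM-SSH": {"running": False, "policy": "off"},
            "TSM": {"running": False, "policy": "off"},
        },
        "vms": [{"name": "dc02", "encrypted": True, "poweredOn": True}],
    },
}


def audit_host(cfg):
    """Return a list of (severity, check_id, message) findings for one host.

    One finding per failed check; an empty list means the host passes every
    check this example implements.
    """
    findings = []
    adv = cfg.get("advanced", {})
    svc = cfg.get("services", {})

    # Lockdown mode forces management through vCenter and stops direct host logins.
    if cfg.get("lockdownMode", "lockdownDisabled") == "lockdownDisabled":
        findings.append(("HIGH", "lockdown_mode", "lockdown mode is disabled"))

    # execInstalledOnly blocks binaries that were not installed through a VIB,
    # which is exactly what a ransomware binary pushed over SCP/SFTP would be.
    if not adv.get("VMkernel.Boot.execInstalledOnly", False):
        findings.append(("HIGH", "exec_installed_only", "VMkernel.Boot.execInstalledOnly is off"))

    # SSH and the ESXi Shell should be stopped and should not start automatically.
    for key, label in (("TSM-SSH", "SSH"), ("TSM", "ESXi Shell")):
        state = svc.get(key, {})
        if state.get("running") or state.get("policy", "off") != "off":
            findings.append(("MEDIUM", f"service_{key}", f"{label} service is running or set to start automatically"))

    # Without a remote log host, whoever holds root can erase the local evidence.
    if not adv.get("Syslog.global.logHost"):
        findings.append(("MEDIUM", "remote_syslog", "Syslog.global.logHost is not configured"))

    # VM encryption keeps a copied or re-attached disk (the disk-swap step) unreadable.
    unencrypted = [vm["name"] for vm in cfg.get("vms", []) if not vm.get("encrypted")]
    if unencrypted:
        findings.append(("MEDIUM", "vm_encryption", "unencrypted VMs: " + ", ".join(unencrypted)))

    # Powered-off VMs are decommission candidates: they are rarely patched or watched.
    stale = [vm["name"] for vm in cfg.get("vms", []) if not vm.get("poweredOn")]
    if stale:
        findings.append(("LOW", "stale_vms", "powered-off VMs to review for decommissioning: " + ", ".join(stale)))

    return findings


def audit_all(hosts):
    """Audit every host; returns {hostname: findings}."""
    return {name: audit_host(cfg) for name, cfg in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_all(HOSTS).items():
        print(f"{host}: {'PASS' if not findings else str(len(findings)) + ' finding(s)'}")
        for severity, check_id, message in findings:
            print(f"  [{severity}] {check_id}: {message}")
```

Run against the constructed data, esx01 fails all seven checks while esx02 passes. The backup-isolation advice in the third layer is deliberately not checked here: whether backup repositories are reachable with production Active Directory credentials is a property of the backup platform, not of the ESXi host configuration.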


The Impending End-of-Life for VMware vSphere 7

With VMware vSphere 7 approaching end-of-life in October 2025, Google urges organizations to re-architect their systems with security in mind. Ransomware targeting vSphere infrastructure poses a severe risk due to its potential for immediate and widespread infrastructure paralysis.

Organizations that do not proactively address these interconnected risks by implementing the recommended mitigations remain exposed to targeted attacks that can swiftly cripple their entire virtualized infrastructure, with operational disruption and financial loss as the result.


Written by: Jack Hultgren

Cyberix

https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.