Scattered Spider Hijacks VMware Systems

Posted on September 3, 2025 (updated September 26, 2025) by Finstein.ai

Fake calls reset passwords for ransomware on ESXi, hitting U.S. aviation and infra.

The cybercrime group Scattered Spider, also known as UNC3944, 0ktapus, Muddled Libra, and Octo Tempest, is conducting targeted attacks on VMware ESXi hypervisors across North America’s retail, airline, and transportation sectors.

According to Google’s Mandiant, the group’s tactics rely heavily on social engineering, particularly phone-based impersonation of IT staff, to reset credentials via helpdesks. These attacks are highly organized, campaign-driven, and aimed at core infrastructure rather than opportunistic targets.

Once initial access is gained, the group uses a “living-off-the-land” approach — abusing trusted systems like Active Directory to move laterally into VMware vSphere environments. From there, they deploy persistent encrypted reverse shells using tools like Teleport, bypassing firewall rules.

The full attack chain follows five distinct phases:

  1. Initial Access & Escalation: Attackers gather IT documentation, support guides, and organization charts, and extract credentials from password managers like HashiCorp Vault or PAM systems. Additional calls are made to reset admin passwords.
  2. Lateral Movement: Using Active Directory mappings, they access vCenter Server Appliance (vCSA) and deploy persistent shell access.
  3. Data Extraction: They enable SSH on ESXi hosts, reset root passwords, and perform a “disk-swap” attack — detaching domain controller VM disks, mounting them to attacker-controlled VMs, copying the NTDS.dit AD database, then restoring the original setup.
  4. Disabling Recovery: Backup jobs, snapshots, and repositories are deleted to block recovery.
  5. Ransomware Deployment: Custom ransomware binaries are pushed via SCP/SFTP over SSH.
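The Data Extraction and Disabling Recovery phases above leave traces in vCenter and ESXi events: the SSH service being started on a host, a root account change, a virtual disk detached from one VM and attached to a different one minutes later, and snapshot removal. As an added example (not code from the original post or from Mandiant's report), the Python below correlates a constructed sample of such events into those phases. The event line layout, the key=value field names and the DOMAIN_CONTROLLERS inventory are assumptions made for this example, not a real vSphere export format.

```python
"""Correlate vCenter/ESXi-style events into the attack phases described above.

Added example: the event lines and field names below are constructed for this
post and are not taken from Mandiant's report or any real incident. The
"timestamp|source|event|details" layout is an assumption, loosely modelled on
vSphere event names, and is not a real export format.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    source: str            # ESXi host or vCenter appliance that logged the event
    kind: str              # event name
    attrs: Dict[str, str]  # parsed key=value details


# Constructed sample log. Event names mimic vSphere ones (HostServiceStartedEvent,
# VmReconfiguredEvent, ...); the key=value details are this example's own convention.
SAMPLE_EVENTS = """\
2025-09-01T02:10:04Z|vcsa01|UserLoginSessionEvent|user=helpdesk-admin@corp.local src=10.20.30.40
2025-09-01T02:12:51Z|esx03|HostServiceStartedEvent|service=TSM-SSH
2025-09-01T02:13:20Z|esx03|AccountUpdatedEvent|account=root
2025-09-01T02:15:02Z|vcsa01|VmReconfiguredEvent|vm=DC01 op=detach disk=[datastore1] DC01/DC01_1.vmdk
2025-09-01T02:15:40Z|vcsa01|VmReconfiguredEvent|vm=tmp-util op=attach disk=[datastore1] DC01/DC01_1.vmdk
2025-09-01T02:41:07Z|vcsa01|VmReconfiguredEvent|vm=tmp-util op=detach disk=[datastore1] DC01/DC01_1.vmdk
2025-09-01T02:41:30Z|vcsa01|VmReconfiguredEvent|vm=DC01 op=attach disk=[datastore1] DC01/DC01_1.vmdk
2025-09-01T03:02:11Z|vcsa01|TaskEvent|task=RemoveAllSnapshots vm=FS01
2025-09-01T03:05:45Z|esx03|HostServiceStartedEvent|service=ntpd
"""

# VMs whose disks should never be attached elsewhere (this inventory is an assumption).
DOMAIN_CONTROLLERS: Set[str] = {"DC01", "DC02"}
SNAPSHOT_TASKS = {"RemoveAllSnapshots", "RemoveSnapshot"}


def parse_event(line: str) -> Event:
    ts, source, kind, details = line.split("|", 3)
    # Split on whitespace only where the next token is a new key=..., so values
    # such as "[datastore1] DC01/DC01_1.vmdk" keep their internal space.
    attrs = dict(tok.split("=", 1) for tok in re.split(r"\s+(?=\w+=)", details.strip()))
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, kind, attrs)


def detect_disk_moves(events: List[Event], window: timedelta = timedelta(hours=2)) -> List[dict]:
    """Flag a virtual disk detached from one VM and attached to a different VM
    within `window` (the disk-swap pattern from the Data Extraction phase)."""
    pending: Dict[str, tuple] = {}  # disk path -> (vm it was detached from, when)
    moves = []
    for ev in events:
        if ev.kind != "VmReconfiguredEvent" or "disk" not in ev.attrs:
            continue
        disk, vm, op = ev.attrs["disk"], ev.attrs["vm"], ev.attrs.get("op")
        if op == "detach":
            pending[disk] = (vm, ev.ts)
        elif op == "attach" and disk in pending:
            src_vm, t0 = pending.pop(disk)
            if src_vm != vm and ev.ts - t0 <= window:
                moves.append({"disk": disk, "from_vm": src_vm, "to_vm": vm,
                              "minutes": round((ev.ts - t0).total_seconds() / 60, 1)})
    return moves


def analyze(text: str) -> dict:
    """Run every rule over the event text and return the findings by indicator."""
    events = sorted((parse_event(l) for l in text.splitlines() if l.strip()), key=lambda e: e.ts)
    moves = detect_disk_moves(events)
    return {
        "ssh_enabled_hosts": [e.source for e in events
                              if e.kind == "HostServiceStartedEvent" and e.attrs.get("service") == "TSM-SSH"],
        "root_account_changes": [e.source for e in events
                                 if e.kind == "AccountUpdatedEvent" and e.attrs.get("account") == "root"],
        "disk_moves": moves,
        "dc_disk_moves": [m for m in moves if m["from_vm"] in DOMAIN_CONTROLLERS],
        "snapshot_removals": [e.attrs.get("vm") for e in events
                              if e.kind == "TaskEvent" and e.attrs.get("task") in SNAPSHOT_TASKS],
    }


def phases_observed(findings: dict) -> Set[str]:
    """Map the findings onto the phases named in the post."""
    phases = set()
    if findings["ssh_enabled_hosts"] or findings["root_account_changes"] or findings["disk_moves"]:
        phases.add("Data Extraction")
    if findings["snapshot_removals"]:
        phases.add("Disabling Recovery")
    return phases


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("phases:", sorted(phases_observed(result)))
```

The disk-move rule is the one worth keeping even if the rest is adapted to a real SIEM schema: a disk belonging to a domain controller that is detached, attached to another VM and then returned is exactly the round trip the report describes, and it shows up as two cross-VM moves on the same vmdk path inside a short window. Each indicator alone has benign explanations (an admin enabling SSH for maintenance, a scheduled snapshot cleanup); the value comes from seeing them land on the same hosts within a few hours.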

Google emphasizes the speed and stealth of these operations — complete compromise and ransomware deployment can occur in just a few hours.

Palo Alto Networks’ Unit 42 also observed that Scattered Spider has collaborated with Dragon Force (Slippery Scorpius) ransomware operators, including one case where over 100 GB of data was exfiltrated within two days.

As VMware vSphere 7 approaches its end-of-life in October 2025, attackers are exploiting the transition period to inflict maximum disruption across virtualized environments, with attacks capable of paralyzing entire infrastructures.

Security isn’t optional. Upgrade today. Defend tomorrow.

praveen@finstein.ai | https://cyber.finstein.ai/

Source : Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure

#ScatteredSpider #UNC3944 #MuddledLibra #OctoTempest #AdvancedThreats #APTGroup #RansomwareAttack #LivingOffTheLand #CyberEspionage #CredentialTheft
