The financially motivated hacking group Scattered Spider has been observed targeting VMware vSphere environments, taking full control of hypervisors, Google’s Threat Intelligence Group (GTIG) warns.
Active since early 2022 and also known as Muddled Libra, Scatter Swine, Starfraud, and UNC3944, the hacking group has been blamed for multiple high-profile attacks, including MGM Resorts’ infection with BlackCat (Alphv) ransomware and the 0ktapus campaign that hit over 130 organizations.
Scattered Spider was responsible for the attacks against UK retailers Marks & Spencer (M&S), Co-op, and Harrods, in which the DragonForce ransomware was used. The group subsequently shifted its focus to US retailers and then to the US insurance industry.
Although several members of the group have been charged and arrested, including a suspected leader, Scattered Spider has remained highly active, changing tactics to evade detection and remain successful.
A fresh report from GTIG focuses on the group’s vSphere-centric attacks, showing how the hackers are pivoting from Active Directory to vSphere to steal data and deploy ransomware directly from the hypervisor, bypassing security tools that have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance (VCSA).
According to Google, the threat actors move from a low-level foothold to complete hypervisor control methodically, across five phases: initial access, reconnaissance, and privilege escalation; vCenter control plane compromise; hypervisor heist; backup sabotage; and ransomware execution.
Impersonating an organization’s employee, Scattered Spider members call the IT help desk and rely on social engineering to reset the employee’s Active Directory password. Using this access, they harvest information to identify administrators and weak access controls, and then call the help desk again to reset the password for the admin account.
Armed with harvested Active Directory credentials that also grant access to vSphere, the attackers gain virtual physical access to the VCSA, change the root password, enable SSH access, and deploy the open source remote access tool Teleport to create a persistent, encrypted reverse shell.
With SSH enabled on the ESXi hosts and their root passwords reset, the attackers then target a Domain Controller VM, power it off and detach its virtual disk, which they attach to a VM they control to extract the Active Directory database, and then reattach.
Next, the attackers use their Active Directory access to delete backup jobs, snapshots, and repositories, to prevent recovery, and then use SSH access to the ESXi hosts to deploy ransomware. Before executing the malware to encrypt VM files, they power off every VM on the host.
To mitigate these attacks, organizations are advised to manage hosts through vCenter roles and permissions, enable vSphere lockdown mode, enforce execInstalledOnly to prevent ransomware execution, encrypt Tier 0 virtualized assets, practice strict infrastructure hygiene, implement continuous vSphere posture management (CPM), and implement an in-person, multi-factor verification process for MFA enrollment or password resets.
Enforcing phishing-resistant MFA, isolating critical identity infrastructure, avoiding authentication loops, adding an alternate identity provider (IdP) alongside AD, hardening controls, monitoring logs, prioritizing alerts, and isolating backups from production AD will also help prevent compromise.
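As an added example (not code from the GTIG report or from SecurityWeek), the following PowerCLI script audits the ESXi-side controls recommended above across every host managed by a vCenter: lockdown mode, the SSH service state, and the execInstalledOnly setting. It assumes VMware PowerCLI is installed, that the vCenter name is a placeholder to be replaced, and that the advanced setting `VMkernel.Boot.execInstalledOnly` is the one backing execInstalledOnly on the hosts being checked.

```powershell
# Added example, not from the GTIG report: audit the ESXi hardening controls
# the report recommends (lockdown mode, SSH disabled, execInstalledOnly)
# across all hosts managed by one vCenter. Assumes VMware PowerCLI is
# installed; $VCenter is a placeholder to replace with a real vCenter name.
param(
    [string]$VCenter = 'vcenter.example.internal'   # placeholder
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

function Get-EsxiHardeningPosture {
    foreach ($esx in Get-VMHost | Sort-Object Name) {
        # HostLockdownMode values: lockdownDisabled / lockdownNormal / lockdownStrict
        $lockdown = [string]$esx.ExtensionData.Config.LockdownMode

        # TSM-SSH is the ESXi SSH service; policy 'off' means it does not start on boot
        $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }

        # execInstalledOnly blocks execution of binaries not installed from a VIB
        $execOnly = (Get-AdvancedSetting -Entity $esx -Name 'VMkernel.Boot.execInstalledOnly' `
                     -ErrorAction SilentlyContinue).Value

        # Collect deviations from the recommended state for this host
        $findings = @()
        if ($lockdown -eq 'lockdownDisabled') { $findings += 'lockdown mode disabled' }
        if ($ssh.Running)                      { $findings += 'SSH service running' }
        if ($ssh.Policy -ne 'off')             { $findings += "SSH startup policy is '$($ssh.Policy)'" }
        if ("$execOnly" -ne 'True')            { $findings += 'execInstalledOnly not enforced' }

        [pscustomobject]@{
            Host              = $esx.Name
            LockdownMode      = $lockdown
            SshRunning        = [bool]$ssh.Running
            SshPolicy         = $ssh.Policy
            ExecInstalledOnly = $execOnly
            Compliant         = ($findings.Count -eq 0)
            Findings          = ($findings -join '; ')
        }
    }
}

Get-EsxiHardeningPosture | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Any host with an SSH service running or a startup policy other than `off` outside a change window deserves a closer look, since SSH enablement on ESXi is one of the steps in the attack chain described above.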
“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense. […] While traditional actors may have a dwell time of days or even weeks for reconnaissance, UNC3944 operates with extreme velocity; the entire attack chain from initial access to data exfiltration and final ransomware deployment can occur in mere hours,” Google notes.