U.S. companies across various industries are having their VMware ESXi environments subjected to increasingly aggressive attacks by the Scattered Spider ransomware operation, also known as Octo Tempest, 0ktapus, and UNC3944, reports BleepingComputer.
Intrusions begin with a call to the IT help desk in which the attacker impersonates an employee and persuades the agent to reset that worker's Active Directory password, securing initial access. Scattered Spider then uses that access to scan network devices and the privileged access management solution in parallel before reaching the VMware vCenter Server Appliance, according to an analysis from the Google Threat Intelligence Group. From vCenter the attackers enable SSH on the ESXi hosts and carry out disk-swap intrusions before launching ransomware binaries, with the entire process completed in a matter of hours. Such a threat should prompt organizations not only to lock down vSphere with execInstalledOnly, encryption, and disabled SSH, but also to implement phishing-resistant multi-factor authentication and centralized SIEM logging.
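As an added example (not part of the BleepingComputer report or Google's analysis), the PowerCLI script below audits every ESXi host behind a vCenter for the three hardening settings named above: execInstalledOnly, host encryption state, and the SSH service. It assumes VMware PowerCLI is installed and that the `$VcenterFqdn` parameter points at your vCenter; the `Runtime.CryptoState` property is read from the vSphere API and reports `safe` once a host holds an encryption key.

```powershell
# Added example: audit ESXi hosts for execInstalledOnly, encryption state and SSH.
# Assumes VMware PowerCLI is installed; $VcenterFqdn is a hypothetical parameter name.
param(
    [Parameter(Mandatory = $true)] [string] $VcenterFqdn
)

Import-Module VMware.PowerCLI -ErrorAction Stop
# Prompt for credentials interactively rather than embedding them in the script.
Connect-VIServer -Server $VcenterFqdn -ErrorAction Stop | Out-Null

$findings = foreach ($esx in Get-VMHost) {
    # execInstalledOnly: only binaries shipped in installed VIBs may execute on the host.
    $execOnly = (Get-AdvancedSetting -Entity $esx -Name 'VMkernel.Boot.execInstalledOnly' `
                    -ErrorAction SilentlyContinue).Value

    # SSH service (key TSM-SSH): should be stopped and its startup policy set to 'off'.
    $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }

    # Host crypto state from the vSphere API: 'safe' means the host can run encrypted VMs.
    $cryptoState = $esx.ExtensionData.Runtime.CryptoState

    [pscustomobject]@{
        Host              = $esx.Name
        ExecInstalledOnly = $execOnly
        SshRunning        = $ssh.Running
        SshPolicy         = $ssh.Policy
        CryptoState       = $cryptoState
        # Flag any host that deviates from the recommended posture.
        NeedsAttention    = ($execOnly -ne $true) -or $ssh.Running -or
                            ($ssh.Policy -ne 'off') -or ($cryptoState -ne 'safe')
    }
}

# Hosts needing attention sort to the top of the report.
$findings | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
Disconnect-VIServer -Server $VcenterFqdn -Confirm:$false
```

Run it on a schedule and forward the output to the SIEM so that a host whose SSH service unexpectedly turns on, or whose execInstalledOnly setting is cleared, surfaces as an alert rather than going unnoticed.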