Ransomware, Critical Infrastructure Security, Threat Intelligence

Scattered Spider targets ESXi servers in retail, transportation sectors


Leveraging calls to IT help desks to gain entry into enterprise networks, the Scattered Spider ransomware group has “leveled-up” to the point where they are now hacking into VMware ESXi servers in targeted attacks on the retail, airline, and transportation industries.

In a July 23 blog post, the Google Threat Intelligence Group (GTIG) said the threat group does not rely on zero-day software exploits. Instead, Scattered Spider uses a proven playbook centered on phone calls to an IT help desk.

“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs,” said GTIG. “Their attacks are not opportunistic, but are precise, campaign-driven operations aimed at an organization’s most critical systems and data.”

Rom Carmel, co-founder and CEO at Apono, said that Scattered Spider isn’t just back: they’ve leveled up.

“This crew has now directly targeted VMware ESXi hypervisors, bypassing endpoint defenses and striking at the infrastructure layer,” said Carmel. “Their latest campaigns against North American retail, airline, and transportation sectors show a shift from account compromise to hypervisor control, using stolen credentials and relentless social engineering.”

Carmel added that because they’re not relying on zero-days, these attacks are even more dangerous in the following ways:

  • There’s no malware required for initial access.
  • The attackers leverage living-off-the-land persistence that blends into legitimate admin activity.
  • They execute backup destruction and root access to hypervisors, ensuring no easy recovery.

“This isn’t smash-and-grab,” said Carmel. “It’s campaign-style cyber sabotage, with ransomware as just the final blow.”

Nivedita Murthy, senior staff consultant at Black Duck, pointed out that there’s been a substantial increase in spear phishing attacks directed towards the help desk teams of organizations.

“Help desk teams in organizations hold the keys to the first few doors of the kingdom based on how it is set up,” said Murthy. “If they don’t run tight controls, malicious attackers can use social engineering tactics to obtain credentials and mount the first stage of attack.”

Murthy added that organizations should train their help desk teams to be on the lookout for signs of a malicious user trying to take advantage of the process and gain access to resources they shouldn’t have. They should also work on configuring SIEMs to read through logs for any unexpected behavior, since EDRs cannot cover all types of devices on the network.
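One way to turn the SIEM suggestion above into a concrete correlation rule, as an added example that is not part of the article or of any vendor's product: it flags a help-desk credential or MFA reset that is followed within a day by a login to a hypervisor host or a backup deletion under the same account, the sequence the article describes. The event fields, asset names and sample events are constructed assumptions, not a real log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): a help-desk reset of an
# admin account, then hypervisor access and backup deletion under that account,
# plus an unrelated reset whose later hypervisor login falls outside the window.
SAMPLE_EVENTS = [
    {"ts": "2025-07-20T09:02:00", "type": "helpdesk_reset", "user": "vadmin", "src": "ticket-4411"},
    {"ts": "2025-07-20T09:40:00", "type": "login", "user": "vadmin", "src": "10.9.8.7", "asset": "esxi-01"},
    {"ts": "2025-07-20T10:05:00", "type": "backup_delete", "user": "vadmin", "src": "10.9.8.7", "asset": "veeam-01"},
    {"ts": "2025-07-18T11:00:00", "type": "helpdesk_reset", "user": "jdoe", "src": "ticket-4390"},
    {"ts": "2025-07-21T08:00:00", "type": "login", "user": "jdoe", "src": "10.1.1.5", "asset": "esxi-02"},
]

# Assumed inventory of hypervisor management assets (placeholder names).
HYPERVISOR_ASSETS = {"esxi-01", "esxi-02", "vcenter-01"}


def correlate(events, window_hours=24):
    """Return alerts for help-desk resets that are followed, within the window,
    by a hypervisor login or a backup deletion under the same account."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    window = timedelta(hours=window_hours)
    resets = {}  # user -> timestamp of the most recent help-desk reset
    alerts = []
    for e in parsed:
        if e["type"] == "helpdesk_reset":
            resets[e["user"]] = e["ts"]
            continue
        reset_ts = resets.get(e["user"])
        # Only events that follow a reset within the window are suspicious here.
        if reset_ts is None or e["ts"] - reset_ts > window:
            continue
        if e["type"] == "login" and e.get("asset") in HYPERVISOR_ASSETS:
            alerts.append(("hypervisor_login_after_reset", e["user"], e["asset"]))
        elif e["type"] == "backup_delete":
            alerts.append(("backup_deleted_after_reset", e["user"], e["asset"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The jdoe login is three days after the reset and so is not flagged; tune the window and asset list to the environment's own help-desk SLAs and inventory.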
