Scattered Spider targets VMware ESXi in North America using social engineering, mainly fake IT help desk calls instead of software exploits.
The cybercrime group Scattered Spider (aka 0ktapus, Muddled Libra, Octo Tempest, and UNC3944) is targeting VMware ESXi hypervisors in retail, airline, and transportation sectors across North America. According to Google’s Mandiant team, the group uses social engineering, mainly deceptive phone calls to IT help desks, rather than software exploits.
Scattered Spider uses a “living-off-the-land” approach: after gaining access via social engineering, the group abuses Active Directory to reach VMware vSphere, exfiltrates data, and deploys ransomware from the hypervisor, bypassing EDR tools and leaving few signs of compromise.
The living-off-the-land (LotL) tactic is highly effective because the Virtual Center appliance and ESXi hypervisor can’t run traditional EDR agents, creating a major visibility gap at the virtualization layer.
The attack chain used by the cybercrime gang is composed of five distinct phases:
Phase 1: UNC3944 begins its attack by exploiting human vulnerabilities, not software flaws. Using stolen personal data, the attackers impersonate employees in calls to the IT help desk and request password resets, first for ordinary user accounts and later for privileged administrator accounts. This social engineering tactic lets them bypass traditional technical attacks and gain internal access.
Once inside, the group conducts dual reconnaissance:
- Path A: Scans internal docs (e.g., SharePoint, wikis) to identify admins and high-privilege AD groups like “vSphere Admins.”
- Path B: Seeks access to secrets stored in password managers or PAM tools.
After identifying privileged users, they call again, impersonating them to gain full admin access. This leads to AD privilege escalation and sets the stage for attacks on VMware infrastructure. Detection relies on monitoring password resets, group membership changes, and unusual file access. Key mitigations include prohibiting phone-based resets for privileged accounts and hardening sensitive systems and documentation.
Phase 2: After gaining privileged AD credentials, the attackers log into the vCenter GUI and reboot the VCSA to edit its GRUB boot configuration, which grants them a root shell. They reset the root password, enable SSH, and deploy Teleport, a legitimate remote access tool, as a persistent encrypted C2 channel. This gives them stealthy control over the hypervisor. The method is effective because of the lack of MFA and vCenter’s inherent trust in AD.
Phase 3: Attackers exploit vSphere access to steal AD credentials offline. They enable SSH on ESXi hosts, power off the Domain Controller VM, detach its disk, mount it on an orphaned VM, and extract the NTDS.dit file. The data is then exfiltrated via the Teleport C2 channel. This stealthy method avoids EDR detection and bypasses network segmentation. Key defenses include VM encryption, removing unused VMs, hardening ESXi access, and enabling remote audit logging.
Phase 4: Attackers sabotage backups before deploying ransomware, abusing Domain Admin access, or adding users to the “Veeam Administrators” group in AD, to delete backup jobs and snapshots.
Phase 5: In the final phase, the attacker uses SSH on the ESXi hosts to upload ransomware, forcibly powers off all VMs, and encrypts the VM files. Because the encryption happens at the hypervisor layer, in-guest security controls never see it.
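The article's detection advice (monitoring password resets and group membership changes in Phase 1, enabling remote ESXi audit logging in Phase 3, watching the “Veeam Administrators” group in Phase 4) only pays off if the individual signals are tied together, because the whole chain can run in hours. The following Python script is an added example written for this page, not code from the GTIG report or from Security Affairs. It ingests constructed sample events (Windows Security event IDs 4724 and 4728 for password resets and group additions, plus ESXi-style syslog lines), maps each to one of the five phases described above, and raises an alert when three or more distinct phases appear within a six-hour window. The log line format, the `DC_NAMES` inventory, the group names, and the window length are assumptions that would be adapted to a real environment.

```python
"""Correlate AD and ESXi telemetry into the five-phase chain described above.

Added example; the event format and asset names below are constructed.
"""
import re
from datetime import datetime, timedelta

# Assumption: groups that grant hypervisor or backup control in this environment.
SENSITIVE_GROUPS = {"vsphere admins", "veeam administrators", "domain admins"}
# Assumption: constructed asset inventory of domain controller VM names.
DC_NAMES = {"DC01", "DC02"}

# Constructed sample telemetry (not real logs): "<ISO time> | <source> | <message>".
SAMPLE_EVENTS = """\
2025-07-28T09:02:11 | winsec | EventID=4724 Target=jdoe Subject=helpdesk01
2025-07-28T09:40:55 | winsec | EventID=4724 Target=vsphere-admin Subject=helpdesk01
2025-07-28T10:05:03 | winsec | EventID=4728 Group="vSphere Admins" Member=jdoe Subject=vsphere-admin
2025-07-28T10:31:47 | esxi | hostd: Service ssh started by user vsphere-admin
2025-07-28T10:35:12 | esxi | vmsvc: VM DC01 powered off by user vsphere-admin
2025-07-28T10:36:40 | esxi | vmsvc: Reconfigure VM orphan-vm add disk DC01_1.vmdk
2025-07-28T11:02:09 | winsec | EventID=4728 Group="Veeam Administrators" Member=jdoe Subject=vsphere-admin
2025-07-28T11:20:30 | esxi | vmsvc: VM app01 powered off by user vsphere-admin
"""


def parse_event(line):
    """Split one constructed log line into timestamp, source and message."""
    time_s, source, msg = (part.strip() for part in line.split("|", 2))
    return {"time": datetime.fromisoformat(time_s), "source": source, "msg": msg}


def classify(event):
    """Map an event to (phase, description) or None if it is not a chain signal."""
    msg = event["msg"]
    if re.search(r"EventID=4724\b", msg):  # password reset attempt
        return (1, "password reset on account")
    m = re.search(r'EventID=(?:4728|4732)\b.*Group="([^"]+)"', msg)
    if m:  # member added to a security group
        group = m.group(1)
        if group.lower() == "veeam administrators":
            return (4, f"member added to {group} (backup sabotage staging)")
        if group.lower() in SENSITIVE_GROUPS:
            return (1, f"member added to {group}")
        return None  # ordinary group change, not a chain signal
    if "Service ssh started" in msg:
        return (2, "SSH service enabled on ESXi/VCSA host")
    m = re.search(r"VM (\S+) powered off", msg)
    if m:
        vm = m.group(1)
        if vm.upper() in DC_NAMES:
            return (3, f"domain controller {vm} powered off")
        return (5, f"VM {vm} powered off")
    m = re.search(r"Reconfigure VM (\S+) add disk (\S+)", msg)
    if m:  # a disk from another VM attached, e.g. DC disk onto an orphan VM
        return (3, f"disk {m.group(2)} attached to {m.group(1)}")
    return None


def correlate(lines, window=timedelta(hours=6), min_phases=3):
    """Return an alert for the earliest window holding >= min_phases distinct phases."""
    hits = []
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        tagged = classify(ev)
        if tagged:
            hits.append((ev["time"], tagged[0], tagged[1], ev["source"]))
    hits.sort()
    for i, (t0, _phase, _desc, _src) in enumerate(hits):
        in_win = [h for h in hits[i:] if h[0] - t0 <= window]
        phases = {h[1] for h in in_win}
        if len(phases) >= min_phases:
            last = in_win[-1][0]
            return [{
                "first": t0,
                "last": last,
                "span_minutes": int((last - t0).total_seconds() // 60),
                "phases": sorted(phases),
                "steps": [f"{h[0]:%H:%M} P{h[1]} [{h[3]}] {h[2]}" for h in in_win],
            }]
    return []


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT: phases {alert['phases']} within {alert['span_minutes']} min")
        for step in alert["steps"]:
            print("  ", step)
```

Run against the constructed sample, the script reports all five phases inside a 138-minute span. A single 4724 event or a lone SSH enablement never fires on its own; the alert depends on the escalation across AD and hypervisor sources, which is why the ESXi syslog feed the article recommends has to reach the same place as the Windows Security log.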
“UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense. This threat differs from traditional Windows ransomware in two ways: speed and stealth. While traditional actors may have a dwell time of days or even weeks for reconnaissance, UNC3944 operates with extreme velocity; the entire attack chain from initial access to data exfiltration and final ransomware deployment can occur in mere hours,” concludes the report published by Google Threat Intelligence Group (GTIG). “This combination of speed and minimal forensic evidence makes it essential to not just identify but to immediately intercept suspicious behavioral patterns before they can escalate into a full-blown compromise.”
Pierluigi Paganini
(SecurityAffairs – hacking, cybercrime)