![\"\"](\".\/media_1d6c08fed2f9dd7cb52e836ffbd4875868636370c.jpg?width=750&format=jpg&optimize=medium\")
<\/p>\nAttacks have affected US government, retail and aviation<\/p>\n
<\/p>\n
Scattered Spider, the hacking collective behind attacks on Marks & Spencer<\/a>, Hawaiian Airlines and WestJet<\/a>, is \u201caggressively\u201d targeting VMware virtualised environments.<\/p>\n Google\u2019s Threat Intelligence Group (GTIG) says<\/a> UNC3944, a group that overlaps with Scattered Spider, is attacking VMware ESXi hypervisors at companies in the retail, airline, transportation and insurance sectors.<\/p>\n Although GTIG specifically discusses attacks in the USA cyber campaigns tend to spread quickly, so EU and UK customers should also be vigilant.<\/p>\n Scattered Spider\u2019s modus operandi is to start attacks with social engineering, and that is also the case in this new campaign.<\/p>\n “The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programmes,\u201d said GTIG. \u201cTheir attacks are not opportunistic but are precise, campaign-driven operations aimed at an organisation’s most critical systems and data.\u201d<\/p>\n The attack begins with a call to a company\u2019s IT service desk, where the attacker poses as a specific employee. Their aim is to convince the agent to change that employee\u2019s Active Directory password to obtain initial access.<\/p>\n From there they scan IT documentation for the names of high-value targets like vSphere administrators, working their way inward in an attempt to obtain access to the company’s VMware vCenter Server Appliance (vCSA).<\/p>\n The vCSA is a virtual machine that can be used to manage VMware vSphere environments, including the ESXi hypervisor.<\/p>\n If they aren\u2019t stopped, the attackers can gain nearly full control of a company\u2019s virtual machines \u2013 including wiping backup jobs and repositories \u2013 and deliver ransomware to encrypt all VM files they find.<\/p>\n Image<\/p>\n Description<\/p>\n The typical Scattered Spider attack chain. Source: Google<\/p>\n Without exploiting software vulnerabilities, Scattered Spider attackers can obtain \u201can unprecedented level of control over an entire virtualised environment, allowing them to bypass many traditional in-guest security controls,\u201d a Google spokesperson told BleepingComputer<\/a>.<\/p>\n Google also called out the group\u2019s \u201cextreme velocity\u201d: the whole attack chain can take place over just a few hours.<\/p>\n “UNC3944’s playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defence.<\/p>\n \u201cThis threat differs from traditional Windows ransomware in two ways: speed and stealth.”<\/p>\n More and more ransomware groups have begun targeting ESXi hypervisors, Google notes. This may be because organisations rarely have a complete understanding of their VMware infrastructure, making it a weak point.<\/p>\n![\"\"](\".\/media_15e6ad03a99b4b78d821d02e410aaab7008292054.png?width=750&format=png&optimize=medium\")
<\/p>\n