Google Threat Intelligence Group (GTIG) warns about highly sophisticated and aggressive cyber attacks by the Scattered Spider threat actors on critical infrastructure.
According to GTIG, the threat group leverages social engineering tactics to breach domain user accounts and gain administrative privileges before pivoting to virtualized environments, such as VMware.
Google assessed that pivoting to the hypervisor to exfiltrate organizations’ most critical data was highly efficient, as it easily allowed the threat actor to cover their tracks.
“This method is highly effective as it generates few traditional indicators of compromise (IoCs) and bypasses security tools like endpoint detection and response (EDR), which often have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance (VCSA),” Google wrote.
Google warned that Scattered Spider cybercriminals move methodically in a five-stage process, from obtaining a low-level persistence by exploiting the human element to completely controlling the hypervisor, exfiltrating data, and deploying ransomware.
How Scattered Spider’s cyber attacks on critical infrastructure unfold
Google stated that the cyber attacks begin with social engineering, which involves calling an IT help desk while impersonating an employee and requesting a password reset for their Active Directory account.
During the call, they employ various strategies, including leveraging information about past data breaches and using persuasion and intimidation tactics to build rapport with the help desk staff.
“Scattered Spider has shown that the weakest link in a modern hybrid cloud is still the human who answers the help desk phone,” stated Jason Soroko, Senior Fellow at Sectigo. “By taking advantage of corporate familiarity rituals such as identity verification questions and extension dialing trees, the group sidesteps agent-based defense layered within virtual machines and walks straight into the hypervisor.”
Upon gaining access, they access SharePoint sites, network drives, and IT documentation to identify high-value targets, including Domain or vSphere administrators. They also scan for explicitly named Active Directory security groups to gain administrative rights over the virtual environment.
Concurrently, they also scan for password managers such as HashiCorp Vault or other Privileged Access Management (PAM) solutions and attempt to enumerate them for credentials.
After accessing this information, they impersonate a high-value administrator and make additional calls for a password reset, allowing them to take over the privileged account completely.
Google noted that employing social engineering tactics allows Scattered Spider threat actors to compromise critical infrastructure without the need for technical hacking like kerberoasting.
“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs,” noted GTIG.
“Scattered Spider is proving that breaches don’t always start with technical exploits,” added James McQuiggan, Security Awareness Advocate at KnowBe4. “They start with a phone call. As they continue to use social engineering to impersonate employees, trick help desks, and gain access to user accounts, they are leveraging the human trust and lack of awareness of users who fall victim to this attack style to gain access and launch their ransomware attacks.”
After mapping the Active Directory to vSphere credentials, the threat actors pivot to the virtual environment by using the compromised credentials to log into the vSphere vCenter Server.
Leveraging their vCenter Admin rights, they reboot the appliance and edit the GRUB bootloader to gain passwordless access.
They subsequently edit the root password to enable SSH connection. This usually occurs after performing a disk swap and editing the NTDS.dit file during the power-off state before reconnecting the disk.
“An unsettling aspect of their playbook is its deliberate erasure of forensic breadcrumbs,” added Soroko. “Disk swap extraction of the Active Directory database happens while the domain controller is powered off, which starves logging agents of visibility.”
They also install Teleport, a remote access tool, to create an encrypted reverse shell to maintain persistence and bypass firewalls.
Having defeated all endpoint and virtual environment defenses, the Scattered Spider threat actors deploy ransomware and exfiltrate the most important data from critical infrastructure and other organizations.
Before exfiltration and encryption, Scatterered Spider wipes data backups, repositories, snapshots, and jobs to ensure that critical infrastructure and other organizations cannot recover without paying a ransom.
Critical infrastructure to secure VMware environment
Subsequently, Google advised critical infrastructure and other organizations to employ various security best practices to thwart Scattered Spider cyber attacks.
They include enabling vSphere lockdown mode, managing hosts via the vCenter roles and permissions, enforcing execInstalledOnly permissions to prevent ransomware deployment, encrypting Tier 0 virtualized assets, implementing continuous vSphere posture Management (CPM), and practising strict infrastructure hygiene.
“Scattered Spider’s targeting of VMware ESXi environments marks a concerning escalation in their tactics, especially given the central role ESXi hypervisors play in enterprise infrastructure,” warned Ensar Seker, CISO at SOCRadar. “What makes this campaign particularly dangerous is not zero-day exploits or novel malware, but the sheer precision of their social engineering.”

