Scattered Spider Hits VMware ESXi with Precision Tactics

Scattered Spider is ramping up its attacks on virtual environments, focusing on VMware ESXi hypervisors. Their targets include major U.S. industries—retail, airlines, transportation, and insurance.

Instead of using exploits, this group depends on highly convincing social engineering to bypass even mature cyber defenses. Google Threat Intelligence Group (GTIG) warns that attackers mimic employees when calling help desks, manipulating staff into resetting passwords.

Once inside, they search internal systems for admin credentials and privileged access management (PAM) tools. Their goal? Gaining deep control of the network’s virtual infrastructure.

Full Control of Virtual Machines in Hours

After gaining initial access, Scattered Spider identifies key admin accounts. They impersonate these privileged users and make more calls to reset passwords. This method grants them elevated permissions and full access to VMware vCenter.

Using this access, they activate SSH on ESXi hosts and reset root credentials. The attackers then perform a disk-swap attack to steal sensitive Active Directory data, including the NTDS.dit file.

In this attack, the Domain Controller’s virtual disk is detached and mounted to an attacker-controlled machine. After the data is copied, the original system is restored—often unnoticed.

Once in control, they wipe backups and snapshots. Ransomware is then deployed via SSH to encrypt all virtual machines found in the environment.

Growing Risk for VMware Users

According to GTIG, the entire attack process—from password reset to ransomware—can take just a few hours. Scattered Spider avoids software vulnerabilities entirely and still gains complete administrative control.

These tactics were used in high-profile breaches like the MGM Resorts hack in 2023. Analysts warn that other ransomware groups may soon adopt similar methods.

The reason? Many companies poorly understand VMware’s complexity, leaving it under-defended.

Google recommends immediate action:

  • Harden vSphere with encryption, strict access controls, and SSH deactivation.
  • Apply phishing-resistant MFA and isolate Tier 0 systems from production.
  • Monitor for changes in admin groups, SSH usage, and vCenter activity via SIEM tools.
  • Maintain air-gapped backups and regularly test recovery procedures.
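The third recommendation above (watch admin-group changes, SSH usage and vCenter activity in a SIEM) is most useful when the individual events are correlated into the sequence the article describes: a help-desk password reset on a privileged account, followed within hours by SSH being enabled on an ESXi host, a root credential change and snapshot deletion by that same account. The following Python is an added illustration of that correlation and is not code from Google, GTIG or VMware. The log line format, the event names (priv_password_reset, ssh_enabled, root_password_changed, snapshot_deleted) and the sample lines are all constructed for this example; mapping real vCenter or ESXi audit events onto those names is left to the reader's SIEM.

```python
"""Correlate constructed vSphere-style audit events into the staged chain
the article describes.  Event names and the pipe-delimited line format are
assumptions made for this example, not real vCenter/ESXi event identifiers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Stages in the order the article reports them (assumed event names).
STAGES = ("priv_password_reset", "ssh_enabled",
          "root_password_changed", "snapshot_deleted")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # one of the assumed event names, or anything else (ignored)
    actor: str    # account that performed the action
    target: str   # account, host or VM acted upon


def parse_log(text: str) -> List[Event]:
    """Parse constructed lines of the form 'ISO-timestamp|kind|actor|target'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, actor, target = (f.strip() for f in line.split("|", 3))
        events.append(Event(datetime.fromisoformat(ts), kind, actor, target))
    return sorted(events, key=lambda e: e.ts)


def chain_from(start_index: int, events: List[Event], window: timedelta) -> List[Event]:
    """Walk forward from a stage-0 event and collect later stages, in order.

    A later stage only counts if it happens inside `window` and is performed by
    the account whose password was reset (start.target), which is what ties the
    help-desk reset to the hypervisor activity.
    """
    start = events[start_index]
    chain = [start]
    next_stage = 1
    for ev in events[start_index + 1:]:
        if ev.ts - start.ts > window:
            break
        if (next_stage < len(STAGES)
                and ev.kind == STAGES[next_stage]
                and ev.actor == start.target):
            chain.append(ev)
            next_stage += 1
    return chain


def detect(text: str, window_hours: float = 6, min_stages: int = 2) -> List[Dict]:
    """Return one alert per privileged reset that progressed to >= min_stages.

    min_stages=2 fires as soon as a reset account enables SSH on a host, i.e.
    before the root credential change and snapshot deletion stages.
    """
    window = timedelta(hours=window_hours)
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != STAGES[0]:
            continue
        chain = chain_from(i, events, window)
        if len(chain) >= min_stages:
            alerts.append({
                "account": ev.target,
                "stages": len(chain),
                "last_stage": chain[-1].kind,
                "elapsed": chain[-1].ts - chain[0].ts,
                "events": chain,
            })
    return alerts


# Constructed sample audit lines: ISO timestamp | event kind | actor | target
SAMPLE_LOG = """\
2025-07-01T09:02:00|priv_password_reset|helpdesk1|vsphere-admin
2025-07-01T09:15:00|vcenter_login|vsphere-admin|vcenter-01
2025-07-01T09:40:00|ssh_enabled|vsphere-admin|esxi-01
2025-07-01T09:41:00|root_password_changed|vsphere-admin|esxi-01
2025-07-01T10:15:00|snapshot_deleted|vsphere-admin|dc01-vm
2025-07-03T08:00:00|priv_password_reset|helpdesk1|svc-backup
2025-07-03T18:30:00|ssh_enabled|svc-backup|esxi-02
2025-07-05T10:00:00|priv_password_reset|helpdesk1|ops-admin
2025-07-05T10:30:00|ssh_enabled|patch-automation|esxi-03
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['account']}: reached stage {alert['stages']}/{len(STAGES)} "
              f"({alert['last_stage']}) in {alert['elapsed']}")
```

In the constructed sample, only the vsphere-admin reset completes all four stages (in 1h13m, consistent with the "few hours" timeline); the svc-backup reset is followed by SSH activation but outside the six-hour window, and the ops-admin reset is followed by an SSH activation performed by a different account, so neither raises an alert at the default settings. Widening the window to 12 hours makes the svc-backup sequence visible, which is the trade-off a SIEM rule author tunes between noise and missed chains.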

Despite arrests in the UK, Scattered Spider remains active. Their advanced impersonation skills make them a top threat to modern IT infrastructure.