Scattered Spider hackers have been aggressively targeting virtualized environments by attacking VMware ESXi hypervisors at U.S. companies in the retail, airline, transportation, and insurance sectors.
According to the Google Threat Intelligence Group (GTIG), the attackers keep employing their usual tactics, which do not involve vulnerability exploits but rely on well-executed social engineering "to bypass even mature security programs."
A Scattered Spider attack
The researchers say that the gang starts an attack by impersonating an employee in a call to the IT help desk. The threat actor's purpose is to convince the agent to change the employee's Active Directory password and thus obtain initial access.
This allows Scattered Spider to scan the network for IT documentation that reveals high-value targets, such as the names of domain or VMware vSphere administrators, and the security groups that grant administrative permissions over the virtual environment.
At the same time, they scan for privileged access management (PAM) solutions that could hold sensitive data useful for moving to valuable network assets.
"Armed with the name of a specific, high-value administrator, they make additional calls to the help desk. This time, they impersonate the privileged user and request a password reset, allowing them to seize control of a privileged account" - Google Threat Intelligence Group
The hackers then work their way to the company's VMware vCenter Server Appliance (vCSA), a virtual machine used to manage VMware vSphere environments, which include the ESXi hypervisor that runs all the virtual machines on a physical server.
This level of access allows them to enable SSH connections on ESXi hosts and reset the root passwords. Further, they execute a so-called “disk-swap” attack to extract the critical NTDS.dit database for the Active Directory.
A disk-swap attack occurs when the threat actor powers off a domain controller virtual machine (VM) and detaches its virtual disk, only to attach it to another, unmonitored VM they control. After copying the sensitive data (e.g., the NTDS.dit file), they revert the process and power the domain controller back on.
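As an added illustration, not part of the article or of GTIG's reporting, the following Python sketch shows how a defender might spot the disk-swap sequence in vCenter events: a domain controller is powered off, and shortly afterwards its VMDK is attached to a different VM. The pipe-delimited event format, VM names, datastore paths and user accounts are constructed for this example; real vCenter event records carry the same information but in a different shape.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified, not real vCenter output).
# Fields: timestamp | event type | target VM | user | detail
SAMPLE_EVENTS = """\
2025-07-27T02:10:05Z|VmPoweredOffEvent|DC01|CORP\\vsphere-admin|
2025-07-27T02:11:40Z|VmReconfiguredEvent|DC01|CORP\\vsphere-admin|remove-disk [ds1] DC01/DC01.vmdk
2025-07-27T02:12:20Z|VmReconfiguredEvent|scratch-vm|CORP\\vsphere-admin|add-disk [ds1] DC01/DC01.vmdk
2025-07-27T02:40:02Z|VmReconfiguredEvent|scratch-vm|CORP\\vsphere-admin|remove-disk [ds1] DC01/DC01.vmdk
2025-07-27T02:41:30Z|VmPoweredOnEvent|DC01|CORP\\vsphere-admin|
2025-07-27T09:00:00Z|VmReconfiguredEvent|web01|CORP\\ops|add-disk [ds2] web01/web01_1.vmdk
"""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed inventory list of DC VMs
WINDOW = timedelta(hours=2)            # how long after a power-off an attach is suspicious


def parse(text):
    """Turn the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, etype, vm, user, detail = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "type": etype, "vm": vm, "user": user, "detail": detail})
    return events


def detect_disk_swap(events):
    """Flag a DC's disk being attached to another VM soon after the DC was powered off."""
    alerts = []
    power_off = {}  # DC name -> timestamp of its most recent power-off
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "VmPoweredOffEvent" and e["vm"] in DOMAIN_CONTROLLERS:
            power_off[e["vm"]] = e["ts"]
        elif e["type"] == "VmReconfiguredEvent" and e["detail"].startswith("add-disk "):
            vmdk = e["detail"].split(" ", 1)[1]          # "[ds1] DC01/DC01.vmdk"
            owner = vmdk.split("] ", 1)[1].split("/")[0]  # VM folder that owns the disk
            if owner in DOMAIN_CONTROLLERS and e["vm"] != owner:
                off_at = power_off.get(owner)
                if off_at is not None and e["ts"] - off_at <= WINDOW:
                    alerts.append({"dc": owner, "attached_to": e["vm"],
                                   "user": e["user"], "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_disk_swap(parse(SAMPLE_EVENTS)):
        print(f"ALERT: disk of {a['dc']} attached to {a['attached_to']} by {a['user']} at {a['at']}")
```

The same check can be fed from a SIEM export of vCenter events; the ESXi-side steps the article mentions (SSH enabled, root password reset) are worth alerting on independently.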