Overview
- Recent U.K. arrests have led to a drop in Scattered Spider (UNC3944) operations but have prompted groups like UNC6040 to adopt similar methods
- Google’s Threat Intelligence Group confirmed actors use phone-based impersonation to breach IT help desks, reset Active Directory credentials and map administrative systems
- Threat actors bypass endpoint defenses by hijacking vCenter administrative access, deploying Teleport backdoors and executing ransomware directly on ESXi hosts
- Attackers sabotage backup systems to delete jobs and repositories before exfiltrating data via Snowflake queries and cloud storage services such as MEGA.NZ and Amazon S3
- The FBI, CISA, NCSC and allied agencies urge organizations to disable ESXi shell access, isolate backups and enforce phishing-resistant multi-factor authentication