Particle.news

Download on the App Store

Arrests Disrupt Scattered Spider But Copycats Exploit VMware Hypervisors

A joint advisory warns that evolving social engineering tactics threaten virtual infrastructure with direct ransomware attacks.

Scattered Spider
Image
Scattered Spider Launching Ransomware on Hijacked VMware Systems, Google
Image

Overview

  • Recent U.K. arrests have led to a drop in Scattered Spider (UNC3944) operations but have prompted groups like UNC6040 to adopt similar methods
  • Google’s Threat Intelligence Group confirmed actors use phone-based impersonation to breach IT help desks, reset Active Directory credentials and map administrative systems
  • Threat actors bypass endpoint defenses by hijacking vCenter administrative access, deploying Teleport backdoors and executing ransomware directly on ESXi hosts
  • Attackers sabotage backup systems to delete jobs and repositories before exfiltrating data via Snowflake queries and cloud storage services such as MEGA.NZ and Amazon S3
  • The FBI, CISA, NCSC and allied agencies urge organizations to disable ESXi shell access, isolate backups and enforce phishing-resistant multi-factor authentication