We hear all the time that cyber attackers no longer hack, but simply log in. This is because it is true. However, the example of Scattered Spider shows how sophisticated the top threat actors are. Social engineering is the key to the ESXi hypervisor, with all the consequences that entails.
Last week, Google’s Threat Intelligence Group published new information about UNC3944, a hacker group believed to be the same entity as Scattered Spider, Octo Tempest, and Oktapus. It is a notorious attacker with prominent victims including the Las Vegas casinos and Snowflake. The group’s most recent attack campaign targets various industries, mainly in North America. Once again, its modus operandi is clear: deception via a fake help desk, followed by a digital bridge from Azure Active Directory to VMware vSphere and the ESXi hypervisor.
From help desk to hypervisor
UNC3944, whether called Scattered Spider, Octo Tempest, or anything else, distinguishes itself from generic attackers through its methodical approach. Its well-rehearsed strategy begins with a phone call to the IT help desk of a target company. By posing as an employee and using personal information from previous data breaches, the group manages to have passwords reset.
Once inside, the group scans SharePoint sites and network drives for IT documentation. They look for names of administrators and security groups such as “vSphere Admins” or “ESX Admins.” With this knowledge, the attackers call the help desk again, now as a privileged user, for further escalation.
The group works extremely quickly. Where traditional ransomware attacks take days or weeks, UNC3944 can go from initial access to complete encryption within hours. This speed makes detection extremely difficult, as the Google research team emphasizes.
VCSA as a conduit
With compromised Active Directory credentials, the group logs into vCenter Server. From there, the attackers gain what is known as “virtual physical access” to the VCSA itself: the appliance is a VM whose console they now control. By restarting it and editing the GRUB bootloader entry to pass init=/bin/bash, they obtain a root shell without a password.
The group then installs Teleport, a legitimate remote access tool. This creates an encrypted reverse shell that bypasses firewall rules. In this way, the attacker gains the ever-coveted persistent access. The VCSA thus functions as a conduit for data exfiltration, rendering network segmentation useless.
Mandiant reports that this approach exploits the fundamental trust relationship between vCenter and Active Directory. MFA is often missing from vCenter logins via LDAP(S), making stolen credentials immediately usable.
Offline credential theft
The most disturbing phase involves “hypervisor heist”: offline theft of credentials. UNC3944 enables SSH on ESXi hosts and resets root passwords. They identify a Domain Controller VM, disable it, and detach the virtual disk.
This disk is attached to a forgotten or “orphaned” VM that they control. From there, they copy the NTDS.dit Active Directory database. Afterward, everything is rolled back as if nothing had happened.
This process is completely invisible to EDR software running within the Domain Controller’s operating system. The attack takes place at the hypervisor level, where traditional security tools have no visibility. ESXi is extremely difficult to secure as a hypervisor, especially when there is a direct connection between Active Directory and vSphere.
Before encryption begins
With full AD control, Scattered Spider then focuses on the backup infrastructure. After all, there is little reason to negotiate or pay ransomware if the victims can restore their systems. The group gains access to backup systems via RDP or by adding users to “Veeam Administrators” groups. All backup jobs, snapshots, and repositories are deleted.
By encrypting at the hypervisor level, the attack group bypasses all in-guest security. Root access on the ESXi shell is the highest privilege level in a virtual environment, so attackers who achieve a compromise at this level have virtually free rein.
ESXi ransomware is by no means a new phenomenon, but UNC3944’s approach is. They push their payload to ESXi hosts via SSH, use vim-cmd to force all VMs to shut down, and then launch the ransomware. This proves once again that the appeal of a popular hypervisor is also its Achilles’ heel when it comes to the ongoing patching of vulnerabilities.
Three pillars of defense
Mandiant proposes a three-pronged defense. Proactive hardening forms the foundation: lockdown mode for ESXi, the execInstalledOnly policy to block unsigned binaries, and VM encryption for critical assets. Identity and architecture form the second pillar: phishing-resistant MFA for all systems, isolation of critical infrastructure, and avoidance of authentication loops in which AD ends up securing itself. Advanced detection (or Extended Detection, the XD in XDR) is the last line of defense: centralized logging of AD, vCenter, ESXi, and backup systems, with correlation between these sources producing what is known as high-fidelity alerting and thus earlier detection.
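As an added illustration of the correlation that both the “hypervisor heist” described above and the detection pillar call for (this is example code written for this article, not from Google’s or Mandiant’s report): a small detector over constructed, simplified vCenter events that flags a domain controller’s virtual disk being detached and then attached to a different VM. VmPoweredOffEvent and VmReconfiguredEvent are real vSphere event types; the flattened fields (disk_op, backing) and the DC_VMS list are assumptions about how a log pipeline would normalize them.

```python
from datetime import datetime, timedelta

# Constructed, simplified vCenter events (not real vSphere output). The
# disk_op/backing fields are assumed to be extracted from the VmReconfiguredEvent
# configSpec by the log pipeline.
EVENTS = [
    {"ts": "2025-07-28T02:10:05", "type": "VmPoweredOffEvent", "vm": "DC01", "user": "corp\\svc-backup"},
    {"ts": "2025-07-28T02:11:40", "type": "VmReconfiguredEvent", "vm": "DC01", "user": "corp\\svc-backup",
     "disk_op": "remove", "backing": "[ds01] DC01/DC01.vmdk"},
    {"ts": "2025-07-28T02:12:15", "type": "VmReconfiguredEvent", "vm": "old-test-vm", "user": "corp\\svc-backup",
     "disk_op": "add", "backing": "[ds01] DC01/DC01.vmdk"},          # disk lands on an orphaned VM
    {"ts": "2025-07-28T03:05:00", "type": "VmReconfiguredEvent", "vm": "old-test-vm", "user": "corp\\svc-backup",
     "disk_op": "remove", "backing": "[ds01] DC01/DC01.vmdk"},       # rollback begins
    {"ts": "2025-07-28T03:06:30", "type": "VmReconfiguredEvent", "vm": "DC01", "user": "corp\\svc-backup",
     "disk_op": "add", "backing": "[ds01] DC01/DC01.vmdk"},
    {"ts": "2025-07-28T03:07:00", "type": "VmPoweredOnEvent", "vm": "DC01", "user": "corp\\svc-backup"},
    # benign: a fresh disk added to a web server during a normal rebuild
    {"ts": "2025-07-28T09:00:00", "type": "VmReconfiguredEvent", "vm": "web02", "user": "corp\\admin",
     "disk_op": "add", "backing": "[ds02] web02/web02.vmdk"},
]

DC_VMS = {"DC01", "DC02"}  # assumed: populated from a vSphere tag or the CMDB

def detect_disk_hijack(events, dc_vms=DC_VMS, window_s=7200):
    """Alert when a DC's disk is removed and the same backing file is added to
    another VM within window_s seconds (the in-guest EDR never sees this)."""
    window = timedelta(seconds=window_s)
    by_time = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, ev in enumerate(by_time):
        if (ev["type"] != "VmReconfiguredEvent" or ev.get("disk_op") != "remove"
                or ev["vm"] not in dc_vms):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        for later in by_time[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # events are sorted, nothing further can match
            if (later["type"] == "VmReconfiguredEvent" and later.get("disk_op") == "add"
                    and later.get("backing") == ev["backing"] and later["vm"] != ev["vm"]):
                alerts.append({"dc_vm": ev["vm"], "staging_vm": later["vm"],
                               "backing": ev["backing"], "user": later["user"],
                               "detached_at": ev["ts"], "attached_at": later["ts"]})
    return alerts

if __name__ == "__main__":
    for a in detect_disk_hijack(EVENTS):
        print(f"ALERT: disk {a['backing']} of {a['dc_vm']} attached to {a['staging_vm']} "
              f"by {a['user']} at {a['attached_at']}")
```

The same backing-path join can be extended to the power-off event that precedes the detach and to the later re-attach, so that the full rollback the group performs shows up as one correlated timeline rather than four unrelated reconfiguration events.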
UNC3944 is already proving to be a trendsetter. Instead of software exploits, it relies on human factors and abuse of trust relationships. The “living-off-the-land” approach leaves as few traces as possible. But its social engineering potential is particularly high. This is what you might call the “X factor” of the group and is by far the most difficult to defend against. After all, having well-prepared staff and instructing IT help desks to be cautious when restoring accounts quickly leads to extra friction and frustration for employees.
Nevertheless, the pressure on Scattered Spider is increasing, which means that the group itself may no longer be the threat it once was. Without the members who were arrested last year, it is conceivable that the group, with all its names, will disappear. We have seen this before with Conti, LockBit, and many other once powerful groups. However, not all individuals are arrested, and their sophisticated knowledge is preserved under new code names.