Bill Toulas reports:
Scattered Spider hackers have been aggressively targeting virtualized environments by attacking VMware ESXi hypervisors at U.S. companies in the retail, airline, transportation, and insurance sectors.
According to the Google Threat Intelligence Group (GTIG), the attackers keep employing their usual tactics that do not include vulnerability exploits but rely on perfectly executed social engineering “to bypass even mature security programs.”
The researchers say that the gang starts an attack by impersonating an employee in a call to the IT help desk. The threat actor’s purpose is to convince the agent to change the employee’s Active Directory password and thus obtain initial access.
This allows Scattered Spider to scan the network devices for IT documentation that would provide high-value targets, like the names of domain or VMware vSphere administrators, and security groups that can provide administrative permissions over the virtual environment.
Read more at Bleeping Computer.