July 29, 2025
Severity
High
Analysis Summary
A security firm has reported that the financially motivated hacking group Scattered Spider, also tracked as UNC3944, Muddled Libra, and Starfraud, is actively targeting VMware vSphere environments to seize full control of hypervisors and deploy ransomware from them. Active since 2022, the group has carried out several high-profile attacks, including the MGM Resorts breach involving BlackCat (Alphv) ransomware, the widespread 0ktapus phishing campaign, and ransomware attacks on UK retailers such as Marks & Spencer, Harrods, and Co-op. Despite arrests and indictments of key members, the group remains highly active and keeps changing its techniques to evade detection.
The latest research report highlights a shift in Scattered Spider's tactics, from abusing Active Directory directly to compromising the VMware vCenter infrastructure that hosts it. The attackers begin by impersonating employees and calling IT help desks to have passwords reset, working their way up to administrative accounts. With those credentials they log in to the vCenter Server, reset the root password on the ESXi hosts it manages, enable SSH on the hosts, and deploy the open-source remote access tool Teleport to establish encrypted, persistent access that does not depend on the stolen credentials remaining valid. They then detach the virtual disk of a Domain Controller VM, copy the Active Directory database (NTDS.dit) from it offline, and reattach the disk. Because the copy is taken from outside the guest, none of the protections that apply inside the running Domain Controller are triggered, and the attackers walk away with every domain credential hash.
To maximize impact, the group sabotages recovery by deleting snapshots, backup jobs, and backup repositories. It then powers off all virtual machines and executes the ransomware directly on the ESXi hypervisors, encrypting the VM disk files. This method bypasses conventional endpoint detection and response (EDR) tools: EDR agents run inside the guest operating systems and have no visibility into, or control over, what runs on the hypervisor beneath them. The entire attack chain, from initial access to ransomware deployment, can unfold in a few hours, showing the group's speed and coordination.
Researchers urge organizations to adopt infrastructure-centric security strategies to counter these threats. Recommended defenses include enforcing vSphere lockdown mode, applying role-based access controls, encrypting Tier 0 assets, isolating backups from production systems, implementing phishing-resistant multi-factor authentication (MFA), and verifying identity-related requests through in-person validation. As Scattered Spider continues to operate with high velocity and technical sophistication, a proactive and hardened security posture is essential.
Impact
- Unauthorized Access
- Data Exfiltration
- Operational Disruption
- Sensitive Information Theft
Remediation
- Enforce vSphere lockdown mode so that ESXi hosts can be administered only through vCenter and direct logins (SSH, ESXi Shell, Host Client) are refused for everyone except explicitly listed exception users, reducing the attack surface.
- Use role-based access controls to ensure only authorized users have the minimum necessary permissions; in particular, do not let ordinary help-desk or admin roles change host root passwords or host services.
- Enable the execInstalledOnly setting on ESXi hosts so that the kernel only runs binaries installed from signed VIBs, which blocks ransomware and other unapproved tooling copied onto the hypervisor.
- Encrypt Tier 0 assets (Domain Controllers, PKI, identity systems) as encrypted VMs so that a detached virtual disk cannot simply be mounted elsewhere and read.
- Isolate backups from production Active Directory and vSphere: the backup platform must not authenticate through the same AD the attackers are targeting, and recovery points should be held in immutable or offline storage so a vCenter administrator cannot delete them.
- Implement phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) to block unauthorized access attempts using stolen credentials or social engineering.
- Require in-person identity verification before help-desk password or MFA resets, so the phone-based impersonation used here cannot succeed remotely.
- Forward vCenter events and ESXi logs to a SIEM and alert on the specific steps of this chain: SSH being enabled on a host, host root password changes, virtual disks of Domain Controllers being detached or attached to other VMs, bulk snapshot or backup deletion, and mass VM power-offs.
- Harden Active Directory access to prevent privilege escalation and unauthorized account manipulation.
- Add an alternate identity provider alongside Active Directory to diversify authentication paths and reduce reliance on a single system.
- Continuously manage vSphere posture to identify and remediate configuration weaknesses proactively.
- Avoid circular authentication dependencies, for example vCenter authenticating solely against an Active Directory whose Domain Controllers run as VMs on that same vCenter; such loops let an attacker who controls one tier take the other, and leave no trusted path for recovery.
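The attack chain in the analysis summary and the log-monitoring recommendation above translate directly into a staged detection. The script below is an added example, not code from the original advisory or from any vendor; it runs over a constructed, simplified event export (the line format, event names, and the rule that the export is in chronological order are all assumptions for the example), and reports which stages of the chain it sees: ESXi root password reset, SSH enabled, a Domain Controller's disk attached to a different VM, bulk snapshot deletion, and mass power-off. A real vCenter event export or ESXi hostd/auth log needs its own parser, but the stage logic carries over unchanged.

```python
"""Hunt for the vSphere hypervisor-ransomware chain in an exported event log.

Added example; the log format below is a constructed, simplified export and
is not real vCenter output. Events are assumed to be in chronological order.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample events (not real vCenter output). Assumed line format:
#   <ISO-8601 UTC> user=<principal> event=<name> target=<object> [detail=<text>]
SAMPLE_EVENTS = """\
2025-07-28T09:10:45Z user=vsphere.local\\Administrator event=HostRootPasswordChanged target=esxi01
2025-07-28T09:11:03Z user=vsphere.local\\Administrator event=ServiceStarted target=esxi01 detail=TSM-SSH
2025-07-28T09:25:40Z user=root event=VmReconfigured target=DC01 detail=disk_detached:DC01_1.vmdk
2025-07-28T09:26:02Z user=root event=VmReconfigured target=STAGING-VM detail=disk_attached:DC01_1.vmdk
2025-07-28T09:48:19Z user=root event=VmReconfigured target=DC01 detail=disk_attached:DC01_1.vmdk
2025-07-28T10:05:00Z user=root event=SnapshotRemoved target=DC01
2025-07-28T10:05:04Z user=root event=SnapshotRemoved target=FILESRV01
2025-07-28T10:05:07Z user=root event=SnapshotRemoved target=APP01
2025-07-28T10:30:12Z user=root event=VmPoweredOff target=DC01
2025-07-28T10:30:13Z user=root event=VmPoweredOff target=FILESRV01
2025-07-28T10:30:14Z user=root event=VmPoweredOff target=APP01
2025-07-28T10:30:15Z user=root event=VmPoweredOff target=APP02
2025-07-28T10:30:16Z user=root event=VmPoweredOff target=DB01
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"target=(?P<target>\S+)(?: detail=(?P<detail>\S+))?$"
)


def parse_events(text: str) -> list[dict]:
    """Parse the simplified export into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EVENT_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable event line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_chain(events: list[dict], dc_names: set[str], snapshot_threshold: int = 3,
                 poweroff_threshold: int = 5,
                 poweroff_window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {stage_name: first timestamp} for every attack stage observed."""
    stages: dict[str, datetime] = {}
    detached: dict[str, str] = {}      # vmdk -> Domain Controller it came from
    snapshots_removed = 0
    poweroffs: list[datetime] = []

    for e in events:
        ev, tgt, detail = e["event"], e["target"], e["detail"] or ""
        if ev == "HostRootPasswordChanged":
            stages.setdefault("esxi_root_password_reset", e["ts"])
        elif ev == "ServiceStarted" and detail == "TSM-SSH":
            stages.setdefault("ssh_enabled_on_host", e["ts"])
        elif ev == "VmReconfigured" and detail.startswith("disk_detached:") and tgt in dc_names:
            detached[detail.split(":", 1)[1]] = tgt
        elif ev == "VmReconfigured" and detail.startswith("disk_attached:"):
            vmdk = detail.split(":", 1)[1]
            # A DC disk re-attached to its own VM is normal maintenance; the same
            # disk attached to any *other* VM is the offline NTDS.dit theft step.
            if vmdk in detached and tgt != detached[vmdk]:
                stages.setdefault("dc_disk_swapped_to_other_vm", e["ts"])
        elif ev == "SnapshotRemoved":
            snapshots_removed += 1
            if snapshots_removed >= snapshot_threshold:
                stages.setdefault("recovery_points_deleted", e["ts"])
        elif ev == "VmPoweredOff":
            poweroffs.append(e["ts"])
            recent = [t for t in poweroffs if e["ts"] - t <= poweroff_window]
            if len(recent) >= poweroff_threshold:
                stages.setdefault("mass_vm_power_off", e["ts"])
    return stages


def assess(text: str, dc_names: list[str], min_stages: int = 3) -> dict:
    """Summarise the chain: stages in order of first occurrence, alert flag, elapsed time."""
    stages = detect_chain(parse_events(text), set(dc_names))
    ordered = sorted(stages.items(), key=lambda kv: kv[1])
    duration = (ordered[-1][1] - ordered[0][1]) if ordered else timedelta(0)
    return {"stages": [name for name, _ in ordered],
            "alert": len(stages) >= min_stages,
            "duration": duration}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, ["DC01"]))
```

Any single stage (a root password change, a snapshot clean-up) is routine on its own, which is why the example alerts on the number of stages seen rather than on any one event; the elapsed time between the first and last stage is reported because the advisory's point is that the whole chain completes in hours. The list of Domain Controller names is supplied by the caller, since vSphere itself does not know which VMs are Tier 0.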