Scattered Spider Hackers Exploit VMware ESXi Without Vulnerabilities
The hacker group Scattered Spider has intensified its attacks on U.S. companies in the retail, airline, transportation and insurance sectors by targeting VMware ESXi hypervisors. According to Google’s Threat Intelligence Group, the group bypasses mature security programs using advanced social engineering instead of exploiting software flaws. Attackers begin by impersonating employees in calls to IT help desks to reset Active Directory passwords, later escalating privileges to gain full control of VMware vSphere environments. With this access, they can enable SSH on ESXi hosts, reset root passwords, and execute “disk-swap” attacks to extract critical Active Directory databases. Scattered Spider then wipes backup systems and deploys ransomware to encrypt virtual machines. Google warns that such attacks can unfold within hours, granting hackers unprecedented control over virtual infrastructures. To counter the threat, Google advises organizations to lock down vSphere configurations, enforce phishing-resistant MFA, centralize logs in a SIEM, and maintain immutable, air-gapped backups. Despite recent arrests by the UK’s National Crime Agency, Scattered Spider activity remains high.
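One concrete use of the centralized logging the article recommends is a correlation rule that flags an ESXi host on which several of the host-level actions described above (SSH enabled, root password reset, a VM disk attached elsewhere) occur within a short window, rather than alerting on each change alone. This is an added example, not code from the article or from Google's report; the log line format, event names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real ESXi/vCenter schema):
# "<ISO timestamp> host=<esxi-host> user=<actor> event=<event-name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")
# Host-level actions the article attributes to the intrusion chain; the event
# names are constructed for this example, not vendor event identifiers.
SUSPICIOUS_EVENTS = {"ssh_enabled", "root_password_reset", "vm_disk_attached"}

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_host_takeover_sequences(lines, window=timedelta(hours=1), min_events=2):
    """Return {host: [event names]} for each host on which at least `min_events`
    distinct suspicious actions occur within `window`. Correlating per host
    instead of alerting on each action alone avoids noise from routine changes."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] in SUSPICIOUS_EVENTS:
            per_host[rec["host"]].append(rec)
    hits = {}
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            cluster = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len({r["event"] for r in cluster}) >= min_events:
                hits[host] = [r["event"] for r in cluster]
                break
    return hits

# Constructed sample lines: esx-01 shows the chain; esx-02 has two changes a day apart.
SAMPLE_LOG = [
    "2025-07-28T09:02:11 host=esx-01 user=helpdesk-reset event=ssh_enabled",
    "2025-07-28T09:05:40 host=esx-01 user=helpdesk-reset event=root_password_reset",
    "2025-07-28T09:20:03 host=esx-01 user=root event=vm_disk_attached",
    "2025-07-28T13:00:00 host=esx-02 user=admin event=ssh_enabled",
    "2025-07-29T13:00:00 host=esx-02 user=admin event=root_password_reset",
    "garbage line that should be ignored",
]
```

Running `find_host_takeover_sequences(SAMPLE_LOG)` flags only esx-01; the window and threshold should be tuned to what routine maintenance on the estate actually looks like.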
