A new cyber-threat has emerged from the Scattered Spider hackers: the group of (mostly young) miscreants has been aggressively targeting virtualised environments, primarily by attacking VMware ESXi hypervisors. As BleepingComputer reports, many of the targets are U.S. companies in the retail, airline, transportation, and insurance sectors.
According to the Google Threat Intelligence Group: “Armed with the name of a specific, high-value administrator, they make additional calls to the help desk. This time, they impersonate the privileged user and request a password reset, allowing them to seize control of a privileged account.”
To learn more about this emergent risk to the business sector, Digital Journal canvassed the views of Ronen Ahdut, Head of Cyops at Cynet.
Ahdut sets out the primary operating motive of the hackers: “Unlike many recent threat actor campaigns, Scattered Spider’s operations elevate social engineering to a new level of precision and boldness. Rather than exploiting software vulnerabilities, these actors manipulate human trust in real time, often impersonating employees via live Teams calls or chats to convince IT and help desk staff to reset MFA or Active Directory credentials.”
Because the attack relies on direct communication, the hackers need to be convincing to the people they target. Ahdut explains how this is achieved: “This approach is strengthened by the group’s fluency in English and deep familiarity with U.S. and U.K. corporate environments. Recent arrests underscore this: one U.S.-based member was charged in Florida for SIM-swapping and identity theft, while the alleged leader, a 22-year-old U.K. resident, was apprehended in Spain (Source 1, Source 2). Despite these developments, the group remains active, continuing to target VMware ESXi hypervisors and other critical infrastructure.”
Hypervisor
VMware ESXi is an enterprise-class, type-1 hypervisor, used for deploying and serving virtual computers. A hypervisor is a type of computer software, firmware or hardware that creates and runs virtual machines.
As to what is especially vulnerable about ESXi, Ahdut states: “ESXi appliances are particularly attractive to threat actors because they host the virtual machines that power core business operations. Compromising them allows attackers to exfiltrate or encrypt entire environments, causing widespread disruption. Moreover, ESXi systems are often under-monitored, making them ideal pivot points for lateral movement and stealthy persistence. This combination of operational impact and low visibility makes them a high-value target in modern ransomware campaigns.”
What can be done?
How can this threat be challenged? Ahdut advises: “To counter threats like Scattered Spider, defenders must expand their view of the attack surface to include both technical systems and human behaviour. These actors blend social engineering with technical skill, making identity-centric security, layered verification, and Zero Trust principles essential, even within internal environments.”
Ahdut further advises: “Traditional controls like patching and segmentation remain important, but resilience increasingly hinges on anticipating and disrupting human-driven intrusion paths. The front line isn’t just code—it’s people, processes, and the policies that bind them.”
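The "layered verification" Ahdut describes can be checked after the fact as well as enforced at the help desk. The following is an added example, not code from the article, Cynet or Google: it flags password resets on high-value accounts that have no recent help-desk ticket recording out-of-band verification of the requester. All account names, event fields, ticket fields and the verification policy are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). Event fields are hypothetical,
# loosely modelled on a directory password-reset audit record.
PRIVILEGED = {"esxi-admin", "da-jsmith"}  # assumed high-value administrator accounts

RESET_EVENTS = [
    {"time": "2025-07-28T09:05:00", "target": "esxi-admin", "actor": "helpdesk1"},
    {"time": "2025-07-28T09:40:00", "target": "jdoe",       "actor": "helpdesk2"},
    {"time": "2025-07-28T11:10:00", "target": "da-jsmith",  "actor": "helpdesk1"},
]

# Tickets record how the requester's identity was verified. "callback" means the
# agent phoned the number already on file; "caller_stated" means the agent simply
# believed the caller, which is the gap the impersonation described above exploits.
TICKETS = [
    {"opened": "2025-07-28T08:50:00", "account": "esxi-admin", "verification": "caller_stated"},
    {"opened": "2025-07-28T10:55:00", "account": "da-jsmith",  "verification": "callback"},
]

STRONG_VERIFICATION = {"callback", "manager_approval"}  # assumed policy


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def flag_privileged_resets(events, tickets, privileged, window_minutes=60):
    """Return resets of privileged accounts that lack a ticket, opened within
    `window_minutes` before the reset, whose verification was out-of-band."""
    flagged = []
    for ev in events:
        if ev["target"] not in privileged:
            continue  # ordinary users are out of scope for this rule
        t_reset = _ts(ev["time"])
        earliest = t_reset - timedelta(minutes=window_minutes)
        verified = any(
            tk["account"] == ev["target"]
            and earliest <= _ts(tk["opened"]) <= t_reset
            and tk["verification"] in STRONG_VERIFICATION
            for tk in tickets
        )
        if not verified:
            flagged.append({**ev, "reason": "privileged reset without out-of-band verification"})
    return flagged


if __name__ == "__main__":
    for hit in flag_privileged_resets(RESET_EVENTS, TICKETS, PRIVILEGED):
        print(f"{hit['time']} {hit['actor']} reset {hit['target']}: {hit['reason']}")
```

In the sample data only the esxi-admin reset is flagged: its ticket exists but records no callback, while the da-jsmith reset is covered by a callback-verified ticket opened 15 minutes earlier.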
