
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,550 of 2,445   
   Mike Powell to All   
   Scattered Spider, US crit   
   28 Jul 25 15:25:45   
   
   TZUTC: -0500   
   MSGID: 1284.consprcy@1:2320/105 2ced17cd   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Scattered Spider hackers are targeting US critical infrastructure via VMware   
   attacks   
      
   Date:   
   Mon, 28 Jul 2025 14:28:00 +0000   
      
   Description:   
   Scattered Spider has reportedly perfected social engineering, getting   
   privileged access in hours.   
      
   FULL STORY   
      
   The infamous Scattered Spider ransomware group is using VMware instances to
   target critical infrastructure organizations in the US, researchers have
   warned.
      
   Security researchers from Google Threat Intelligence Group (GITG) have found   
   the criminals are targeting critical infrastructure firms, but also retail,   
   airline, and insurance industries.    
      
   The campaign is described as sophisticated and aggressive, split into    
   multiple phases that last no longer than a couple of hours, the experts warn.   
      
   On the hunt for vCSA    
      
   In the campaign, the hackers do not exploit any vulnerabilities, but instead   
   go for aggressive, creative, and particularly skilled social engineering.    
   They first reach out to their victim's IT desk, impersonating an employee, and
   asking for a reset on the employee's Active Directory account.
      
   After gaining the initial foothold, they would scan the network to identify   
   high-value targets, such as domain names, VMware vSphere admins, and other   
   security departments that can grant them admin access into the virtual   
   environment.    
      
   Then, they would reach out to IT again, this time posing as a more privileged   
   user, again asking for a password reset - but for an account with higher   
   privileges.    
      
   From there, they look to access the VMware vCenter Server Appliance (vCSA), a   
   preconfigured Linux-based virtual machine that provides centralized    
   management for VMware vSphere environments, including the ESXi hypervisor.    
      
   This, in turn, allows them to enable SSH connections on ESXi hosts, resetting   
   root passwords.    
      
   From this point on, it is all about identifying and exfiltrating sensitive   
   information, in preparation for the deployment of an encryptor. Locking down   
   the entire network is the final stage of the attack, after which the victims   
   are pressured into paying a ransom demand.    
      
   GTIG says that the entire attack happens quickly, going from initial access    
   to ransomware deployment in mere hours, warning companies to tighten up on   
   their security across the board, and to use phishing-resistant MFA.    
      
    Via BleepingComputer   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/scattered-spider-hackers-are-targeting-us-critical-infrastructure-via-vmware-attacks
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
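
The attack chain in the reposted story (vCenter access, SSH enabled on ESXi
hosts, root passwords reset, all within a couple of hours) is the kind of
sequence a SOC can correlate from host audit events. The Python below is an
added example written for this archive page; it is not code from the article,
from GTIG, or from the message author. It assumes the event type strings mirror
the ESXi audit event IDs esx.audit.ssh.enabled, esx.audit.ssh.disabled and
esx.audit.account.passwordchanged, and every hostname, username and timestamp in
the sample records is constructed for the demonstration, not taken from any real
incident.

```python
"""Correlate ESXi audit events into the takeover sequence described above:
SSH enabled on a host, then the root password changed shortly afterwards,
then the same identity repeating that on several hosts.

Added example for this page; not the article's, GTIG's or the BBS author's code.
Assumptions: event type names mirror ESXi audit event IDs, and SAMPLE_EVENTS
below is constructed data, not a real log export.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

SSH_ENABLED = "esx.audit.ssh.enabled"            # assumed ESXi audit event ID
SSH_DISABLED = "esx.audit.ssh.disabled"          # assumed ESXi audit event ID
PASSWORD_CHANGED = "esx.audit.account.passwordchanged"  # assumed ESXi audit event ID

# Constructed sample events (hostnames, users and times are made up).
# esx01/esx02: the attack pattern, one actor, minutes apart.
# esx03: a routine patch window, SSH enabled then disabled, no root reset.
SAMPLE_EVENTS = [
    {"time": "2025-07-28T14:02:10Z", "host": "esx01.corp.example",
     "type": SSH_ENABLED, "user": "CORP\\jdoe-admin", "account": ""},
    {"time": "2025-07-28T14:05:44Z", "host": "esx01.corp.example",
     "type": PASSWORD_CHANGED, "user": "CORP\\jdoe-admin", "account": "root"},
    {"time": "2025-07-28T14:06:01Z", "host": "esx02.corp.example",
     "type": SSH_ENABLED, "user": "CORP\\jdoe-admin", "account": ""},
    {"time": "2025-07-28T14:08:30Z", "host": "esx02.corp.example",
     "type": PASSWORD_CHANGED, "user": "CORP\\jdoe-admin", "account": "root"},
    {"time": "2025-07-28T09:15:00Z", "host": "esx03.corp.example",
     "type": SSH_ENABLED, "user": "CORP\\ops-patching", "account": ""},
    {"time": "2025-07-28T09:40:00Z", "host": "esx03.corp.example",
     "type": SSH_DISABLED, "user": "CORP\\ops-patching", "account": ""},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_host_takeover(events, window_seconds: int = 7200):
    """Per host: SSH enabled, then a root password change within window_seconds.

    Returns one alert dict per matching pair. An SSH-disabled event clears the
    pending state, so a finished maintenance window does not pair with a
    later, unrelated password change.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        pending_ssh = None
        for ev in evs:
            if ev["type"] == SSH_ENABLED:
                pending_ssh = ev
            elif ev["type"] == SSH_DISABLED:
                pending_ssh = None
            elif (ev["type"] == PASSWORD_CHANGED and ev["account"] == "root"
                  and pending_ssh is not None):
                delta = parse_time(ev["time"]) - parse_time(pending_ssh["time"])
                if delta.total_seconds() <= window_seconds:
                    alerts.append({
                        "host": host,
                        "user": ev["user"],
                        "ssh_enabled_at": pending_ssh["time"],
                        "root_reset_at": ev["time"],
                        "seconds_between": int(delta.total_seconds()),
                    })
                pending_ssh = None
    return alerts


def detect_fleet_sweep(alerts, min_hosts: int = 2):
    """Escalate when one identity repeats the pattern on several hosts.

    Returns {user: sorted host list} for users at or above min_hosts.
    """
    hosts_by_user = defaultdict(set)
    for a in alerts:
        hosts_by_user[a["user"]].add(a["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = detect_host_takeover(SAMPLE_EVENTS)
    for a in found:
        print(f"[host] {a['host']}: SSH enabled {a['ssh_enabled_at']}, "
              f"root reset {a['root_reset_at']} by {a['user']} "
              f"({a['seconds_between']}s apart)")
    for user, hosts in detect_fleet_sweep(found).items():
        print(f"[fleet] {user} reset root on {len(hosts)} hosts: {', '.join(hosts)}")
```

The two-stage shape matters: a single host's SSH-enable plus root reset is
noisy enough to be a legitimate rebuild, but the same freshly reset
administrator account doing it across hosts within minutes is the
hours-not-days tempo the story describes, and that is where the page should
alert rather than on the first event.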
      



(c) 1994,  bbs@darkrealms.ca