- Google warns about Scattered Spider's advanced social engineering tactics
- The hackers obtain privileged access and use it to deploy ransomware
- The group targets critical infrastructure, retail, airlines and other industries
The notorious Scattered Spider ransomware group is abusing VMware environments to target critical infrastructure organizations in the United States, researchers have warned.
Security researchers at Google Threat Intelligence Group (GTIG) found that the criminals were going after critical infrastructure companies, but also the retail, airline and insurance sectors.
The campaign is described as "sophisticated and aggressive", broken into several phases that together take no more than a few hours, the experts warn.
Hunting for the vCSA
In this campaign the attackers exploit no software vulnerability; instead they rely on social engineering that is "aggressive, creative and particularly skilled". They first contact the victim's IT help desk, posing as an employee, and request a password reset on that employee's Active Directory account.
After gaining an initial foothold, they scan the network to identify high-value targets such as domain administrators, VMware vSphere administrators and other security groups that could grant them administrative access to the virtual environment.
They then contact the help desk again, this time posing as a more privileged user, and ask for another password reset, now for an account with higher privileges.
From there, they work to reach the VMware vCenter Server Appliance (vCSA), a preconfigured Linux-based virtual machine that provides centralized management for VMware vSphere environments, including the ESXi hypervisor.
That access in turn lets them enable SSH on the ESXi hosts and reset the hosts' root passwords.
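Defenders can look for the step just described by correlating hypervisor audit events: SSH being switched on for an ESXi host followed within minutes by a root password change, or a single identity enabling SSH across several hosts in a short window. The Python below is an added example, not code from the article or from GTIG. The event names, the record layout and the sample events are constructed for illustration and are only loosely modelled on ESXi audit events; they are not a real vCenter export schema, so map them to your own SIEM fields before use.

```python
"""Correlate constructed ESXi/vCenter-style audit events to flag the pattern
described in the article: SSH enabled on a hypervisor host, then a root
password reset shortly afterwards, or one actor enabling SSH fleet-wide.

Event names and the tuple layout are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (utc_timestamp, host, event_name, actor).
# esxi-01/02: the suspicious sequence.  esxi-03: a normal maintenance window
# where SSH was enabled and later disabled without any password change.
SAMPLE_EVENTS = [
    ("2025-07-28T01:02:10Z", "esxi-01", "esx.audit.ssh.enabled", "vsphere.local\\svc-backup"),
    ("2025-07-28T01:04:45Z", "esxi-01", "esx.audit.account.passwordchanged", "root"),
    ("2025-07-28T01:05:10Z", "esxi-02", "esx.audit.ssh.enabled", "vsphere.local\\svc-backup"),
    ("2025-07-28T01:06:02Z", "esxi-02", "esx.audit.account.passwordchanged", "root"),
    ("2025-07-27T09:00:00Z", "esxi-03", "esx.audit.ssh.enabled", "vsphere.local\\ops-admin"),
    ("2025-07-27T17:30:00Z", "esxi-03", "esx.audit.ssh.disabled", "vsphere.local\\ops-admin"),
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate_ssh_then_root_reset(events, window=timedelta(minutes=30)):
    """Per host: an SSH-enable event followed, while SSH is still on and
    inside `window`, by a root password change.  One alert per matched pair."""
    by_host = defaultdict(list)
    for ts, host, name, actor in events:
        by_host[host].append((parse_ts(ts), name, actor))

    alerts = []
    for host, records in by_host.items():
        records.sort()  # chronological order per host
        pending_enable = None  # (time, actor) of the most recent SSH enable
        for when, name, actor in records:
            if name == "esx.audit.ssh.enabled":
                pending_enable = (when, actor)
            elif name == "esx.audit.ssh.disabled":
                pending_enable = None  # SSH turned back off: sequence broken
            elif (name == "esx.audit.account.passwordchanged"
                  and actor == "root" and pending_enable is not None):
                start, enabler = pending_enable
                if when - start <= window:
                    alerts.append({
                        "host": host,
                        "enabled_by": enabler,
                        "seconds_between": int((when - start).total_seconds()),
                    })
                    pending_enable = None
    return alerts


def ssh_enabled_fleet_wide(events, min_hosts=2, window=timedelta(minutes=30)):
    """One identity enabling SSH on at least `min_hosts` distinct hosts
    within `window`; routine maintenance rarely touches many hosts at once."""
    by_actor = defaultdict(list)
    for ts, host, name, actor in events:
        if name == "esx.audit.ssh.enabled":
            by_actor[actor].append((parse_ts(ts), host))

    alerts = []
    for actor, records in by_actor.items():
        records.sort()
        # Slide a window anchored at each enable event over the sorted list.
        for i, (start, _) in enumerate(records):
            hosts = {h for t, h in records[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"actor": actor, "hosts": sorted(hosts)})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate_ssh_then_root_reset(SAMPLE_EVENTS):
        print("SSH enabled then root reset:", alert)
    for alert in ssh_enabled_fleet_wide(SAMPLE_EVENTS):
        print("Fleet-wide SSH enablement:", alert)
```

Run against the constructed sample, the first rule fires for esxi-01 and esxi-02 only, since esxi-03 had SSH disabled again without any root password change; the second rule fires once for the backup service account that enabled SSH on two hosts within three minutes. Tune the window and host threshold to your own change-management cadence so that scheduled patching does not trip the rules.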
From this point it is a matter of identifying and exfiltrating sensitive data in preparation for deploying an encryptor. Locking up the whole network is the final stage of the attack, after which the victims are pressured to pay the ransom demand.
GTIG says the whole attack unfolds quickly, moving from initial access to ransomware deployment within "a few hours", and urges companies to tighten security at every layer and to adopt phishing-resistant MFA.
Via BleepingComputer