- Google warns of the advanced social engineering tactics of Scattered Spider
- The hackers gain privileged access and use it to deploy ransomware
- The group targets critical infrastructure, retail, airlines and other industries
The notorious Scattered Spider ransomware group is using VMware environments to target critical infrastructure organizations in the United States, researchers have warned.
Security researchers at the Google Threat Intelligence Group (GTIG) found that the criminals are targeting critical infrastructure companies, as well as the retail, airline and insurance industries.
The campaign is described as “sophisticated and aggressive”, unfolding in multiple phases that together last no more than a couple of hours, the experts warn.
In search of the VCSA
In this campaign the hackers do not exploit any vulnerability; instead they rely on “aggressive, creative and particularly skilled social engineering”. First they contact the victim’s help desk, impersonate an employee and request a password reset on that employee’s Active Directory account.
After gaining this initial foothold, they scan the network to identify high-value targets such as domain administrators, VMware vSphere administrators and other security groups that can grant administrative access to the virtual environment.
They then call again, this time posing as a more privileged user, and once more request a password reset, now for the higher-privileged account.
From there, they seek access to the VMware vCenter Server Appliance (VCSA), a pre-configured Linux-based virtual machine that provides centralized management for VMware vSphere environments, including the ESXi hypervisor.
This, in turn, lets them enable SSH connections on the ESXi hosts and reset the root passwords.
From this point on, the goal is to identify and exfiltrate confidential information in preparation for deploying an encryptor. Locking down the entire network is the final stage of the attack, after which the victims are pressured to pay a ransom demand.
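The chain described above (help-desk reset of a privileged account, then SSH enablement or root password resets on ESXi hosts) is what a defender would want to correlate. The following is an added detection example, not GTIG’s or BleepingComputer’s code; it assumes a SIEM has already normalized help-desk, AD and vCenter/ESXi logs into a constructed pipe-delimited format, and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str       # constructed values: "helpdesk", "ad", "vcenter", "esxi"
    action: str       # constructed values: "password_reset", "login", "ssh_enabled", "root_password_reset"
    account: str
    privileged: bool = False

def parse(line: str) -> Event:
    # Constructed normalized format (not a vendor log format): ts|source|action|account|privileged
    ts, source, action, account, priv = line.split("|")
    return Event(datetime.fromisoformat(ts), source, action, account, priv == "1")

def detect_reset_to_hypervisor_chain(events, window=timedelta(hours=3)):
    """Return (reset_event, esxi_event) pairs where a help-desk password reset on a
    privileged account is followed within `window` by SSH being enabled or a root
    password reset on an ESXi host. The window reflects the 'mere hours' tempo."""
    events = sorted(events, key=lambda e: e.ts)
    resets = [e for e in events
              if e.source == "helpdesk" and e.action == "password_reset" and e.privileged]
    esxi_changes = [e for e in events
                    if e.source == "esxi" and e.action in ("ssh_enabled", "root_password_reset")]
    hits = []
    for r in resets:
        for c in esxi_changes:
            if r.ts <= c.ts <= r.ts + window:
                hits.append((r, c))
    return hits

# Constructed sample feed: an unprivileged reset (benign), a privileged reset followed
# by ESXi changes within the window (suspicious), and an unrelated change a day later.
SAMPLE_LOG = """\
2025-07-28T09:02:00|helpdesk|password_reset|jdoe|0
2025-07-28T09:40:00|helpdesk|password_reset|vsphere-admin|1
2025-07-28T10:05:00|vcenter|login|vsphere-admin|1
2025-07-28T10:12:00|esxi|ssh_enabled|vsphere-admin|1
2025-07-28T10:15:00|esxi|root_password_reset|root|1
2025-07-29T14:00:00|esxi|ssh_enabled|ops-admin|1
"""

def run_sample():
    events = [parse(line) for line in SAMPLE_LOG.splitlines() if line]
    return detect_reset_to_hypervisor_chain(events)

if __name__ == "__main__":
    for reset, change in run_sample():
        print(f"ALERT: reset of {reset.account} at {reset.ts} followed by {change.action} at {change.ts}")
```

Only the two ESXi changes that follow the privileged reset within the window are flagged; the unprivileged reset and the next-day SSH enablement are not.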
GTIG says the entire attack unfolds quickly, moving from initial access to ransomware deployment in “mere hours”, and it urges companies to harden their security across all areas and to use phishing-resistant MFA.
Via BleepingComputer