Scattered Spider targets ESXi servers in retail, transportation sectors

July 28, 2025



Leveraging calls to IT help desks to gain entry into enterprise networks, the Scattered Spider ransomware group has “leveled-up” to the point where they are now hacking into VMware ESXi servers in targeted attacks on the retail, airline, and transportation industries.

In a July 23 blog post, the Google Threat Intelligence Group (GTIG) said the threat group does not rely on zero-day exploits. Instead, Scattered Spider uses a proven playbook centered on phone calls to an IT help desk.

“The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs,” said GTIG. “Their attacks are not opportunistic, but are precise, campaign-driven operations aimed at an organization’s most critical systems and data.”

Rom Carmel, co-founder and CEO at Apono, said that Scattered Spider isn’t just back: they’ve leveled up.

“This crew has now directly targeted VMware ESXi hypervisors, bypassing endpoint defenses and striking at the infrastructure layer,” said Carmel. “Their latest campaigns against North American retail, airline, and transportation sectors show a shift from account compromise to hypervisor control, using stolen credentials and relentless social engineering.”

Carmel added that because they’re not relying on zero-days, these attacks are even more dangerous in the following ways:

  • There’s no malware required for initial access.
  • The attackers leverage living-off-the-land persistence that blends into legitimate admin activity.
  • They execute backup destruction and root access to hypervisors, ensuring no easy recovery.

“This isn’t smash-and-grab,” said Carmel. “It’s campaign-style cyber sabotage, with ransomware as just the final blow.”

Nivedita Murthy, senior staff consultant at Black Duck, pointed out that there’s been a substantial increase in spear phishing attacks directed towards the help desk teams of organizations.

“Help desk teams in organizations hold the keys to the first few doors of the kingdom based on how it is set up,” said Murthy. “If they don’t run tight controls, malicious attackers can use social engineering tactics to obtain credentials and mount the first stage of attack.”

Murthy added that organizations should train their help desk teams to be on the lookout for signs of a malicious user trying to take advantage of the process and gain access to resources they shouldn’t have. They should also work on configuring SIEMs to read through logs for any unexpected behavior, since EDRs cannot cover all types of devices on the network.
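As an added illustration of the SIEM-side log review Murthy describes (example code written for this page, not from the article, GTIG, or any vendor), the following Python flags interactive root logins to ESXi hosts that arrive from outside an assumed jump-host subnet, and separately flags any one source address that reaches several distinct hypervisors, the campaign-style spread the article describes. The host names, addresses, subnet and log lines are all constructed; the line layout assumes the OpenSSH `Accepted ... for root from ...` format that ESXi's sshd writes to auth.log.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (hostnames, addresses and times are made up
# for this example) in the OpenSSH "Accepted" format found in ESXi auth.log.
SAMPLE_LOG = """\
2025-07-28T09:01:12Z esx01 sshd[2201]: Accepted keyboard-interactive/pam for root from 10.10.5.10 port 50211 ssh2
2025-07-28T09:04:40Z esx01 sshd[2215]: Accepted keyboard-interactive/pam for root from 10.99.7.23 port 41002 ssh2
2025-07-28T09:05:02Z esx02 sshd[1990]: Accepted keyboard-interactive/pam for root from 10.99.7.23 port 41010 ssh2
2025-07-28T09:05:31Z esx03 sshd[2050]: Accepted keyboard-interactive/pam for root from 10.99.7.23 port 41018 ssh2
2025-07-28T09:30:00Z esx02 sshd[2001]: Failed keyboard-interactive/pam for root from 10.99.7.23 port 41100 ssh2
"""

# Assumption: only the admin jump-host subnet may open interactive root shells.
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>[0-9.]+) port \d+"
)

def parse_accepted_logins(text):
    """Return (ts, host, user, src) tuples for successful sshd logins only."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["host"], m["user"], m["src"]))
    return out

def find_suspicious_root_logins(text, admin_nets=ADMIN_NETS):
    """Return (outside, spread): root logins from outside the admin subnet,
    and sources that logged into more than one hypervisor."""
    outside = []
    hosts_by_src = defaultdict(set)
    for ts, host, user, src in parse_accepted_logins(text):
        if user != "root":
            continue
        hosts_by_src[src].add(host)
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in admin_nets):
            outside.append((ts, host, src))
    spread = {src: sorted(h) for src, h in hosts_by_src.items() if len(h) > 1}
    return outside, spread
```

Feeding the SIEM's forwarded ESXi auth.log through these two checks surfaces hypervisor-level activity that endpoint agents never see, which is the gap Murthy points at.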


