- Google warns about Scattered Spider's advanced social engineering tactics
- The hackers gain privileged access and use it to deploy ransomware
- The group is targeting critical infrastructure, retail, airline and other industries
The notorious Scattered Spider ransomware group is using VMware environments to target critical infrastructure organizations in the United States, researchers have warned.
Google Threat Intelligence Group (GTIG) security researchers have found that the criminals are targeting critical infrastructure companies, but also the retail, airline and insurance industries.
The campaign is described as “sophisticated and aggressive”, divided into several stages that last no longer than a few hours, the experts warn.
In search of VCSA
In the campaign, the hackers do not exploit any vulnerabilities, relying instead on “aggressive, creative and particularly skilled” social engineering. They first call their victim’s IT help desk, impersonate an employee and ask for a reset of that employee’s Active Directory password.
After gaining the initial foothold, they scan the network to identify high-value targets, such as domain administrators, VMware vSphere administrators and other security groups that can give them administrator access to the virtual environment.
Then they call the help desk again, this time posing as a more privileged user, and again ask for a password reset – but for an account with higher privileges.
From there, they look to access the VMware vCenter Server Appliance (VCSA), a pre-configured Linux-based virtual machine that provides centralized control over VMware vSphere environments, including the ESXi hypervisor.
This in turn allows them to enable SSH connections on ESXi hosts and reset root passwords.
From this point, it is about identifying and exfiltrating sensitive information in preparation for deploying the encryptor. Locking down the entire network is the last phase of the attack, after which the victims are pressured to pay a ransom demand.
GTIG says the entire attack happens quickly, going from initial access to ransomware deployment in “mere hours,” and warns companies to tighten up their security everywhere and use phishing-resistant MFA.
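The chain described above (help-desk password reset of a privileged account, then SSH enabled and root password changed on ESXi hosts) is a sequence a defender can correlate. The following is an added illustration, not code from the article or from Google's report: a small offline check that flags a privileged reset followed within a short window by hypervisor tampering attributed to the same account. The event records, field names, account names and hostnames are all constructed for the example; real vCenter and ESXi logs have different formats and would need their own parser.

```python
"""
Added example (not from the article or Google's report): correlate a
help-desk password reset of a privileged account with ESXi SSH-enable
or root-password-change events that follow it within a short window.
All event records and field names below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed: accounts the vSphere environment treats as privileged.
PRIVILEGED_ACCOUNTS = {"vsphere-admin", "da-jsmith"}

# Constructed sample events, already normalized to time/source/action/fields.
SAMPLE_EVENTS = [
    {"time": "2025-07-28T09:02:00", "source": "helpdesk", "action": "password_reset",
     "account": "jdoe", "requester": "phone"},
    {"time": "2025-07-28T10:15:00", "source": "helpdesk", "action": "password_reset",
     "account": "vsphere-admin", "requester": "phone"},
    {"time": "2025-07-28T10:41:00", "source": "esxi", "action": "service_start",
     "host": "esx01", "service": "TSM-SSH", "user": "vsphere-admin"},
    {"time": "2025-07-28T10:43:00", "source": "esxi", "action": "password_change",
     "host": "esx01", "target_user": "root", "user": "vsphere-admin"},
    # Next day: outside the correlation window, so it should not be flagged.
    {"time": "2025-07-29T08:00:00", "source": "esxi", "action": "service_start",
     "host": "esx02", "service": "TSM-SSH", "user": "vsphere-admin"},
]

# The article says the whole intrusion takes "mere hours"; a window of a few
# hours after the reset is therefore the interesting period.
WINDOW = timedelta(hours=6)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_hypervisor_tamper(event):
    """ESXi actions the article lists as the attackers' next step."""
    if event["source"] != "esxi":
        return False
    if event["action"] == "service_start" and event.get("service") == "TSM-SSH":
        return True
    if event["action"] == "password_change" and event.get("target_user") == "root":
        return True
    return False


def correlate(events, window=WINDOW):
    """Return one finding per hypervisor-tamper event that follows a privileged
    help-desk reset of the same account within `window`."""
    events = sorted(events, key=_ts)
    resets = [e for e in events
              if e["source"] == "helpdesk" and e["action"] == "password_reset"
              and e["account"] in PRIVILEGED_ACCOUNTS]
    findings = []
    for reset in resets:
        start = _ts(reset)
        for e in events:
            if not is_hypervisor_tamper(e) or e.get("user") != reset["account"]:
                continue
            delta = _ts(e) - start
            if timedelta(0) <= delta <= window:
                findings.append({
                    "account": reset["account"],
                    "reset_at": reset["time"],
                    "host": e["host"],
                    "action": e["action"],
                    "minutes_after_reset": int(delta.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"ALERT {f['account']} reset at {f['reset_at']}: "
              f"{f['action']} on {f['host']} {f['minutes_after_reset']} min later")
```

The unprivileged reset for `jdoe` and the next-day SSH enable on `esx02` are deliberately left unflagged: the first is routine help-desk work, and the second falls outside the window and is where a longer-horizon rule or a separate SSH-enabled alert would take over.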
Via BleepingComputer