Latest news with #ESXi


Axios
08-07-2025
- Business
- Axios
How Scattered Spider hackers are wreaking havoc on corporate America
A persistent hacking crew of young men and teenagers is back with a vengeance, wielding a two-year-old playbook to knock U.S. corporate systems offline.

Why it matters: Scattered Spider hasn't had to evolve much to remain effective — a sign of how little corporate cybersecurity defenses have improved. The group's tactics, including help desk impersonation and SIM swapping, continue to wreak havoc across critical industries.

Driving the news: Over the past month, Scattered Spider has been on a hacking spree that's disrupted operations at retailers, grocery chains, insurance providers, and airlines across the U.S., the U.K. and Canada. Their reach may also now extend into Australia, where Qantas is investigating a cyberattack on one of its call centers — a hallmark tactic of Scattered Spider.

The big picture: Unlike most ransomware gangs, Scattered Spider isn't a monolithic, state-sponsored machine. It's a loose collective, largely made up of teenagers and young men who emerged from online gaming communities like Roblox and Minecraft. "Scattered Spider includes more people in Western countries than other ransomware groups," Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research Center and a former top FBI cyber official, told Axios. But while originally rooted in English-speaking countries, it's evolved into a more global operation, she said.

Breaking it down: The group operates like a business, with a leadership structure, junior associates and temporary roles. Some members' sole job is to call help desks and reset employee passwords. Adam Meyers, SVP of counter adversary operations at CrowdStrike, told Axios the group's origin lies in a toxic subset of gaming culture, where online harassment evolved into SIM swapping and eventually ransomware. Scattered Spider's core includes about four leaders, but its operations are interwoven with members of the broader online community "The Com," which has ties to cybercrime and real-world violence, experts said.

How it works: The group's primary tactic remains voice-based phishing, where they call a company's overseas help desk, impersonate an employee, and reset their single sign-on passwords. They then use SIM swapping to intercept multifactor-authentication codes. In recent incidents, the group has escalated attacks by targeting ESXi hypervisors — systems that power a company's servers and digital operations but often fly under the radar of traditional security tools. Once inside, they deploy ransomware and cripple the server environment. "They're ninjas with identity," Meyers said. "They know how to avoid modern security tools ... and they're incredibly fast — in some cases, there's less than 24 hours between gaining access to deploying ransomware." Meyers added that his team has identified seven unique voices calling help desks in recent months.

Flashback: Scattered Spider first made headlines in 2023 with attacks on Las Vegas casinos, including MGM Resorts and Caesars Entertainment. Two years later, their methods remain largely unchanged. "It's largely the same, frankly," Meyers said. "Once they figure out one organization that they can successfully get into, then they go, 'We're here, who are their peers, who are their competitors, who else is there that we can perhaps go after?'"

Threat level: Scattered Spider is now collaborating with Russian ransomware gangs, including those behind Play, Akira and DragonForce, Kaiser said.

Between the lines: Despite the group's Western presence, law enforcement faces obstacles in tracking them down. Many members are minors, which gives them different legal protections, Meyers said. And if they have any mental health conditions, officials in some countries where the group operates are limited in how long they can hold them and what charges they can pursue. For instance, when authorities arrested members of the Lapsus$ hacking gang — another group involving juvenile offenders — prosecutors struggled to proceed against a 17-year-old despite clear evidence of major corporate breaches. Kaiser noted that identifying every member of Scattered Spider is difficult due to the group's sprawling, decentralized nature.

The intrigue: Still, U.S. officials have made more arrests tied to Scattered Spider than to Russian ransomware crews. In November, five men were charged in connection with the group.

The bottom line: outdated MFA methods like SMS and voice codes.


Forbes
02-07-2025
- Business
- Forbes
Hypervisor Ransomware: Why The C-Suite Can't Ignore MITRE ATT&CK V17
Austin Gadient is CTO & cofounder of Vali Cyber. Vali's product ZeroLock protects hypervisors and Linux systems from cyber attacks.

A significant shift in cybersecurity guidance has emerged—one that leadership should have on their radar. MITRE ATT&CK v17 now formally includes VMware ESXi security, marking the first time hypervisors have been given dedicated attention in this influential framework. This update reframes hypervisor protection as not just a technical responsibility but a business-critical issue. For organizations relying on virtualized infrastructure, hypervisor ransomware protection is now directly tied to operational resilience, regulatory compliance and executive accountability.

Why The Hypervisor Demands Executive Attention

ESXi hypervisors form the core of many enterprise infrastructures, orchestrating virtual machines that power critical applications and house sensitive data. Yet hypervisor security has long been underprioritized—assumed to be out of reach for attackers or implicitly covered by other controls. That assumption no longer holds. MITRE ATT&CK v17 confirms what frontline security teams have seen for years: ESXi is under active attack. With the addition of a dedicated matrix for ESXi-specific tactics, the framework maps how adversaries gain access, move laterally and execute payloads directly at the hypervisor layer. For businesses, this marks a shift: hypervisor vulnerabilities now represent a tangible, auditable risk—one that demands immediate attention and clear mitigation.

From Framework To Liability: What Executives Need To Know

While MITRE ATT&CK isn't a regulatory framework, it has become the de facto blueprint for understanding and defending against modern threats. It guides how security teams prioritize controls, how auditors assess risk and how regulators evaluate preparedness. If your organization can't demonstrate awareness and mitigation of hypervisor security risks, it may be interpreted by auditors or regulators as a lapse in due diligence, particularly following a breach. Key business risks include:

- Operational Downtime: A single compromised hypervisor can disable entire workloads.
- Audit Gaps: Expect increased scrutiny around virtualization and hypervisor controls.
- Response Delays: Many teams lack defined playbooks for hypervisor incident response.
- Regulatory Pressure: Unaddressed ESXi vulnerabilities may be classified as preventable.

Overlooking the hypervisor layer doesn't just introduce technical risk—it exposes the business to disruption, scrutiny and potential liability at the leadership level.

A Strategic Approach To Hypervisor Security

Addressing hypervisor ransomware prevention requires a shift in mindset. Just as endpoint and cloud security have evolved, hypervisor security best practices must now be established and operationalized. Executive leadership should work closely with security teams to ensure that the hypervisor layer is no longer treated as an architectural blind spot. Here are foundational steps organizations should take:

- Implement access controls such as multi-factor authentication and role-based access to protect administrative interfaces.
- Establish lockdown policies to restrict hypervisor-level command execution.
- Deploy virtual patching to mitigate risk from unpatched or zero-day ESXi vulnerabilities.
- Employ runtime security on the hypervisor to monitor for behavioral anomalies.
- Map defenses to MITRE ATT&CK to strengthen security posture and facilitate audits.

These measures not only reduce the risk of a successful attack but also demonstrate that your organization takes hypervisor threats seriously—and that leadership recognizes the shared responsibility across security, infrastructure and governance teams.

Final Thoughts: What's Next

The inclusion of ESXi in MITRE ATT&CK v17 has formally introduced the hypervisor into the risk conversation. For executive leadership, this is the time to challenge outdated assumptions, identify architectural blind spots and develop hypervisor security into the core of your cybersecurity strategy. Overlooking the hypervisor is no longer a technical omission but a strategic vulnerability. As ransomware tactics evolve, the associated risks are no longer theoretical. They are real, measurable and capable of inflicting significant operational and reputational damage.
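One concrete way to verify the "lockdown policies" step above across a fleet is to audit every ESXi host's lockdown mode, interactive shell services and lockdown exception users. This is an added example written with VMware PowerCLI, not code from the article or from Vali Cyber; it assumes PowerCLI is installed and that $VCenter names a vCenter you are authorised to query.

```powershell
# Audit ESXi hosts for lockdown posture (added example, not the article's own code).
# Assumes VMware PowerCLI is installed and $VCenter is a vCenter you may query.
param([Parameter(Mandatory)][string]$VCenter)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost
    $ssh   = $services | Where-Object Key -eq 'TSM-SSH'   # SSH daemon
    $shell = $services | Where-Object Key -eq 'TSM'       # ESXi Shell

    # Lockdown mode is reported as lockdownDisabled / lockdownNormal / lockdownStrict
    $mode = $vmhost.ExtensionData.Config.LockdownMode

    # HostAccessManager exposes the users exempted from lockdown (vSphere 6.0+)
    $ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $exceptions = @($ham.QueryLockdownExceptions())

    # Rank the most serious finding first so the table sorts usefully
    if ($mode -eq 'lockdownDisabled')        { $finding = 'Lockdown disabled' }
    elseif ($ssh.Running -or $shell.Running) { $finding = 'Interactive shell running' }
    elseif ($exceptions.Count -gt 0)         { $finding = 'Review exception users' }
    else                                     { $finding = 'OK' }

    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $mode
        SSHRunning     = $ssh.Running
        ShellRunning   = $shell.Running
        ExceptionUsers = ($exceptions -join ',')
        Finding        = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Hosts reporting anything other than OK are the ones to feed into the incident-response playbook and the ATT&CK mapping the article recommends.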