
The cybercrime group Scattered Spider has intensified attacks targeting VMware ESXi hypervisors across U.S. retail, airline, transportation, and insurance sectors, according to recent threat intelligence reports [1]. The group, linked to DragonForce ransomware operations, combines social engineering with ESXi-specific exploits like CVE-2024-37085 and the bedevil rootkit to disable security controls and encrypt virtualized environments [2].
Attack Chain and Technical Execution
Scattered Spider’s campaign follows a multi-phase approach. Initial access is typically gained through help desk impersonation or MFA fatigue attacks, as documented by Cyberint [1]. Once inside the network, attackers use stolen Active Directory credentials to move laterally, targeting ESXi hosts with a combination of known vulnerabilities and custom tools. The group has been observed exploiting CVE-2024-37085, an authentication bypass in VMware ESXi, to deploy the bedevil rootkit and disable endpoint detection systems [1].
Picus Security’s analysis of DragonForce ransomware attacks reveals specific techniques used against retail targets like Marks & Spencer and Co-op [2]. In these cases, attackers extracted NTDS.dit files for credential harvesting before encrypting ESXi hosts using a ChaCha8 algorithm. The group also employed BYOVD (Bring Your Own Vulnerable Driver) tactics, loading signed malicious drivers like POORTRY to terminate security processes [2].
Defensive Recommendations
Organizations running VMware ESXi should prioritize patching CVE-2024-37085 and restrict SSH access to hypervisors. Cyberint recommends enabling Hypervisor-Protected Code Integrity (HVCI) to block vulnerable driver loading and monitoring for LSASS access attempts [1]. Picus Security’s simulations suggest implementing immutable, air-gapped backups and restricting DCSync rights in Active Directory to limit credential theft [2].
For detection, security teams should look for:
- Unusual AdFind queries in network logs
- Process creation events related to ChaCha8.exe or mimikatz.exe
- SSH connections to ESXi hosts outside maintenance windows
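As an added example (not code from the page or from the cited Cyberint or Picus reports), the following Python script applies the three indicators above, plus a check for the DCSync activity the recommendations section says should be restricted, to a handful of constructed sample log lines. The log line shape, the ESXi host addresses, the maintenance window, and the field names are assumptions for this example; the two DS-Replication extended-right GUIDs are the standard Active Directory values that a DCSync request must be granted.

```python
import re
from datetime import datetime, time

# Constructed sample events for this example (not taken from the page).
# Shape assumed here: "timestamp|source|key=value key=value ...".
SAMPLE_LOGS = [
    "2025-05-06T02:14:09|edr|event=process_create host=WS01 user=j.doe image=C:\\Temp\\ChaCha8.exe parent=cmd.exe",
    "2025-05-06T02:15:30|edr|event=process_create host=WS01 user=j.doe image=C:\\Windows\\Temp\\mimikatz.exe parent=powershell.exe",
    "2025-05-06T09:05:11|edr|event=process_create host=WS02 user=svc_backup image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
    '2025-05-06T02:21:02|edr|event=process_create host=WS01 user=j.doe image=C:\\Temp\\AdFind.exe cmdline="AdFind.exe -f objectcategory=computer"',
    "2025-05-06T03:02:17|fw|event=conn src=10.0.5.23 dst=10.0.9.10 dport=22 proto=tcp",
    "2025-05-06T14:30:00|fw|event=conn src=10.0.1.15 dst=10.0.9.10 dport=22 proto=tcp",
    "2025-05-06T14:31:00|fw|event=conn src=10.0.1.15 dst=10.0.20.5 dport=22 proto=tcp",
    "2025-05-06T03:05:44|dc01|event=4662 user=j.doe object=DC=corp,DC=example properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "2025-05-06T03:06:00|dc01|event=4662 user=DC02$ object=DC=corp,DC=example properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
]

# Environment assumptions (tune to your own inventory and change calendar).
ESXI_HOSTS = {"10.0.9.10", "10.0.9.11"}
MAINTENANCE_WINDOW = (time(13, 0), time(16, 0))  # assumed UTC change window
SUSPICIOUS_IMAGES = {"chacha8.exe", "mimikatz.exe"}
# Well-known AD extended rights: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one sample line into a dict of fields plus parsed timestamp and source."""
    ts, source, body = line.split("|", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Process creation of the named tools, or an AdFind invocation (image or command line)."""
    if ev.get("event") != "process_create":
        return None
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    if image in SUSPICIOUS_IMAGES:
        return ("suspicious_process", ev["host"], image)
    if image == "adfind.exe" or "adfind" in cmd:
        return ("adfind_query", ev["host"], cmd or image)
    return None


def check_esxi_ssh(ev):
    """TCP/22 to a known ESXi host at a time of day outside the maintenance window."""
    if ev.get("event") != "conn" or ev.get("dport") != "22" or ev.get("dst") not in ESXI_HOSTS:
        return None
    start, end = MAINTENANCE_WINDOW
    t = ev["ts"].time()
    if start <= t < end:
        return None
    return ("esxi_ssh_outside_window", ev["dst"], ev["src"])


def check_dcsync(ev):
    """Event 4662 where a non-machine account exercised a replication extended right."""
    if ev.get("event") != "4662":
        return None
    props = set(ev.get("properties", "").split(";"))
    if not props & DCSYNC_GUIDS:
        return None
    if ev["user"].endswith("$"):  # domain controller machine accounts replicate legitimately
        return None
    return ("possible_dcsync", ev["user"], ev["object"])


CHECKS = (check_process, check_esxi_ssh, check_dcsync)


def analyze(lines):
    """Run every check over every line and return the alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                rule, subject, detail = hit
                alerts.append({"rule": rule, "ts": ev["ts"].isoformat(), "subject": subject, "detail": detail})
    return alerts


def count_by_rule(alerts):
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run as a script it prints five alerts from the nine sample lines: two tool executions, one AdFind run, one SSH session to an ESXi host at 03:02, and one replication request by a user account. In production the parse_line step is replaced by whatever the SIEM exports, and the AdFind check should key on command-line switches as well as the image name, since the binary is often renamed.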
Relevance to Security Professionals
This campaign demonstrates the evolving tactics of ransomware groups targeting virtualization infrastructure. The use of ESXi-specific exploits and rootkits like bedevil requires updated detection rules and hardening measures. Security teams should validate controls against the published TTPs, particularly the ChaCha8 encryption method and BYOVD techniques documented in Picus Security’s simulations [2].
Network defenders can use the following YARA rule to detect potential bedevil rootkit components:
rule Bedevil_Rootkit
{
    strings:
        // Indicative strings associated with bedevil rootkit components; validate
        // against real samples and tune before relying on this rule in production
        $s1 = "bedevil_module" nocase
        $s2 = "esxi_hook" nocase
    condition:
        any of them
}
Conclusion
Scattered Spider’s focus on VMware ESXi environments highlights the need for specialized hypervisor security measures. As virtualization becomes more prevalent in enterprise environments, attackers are adapting their tools and techniques accordingly. Organizations should combine prompt patching with strict access controls and behavioral monitoring to detect these attacks in early stages.
References
- [1] “Meet Scattered Spider: The Group Currently Scattering UK Retail Organizations”, Cyberint, May 8, 2025.
- [2] “DragonForce Ransomware Attacks on Retail Giants”, Picus Security, May 5, 2025.