Scattered Spider Malware Attack on Marks & Spencer: VMware ESXi Encryption and AD Compromise

BleepingComputer reports that Marks & Spencer suffered a severe cyberattack due to the Scattered Spider malware, which encrypted their VMware ESXi virtual machines. The attackers also exfiltrated the Active Directory NTDS.dit file, granting them domain admin privileges. The breach likely occurred because vCenter was AD-connected, allowing the attackers to move laterally and encrypt critical systems.

🔗 Source: BleepingComputer Report

You Should Know: Critical Security Measures & Commands

1. Isolate VMware ESXi & vCenter from Internal Networks
    VMware management interfaces should never be reachable from the general corporate network. Use:

– Strict Network Segmentation

 # Example: allow ESXi management (HTTPS) only from a trusted management host, drop everything else
sudo iptables -A INPUT -p tcp --dport 443 -s <TRUSTED_IP> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

– Private Management VLANs

 # On ESXi, restrict the management ruleset to the management subnet instead of disabling it
 # (disabling vSphereClient outright would also cut off vCenter and the host client)
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address <MGMT_SUBNET/CIDR>
 # Optionally block outbound HTTP from the host itself
esxcli network firewall ruleset set --ruleset-id httpClient --enabled false

2. Secure Active Directory (NTDS.dit Protection)

The NTDS.dit file contains password hashes—protect it with:

  • Disable Unnecessary Services
    # Disable SMBv1 (often exploited); on Windows Server use Uninstall-WindowsFeature FS-SMB1 instead
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

  • Enable LSA Protection (blocks credential dumping from LSASS by unsigned code)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f


3. Detect & Mitigate Scattered Spider Malware

  • Check for Suspicious Processes (Linux/Windows)
    # Linux: coarse first pass for unexpected process names; tune the pattern to your environment
    ps aux | grep -E '(crypt|ransom|spider)' | grep -v grep

    # Windows: services whose name contains "crypt" (wildcards are needed, -like "crypt" only matches that exact name)
    Get-CimInstance Win32_Service | Where-Object { $_.Name -like "*crypt*" }


  • Monitor ESXi Logs for Encryption Attempts
    # Watch the ESXi shell history and hostd log (standard paths; /var/log/vmware/esxihost.log does not exist on ESXi)
    tail -f /var/log/shell.log /var/log/hostd.log | grep -iE 'encrypt|vm process kill'
    
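As an added example (not from the original post or from BleepingComputer's report), a small Python detector that parses constructed ESXi /var/log/shell.log lines and flags a burst of VM kill/power-off commands or tampering with the execInstalledOnly setting, the host-side staging that typically precedes datastore encryption; the log line format is assumed.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample of ESXi /var/log/shell.log lines (format assumed: "<ts> shell[<pid>]: [<user>]: <command>").
SAMPLE_SHELL_LOG = """\
2024-04-20T02:11:02Z shell[1049786]: [root]: esxcli vm process list
2024-04-20T02:11:09Z shell[1049786]: [root]: esxcli vm process kill --type=force --world-id=2100334
2024-04-20T02:11:10Z shell[1049786]: [root]: esxcli vm process kill --type=force --world-id=2100401
2024-04-20T02:11:11Z shell[1049786]: [root]: esxcli vm process kill --type=force --world-id=2100517
2024-04-20T02:11:12Z shell[1049786]: [root]: vim-cmd vmsvc/power.off 12
2024-04-20T02:11:40Z shell[1049786]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2024-04-20T09:30:00Z shell[1051200]: [root]: esxcli vm process list
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$')
# Guests must be stopped before their VMDKs can be overwritten, so a burst of these is the key signal.
STOP_PATTERNS = (re.compile(r'^esxcli vm process kill\b'), re.compile(r'^vim-cmd vmsvc/power\.off\b'))
# Turning off execInstalledOnly lets unsigned binaries run on the host.
TAMPER_PATTERNS = (re.compile(r'execInstalledOnly\s+-i\s+0\b'),)


def parse_shell_log(log_text):
    """Parse shell.log text into dicts with ts (datetime), pid, user and cmd; unparseable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({'ts': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ'),
                            'pid': int(m['pid']), 'user': m['user'], 'cmd': m['cmd']})
    return records


def analyze_shell_log(log_text, threshold=3, window_seconds=60):
    """Return alerts: one 'mass_vm_stop' when a burst of >= threshold stop commands lands inside
    window_seconds, plus one 'tamper' per host-control change."""
    alerts = []
    recent = deque()  # timestamps of stop commands inside the sliding window
    for rec in parse_shell_log(log_text):
        if any(p.search(rec['cmd']) for p in TAMPER_PATTERNS):
            alerts.append({'kind': 'tamper', 'ts': rec['ts'], 'user': rec['user'], 'cmd': rec['cmd']})
        if any(p.match(rec['cmd']) for p in STOP_PATTERNS):
            recent.append(rec['ts'])
            while (rec['ts'] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) == threshold:  # fire once when the burst crosses the threshold
                alerts.append({'kind': 'mass_vm_stop', 'ts': rec['ts'], 'user': rec['user'], 'count': threshold})
    return alerts


if __name__ == '__main__':
    for alert in analyze_shell_log(SAMPLE_SHELL_LOG):
        print(alert)
```

Feed it `cat /var/log/shell.log` output from the host, or ship shell.log to a syslog collector and run the same logic there, since a host under encryption may no longer be reachable.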

4. Backup & Disaster Recovery

  • VMware Snapshots Are Not Backups! Use:
    # Export VMs via ovftool (if vCenter is still reachable; the VM must be powered off to export)
    ovftool 'vi://user@vcenter-host/<Datacenter>/vm/<VM-name>' /backup-folder/<VM-name>.ova

  • Windows Server Backup (VSS-based) of all critical volumes
    wbadmin start backup -backupTarget:\\backup-server\share -allCritical -quiet


What Undercode Say

This attack highlights critical failures:

  • Lack of network segmentation (ESXi/vCenter exposed).
  • Overprivileged AD accounts (leading to NTDS.dit theft).
  • No Zero Trust adoption (assumed internal networks are safe).

Expected Commands for Defense:

  • Linux:

    # Check which ESXi management ports answer from this network position (443 = HTTPS, 902 = vSphere/NFC)
    nmap -p 443,902 <ESXi_IP>

    # Capture LDAP/LDAPS traffic to domain controllers for review (AD replication itself uses RPC, not 389/636)
    tcpdump -i eth0 'port 389 or port 636' -w ldap_traffic.pcap


  • Windows:
    # Require NTLMv2 session security with 128-bit encryption for NTLM clients (raises the bar for NTLM downgrade and relay)
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NTLMMinClientSec" -Value 0x20080000 -Type DWord


Expected Output:

A hardened infrastructure where:

  • ESXi/vCenter is isolated.
  • AD backups are encrypted & offline.
  • Lateral movement is restricted via micro-segmentation.

Stay vigilant—assume breach, because convenience kills security.

References:

Reported By: Charlescrampton Bleepingcomputer – Hackers Feeds