Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

VMware

New Linux Variant of Play Ransomware Targeting VMware ESXi Systems

In a recent development, cybersecurity researchers have identified a new Linux variant of the notorious Play ransomware, also known as Balloonfly and PlayCrypt. This variant specifically targets VMware ESXi environments, signaling a strategic expansion by the threat actors behind it. Trend Micro's report published on Friday highlights the potential for a broader victim pool and more effective ransom negotiations as a result of this evolution.

CVE-2024-37079 & CVE-2024-37080: Critical Heap-overflow Remote Code Execution Vulnerabilities in VMware vCenter Server and Cloud Foundation

On June 17, 2024, VMware disclosed two critical vulnerabilities (CVE-2024-37079 & CVE-2024-37080) affecting vCenter Server and Cloud Foundation. These vulnerabilities stem from a heap-overflow issue in the implementation of the DCERPC protocol which can be exploited by remote threat actors. By sending specially crafted network packets, threat actors could exploit CVE-2024-37079 and CVE-2024-37080 to achieve Remote Code Execution (RCE) on both vCenter Server and Cloud Foundation systems.

VMware ESXi Systems with Admin Rights Targeted by New Mallox Ransomware Variant

Novel Attack Vector Uses Custom Shell for Payload Delivery and Execution A fresh variant of the Mallox ransomware has emerged, specifically targeting VMware ESXi environments with administrative privileges. This advanced attack method, discovered by researchers at Trend Micro, demonstrates the evolving sophistication of ransomware tactics. Mallox Ransomware: An Overview Mallox, also known as Fargo and Tohnichi, first emerged in June 2021.

CrowdStrike Falcon Next-Gen SIEM Unveils Advanced Detection of Ransomware Targeting VMware ESXi Environments

CrowdStrike Falcon Next-Gen SIEM, the definitive AI-native platform for detecting, investigating and hunting down threats, enables advanced detection of ransomware targeting VMware ESXi environments. CrowdStrike has observed numerous eCrime actors exploiting ESXi infrastructure to encrypt virtual machine volumes from the hypervisor to deploy ransomware in organizations. Access to ESXi infrastructure typically takes place as part of lateral movement.

How to navigate changes to VMware licensing.

Humans don’t like change. Whether it’s saying goodbye to your favorite pair of jeans, moving to a new house, or trying a new kind of coffee, we often resist change. But sometimes change is forced on us. For example: Over the past month or so, Broadcom rolled out tremendous changes to VMware licensing. This is why many of our customers and partners are wondering what the changes will mean to them.

VMware ESXi Servers: A Major Attack Vector for Ransomware

In our new threat briefing report, Forescout’s Vedere Labs provides details on the recent ransomware campaign targeting VMware ESXi virtualization servers, or hypervisors, and analyzes two payloads used in these attacks: variants of the Royal and Clop ransomware. We also present the tactics, techniques and procedures (TTPs) used by attackers in this campaign, discuss mitigation recommendations and list indicators of compromise (IOCs) that can be used for detection or threat hunting.

Multiple Critical Vulnerabilities in VMware vRealize Log Insight

On Tuesday, January 24th, 2023, VMware disclosed two critical vulnerabilities in VMware vRealize Log Insight that could result in remote code execution (RCE). Although different vulnerability types, both vulnerabilities could allow an unauthenticated threat actor to inject files into the operating system of the vulnerable product which could result in RCE. Both vulnerabilities were responsibly disclosed to VMware and have not been actively exploited in campaigns.

Critical Remote Code Execution Vulnerability in VMware Cloud Foundation NSX-V: CVE-2021-39144

On Tuesday, October 25th 2022, VMware disclosed a critical remote code execution vulnerability (CVE-2021-39144, CVSS 9.8) in VMware Cloud Foundation NSX-V versions 3.x and older. A threat actor could perform remote code execution in the context of ‘root’ on the appliance due to an unauthenticated endpoint that leverages XStream for input serialization.

Lookout Powers VMware Workspace ONE Mobile Threat Defense (MTD)

Lookout and VMware recently announced the debut of Workspace ONE Mobile Threat Defense (MTD), a new mobile security solution incorporating Lookout mobile protection technologies. Through this partnership with VMware, Lookout Mobile Endpoint Security is built in and can be activated seamlessly within Workspace ONE. This new solution is an extension of past integrations of Lookout with the Workspace ONE Trust Network.