Linux version of RansomHub ransomware targets VMware ESXi VMs
The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. [...]
VMware provides virtualization and cloud infrastructure software; flaws or misconfigurations can expose hosts, workloads, credentials, and management systems.
Search across headline titles and summaries.
Background for this topic.
VMware is a virtualization platform that runs multiple virtual machines on shared physical servers. Its ESXi hypervisor provides the underlying isolation, while vCenter Server centrally manages hosts, virtual machines, networks, and storage. Because these components operate beneath or across many workloads, compromise of a host or management account can expose multiple systems; virtual-machine isolation reduces risk but is not an absolute security boundary.
Security teams should treat ESXi hosts and management services as privileged infrastructure: restrict management interfaces, separate administrative networks, enforce strong authentication and role-based access, monitor administrative actions, and promptly assess security advisories and patches. Vulnerabilities in the hypervisor, management plane, or virtual networking and storage layers can enable unauthorized access, guest-to-host escape, or service disruption, depending on the flaw and configuration. Incident investigations should also account for host and vCenter logs, snapshots, templates, and backups, which can contain sensitive data or retained credentials.
The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. [...]
A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named 'Reptile' and 'Medusa' to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement. [...]
UNC3886 Targeted Edge Devices for Persistence, Mandiant SaysA suspected Chinese hacking group used open-source rootkits to ensure persistence on compromised edge devices such as VMware ESXi servers for espionage campaigns, Google Mandiant said. The hacking group, which Mandiant tracks as UNC3886, is likely a Chinese threat group hacking for Beijing.
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments
A trio of bugs could allow hackers to escalate privileges and remotely execute code on virtual machines deployed across cloud environments.
VMware has issued a security advisory addressing critical vulnerabilities in vCenter Server, including remote code execution and local privilege escalation flaws. [...]
VMware has disclosed critical vulnerabilities impacting its VMware vSphere and VMware Cloud Foundation products, with patches available for customers
VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution
Specially crafted network packet could allow remote code execution and access to VM fleets VMware by Broadcom has revealed a pair of critical-rated flaws in vCenter Server – the tool used to manage virtual machines and hosts in its flagship Cloud Foundation and vSphere suites.…