All news with #vmware tag

Chinese Threat Actors Backdoor VMware vSphere Servers

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.

China-Linked Warp Panda Espionage Targets North America

🛡️ CrowdStrike has attributed a sophisticated cyber‑espionage campaign to a China-linked group dubbed Warp Panda, which has targeted North American legal, technology and manufacturing firms to support PRC intelligence priorities. The actor employed BRICKSTORM implants and Golang-based tools to persist on VMware vSphere infrastructures, including vCenter and ESXi hosts. CISA’s advisory corroborates long-term access and vCenter exploitation.

CISA: PRC-linked BRICKSTORM Backdoor Targets vSphere

🔒 CISA on Thursday released details of a Golang backdoor named BRICKSTORM used by PRC-linked actors to maintain long-term stealthy access to VMware vSphere and Windows systems. The implant provides interactive shell access, file management, SOCKS proxying, and multiple C2 channels including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS to conceal communications and blend with normal traffic. CISA and private-sector researchers tied deployments to clusters tracked as UNC5221 and to CrowdStrike’s Warp Panda, noting self-reinstating persistence, VSOCK support for inter-VM operations, and use in attacks against government, IT, legal, and technology targets.

CISA Alerts on BrickStorm Backdoors in VMware vSphere

🔒 CISA warns that Chinese threat actors have used Brickstorm malware to backdoor VMware vSphere servers, creating hidden rogue virtual machines and exfiltrating cloned VM snapshots to harvest credentials. A joint analysis with the NSA and Canada's Cyber Security Centre examined eight samples and documents layered evasion including nested TLS, WebSockets, SOCKS proxying and DNS-over-HTTPS. CISA provides YARA and Sigma rules, advises blocking unauthorized DoH providers, inventorying edge devices, segmenting DMZ-to-internal traffic, and reporting detections as required.

BRICKSTORM Backdoor Targets VMware vSphere and Windows

🛡️ CISA, NSA, and the Canadian Centre for Cyber Security report that PRC state-sponsored actors deployed the BRICKSTORM backdoor to gain long-term persistence on VMware vSphere (vCenter/ESXi) and Windows hosts. The analysis of eight samples includes YARA and Sigma detection content plus scanning guidance for vCenter filesystems and SIEMs. Organizations should apply the provided IOCs and detection signatures, hunt for modified init scripts, DoH resolver requests, and hidden API endpoints, and report any findings immediately.

PRC State-Sponsored Actors Use BRICKSTORM Malware Campaigns

🔒 CISA warns that PRC state-sponsored actors are deploying the BRICKSTORM backdoor to maintain stealthy, long-term access on VMware vSphere and Windows hosts. The malware leverages nested TLS/WebSockets, DNS-over-HTTPS, and a SOCKS proxy for encrypted C2, lateral movement, and tunneling, and implements a self‑healing persistence mechanism. CISA urges defenders to hunt with provided YARA/Sigma rules, block unauthorized DoH, inventory edge devices, and enforce DMZ segmentation.

AWS Transform adds agentic AI for VMware migrations

🚀 AWS Transform adds agentic AI capabilities to automate enterprise-scale VMware migrations, collaborating with migration teams to plan and move hundreds of applications and thousands of servers. The agent discovers on-prem environments using built-in discovery, third-party inventories, and unstructured data, maps dependencies, and generates prioritized migration waves. It also produces network designs, IP management options, multi-account deployment configurations, and supports diverse sources and targets while providing iterative progress updates and approval-ready reports.

AWS Transform auto-generates Landing Zone network YAML

☁️ AWS Transform for VMware can now automatically convert VMware network environments into Landing Zone Accelerator (LZA)-compatible YAML network configurations that can be directly imported and deployed via LZA. Building on existing IaC output formats such as CloudFormation, AWS CDK, and Terraform, this capability reduces manual re-creation of network settings, lowers the risk of configuration errors, and accelerates migration timelines while aligning deployments with enterprise security and compliance standards.

AWS Transform Generates LZA Network Configurations

🔁 AWS now enables AWS Transform for VMware to automatically generate network configuration YAML files that are directly compatible with the Landing Zone Accelerator on AWS (LZA). Building on Transform’s existing infrastructure-as-code outputs for AWS CloudFormation, AWS CDK, and Terraform, the capability converts VMware network environments into LZA-ready YAML that can be imported into LZA’s deployment pipeline. The feature is available in all AWS Transform target Regions and is intended to reduce manual effort and deployment time while improving consistency across multi-account environments.

Amazon EVS Expanded to Mumbai, Sydney, Canada, Paris

🚀 Amazon has expanded Amazon Elastic VMware Service (EVS) to all availability zones in Asia Pacific (Mumbai), Asia Pacific (Sydney), Canada (Central), and Europe (Paris). EVS runs VMware Cloud Foundation on EC2 bare‑metal instances powered by AWS Nitro, and can be deployed via a step‑by‑step workflow or the AWS CLI in hours. The expansion delivers lower latency, improved data‑residency options, and additional resiliency and high‑availability choices for VMware workloads.

CISA Flags VMware Tools Zero-Day in KEV Catalog; Exploited

🛡️ CISA has added the high-severity flaw CVE-2025-41244, impacting Broadcom VMware Tools and VMware Aria Operations, to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The bug (CVSS 7.8) allows a malicious local, non-administrative user with VM access and SDMP enabled to escalate privileges to root on the same VM. Broadcom-owned VMware released a patch last month, but NVISO Labs says the zero-day was exploited in the wild since mid-October 2024 and attributes activity to a China-linked actor tracked as UNC5174. Federal civilian agencies must implement mitigations by November 20, 2025.

CISA orders federal patch for VMware Tools privilege bug

⚠️ CISA has ordered Federal Civilian Executive Branch agencies to remediate a high-severity vulnerability in Broadcom's VMware Aria Operations and VMware Tools (CVE-2025-41244), patched by Broadcom in October 2024. The flaw enables a local, non-administrative user on a VM to escalate privileges to root when Aria Operations’ SDMP is enabled or when VMware Tools runs in credential-less mode. Agencies must patch within three weeks under BOD 22-01; CISA also urges all organizations to prioritize mitigations or discontinue affected products if no fix is available.

CISA Adds Two CVEs to Known Exploited Vulnerabilities

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-24893 (XWiki Platform eval injection) and CVE-2025-41244 (Broadcom VMware Aria Operations and VMware Tools privilege-defined unsafe actions). Evidence indicates active exploitation and substantial risk to the federal enterprise. Under BOD 22-01, affected FCEB agencies must remediate by required due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.

LockBit Resurges with New Variant and Fresh Victims

🛡️ LockBit has reemerged after a disruption in early 2024 and is actively extorting new victims. Check Point Research identified roughly a dozen organizations hit in September 2025, and about half of those incidents involved the new LockBit 5.0 variant, labeled ChuongDong. The group is deploying attacks across Windows, Linux and ESXi environments in Europe, the Americas and Asia. Check Point Harmony Endpoint and Quantum customers are protected via Threat Emulation, which can block these attacks before encryption occurs.

VMware Certification and VMUG Advantage: Career Power Move

🔑 VMware certification is presented as a repeatable framework for mastering complex infrastructure and advancing careers, and VMUG Advantage is offered as an accelerator for that journey. The piece, authored by VMUG leadership, highlights survey data from Pearson VUE showing certification-driven promotions and confidence gains. It outlines tangible member benefits—discounts on training and exams, personal-use licenses, on-demand labs, and global community mentorship—and positions certification as a strategic investment for individuals and teams seeking secure, scalable IT practices.

How VMware Certification Helped Advance a Tech Career

🎓Certification gave Matt Heldstab a clear framework and the confidence to tackle complex virtualization and multi-cloud challenges. Preparing for VCP certifications and VMware Cloud Foundation exams taught him architecture best practices, troubleshooting patterns, and how to communicate effectively with leadership. Hands-on lab work and community engagement—especially through VMUG—accelerated his development and enabled him to lead projects and speak publicly. He frames certification as a mindset shift from reactive operator to strategic architect.

Threat actors abusing Velociraptor in ransomware attacks

⚠️Researchers have observed threat actors leveraging the open-source DFIR tool Velociraptor to maintain persistent remote access and deploy ransomware families including LockBit and Babuk. Cisco Talos links the campaigns to a China-based group tracked as Storm-2603 and notes use of an outdated Velociraptor build vulnerable to CVE-2025-6264. Attackers synchronized local admin accounts to Entra ID, accessed vSphere consoles, disabled Defender via AD GPOs, and used fileless PowerShell encryptors with per-run AES keys and staged exfiltration prior to encryption.

Broadcom Patches VMware NSX and vCenter Vulnerabilities

🔒 Broadcom has released security updates for VMware vCenter and NSX addressing multiple high-severity vulnerabilities, including CVE-2025-41250, CVE-2025-41251 and CVE-2025-41252. The most serious, an SMTP header injection in vCenter (CVSSv3 8.5), allows non-administrative users to tamper with scheduled email notifications and has no available workaround. Two NSX flaws permit unauthenticated username enumeration, which can facilitate brute-force or credential-stuffing attacks. Administrators are urged to apply the fixed versions immediately.

VMware flaws allow username enumeration, patches released

🛡️ Three important vulnerabilities were disclosed in VMware products, including two in NSX that allow unauthenticated username enumeration and one in vCenter that permits SMTP header manipulation by authenticated non‑admin users with scheduled task privileges. The U.S. National Security Agency discovered two of the issues and all three are rated Important. VMware has released patches to address the flaws. Organizations are urged to apply updates immediately, avoid exposing vCenter to the internet, enforce multi‑factor authentication, change default credentials, and deploy layered protections such as web application firewalls and brute‑force detection controls.

Chinese Hackers Exploited VMware Zero-Day Since Oct 2024

🔒 Broadcom issued patches for a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools that has been actively exploited since October 2024. European firm NVISO linked the in-the-wild abuse to the China-aligned group UNC5174 and published a proof-of-concept for CVE-2025-41244. The flaw allows an unprivileged local attacker to stage a malicious binary (commonly in /tmp/httpd), have it discovered by VMware service discovery, and escalate to root-level execution on vulnerable VMs.