All news with #vmware tag

LockBit 5.0 Emerges as Most Dangerous Ransomware Variant

🔒 Trend Micro has identified a new LockBit variant, LockBit 5.0, which it calls significantly more dangerous than prior releases and has observed in the wild. The vendor confirmed Windows, Linux, and ESXi binaries featuring faster encryption, removal of infection markers, randomized 16-character extensions and enhanced evasion. The Windows build includes a cleaner affiliate UI with detailed execution options, while the ESXi variant represents a critical escalation by enabling encryption of multiple virtual machines from a single payload. Researchers note substantial code reuse from 4.0, suggesting an evolutionary update rather than a rebrand.

Chinese Group Uses BRICKSTORM Backdoor Against US Firms

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

Chinese Backdoor Grants Year-Long Access to US Firms

🔐 Chinese state-linked actors deployed a custom Linux/BSD backdoor called BRICKSTORM on network edge appliances to maintain persistent access into U.S. legal, technology, SaaS and outsourcing firms. These implants averaged 393 days of undetected dwell time and were used to pivot to VMware vCenter/ESXi hosts, Windows systems, and Microsoft 365 mailboxes. Mandiant and Google TAG attribute the activity to UNC5221 and have released a scanner and hunting guidance to locate affected appliances.

UNC5221 Deploys BRICKSTORM Backdoor Against US Targets

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.

Brickstorm: Long-term Go-based Backdoor Targets US Orgs

🔒 Google researchers report suspected China-linked operators used a Go-based backdoor named Brickstorm to persistently exfiltrate data from U.S. technology, legal, SaaS and BPO organizations, with an average dwell time of 393 days. Brickstorm operated as a web server, file dropper, SOCKS relay and remote command executor while masquerading traffic as legitimate cloud services and targeting edge appliances that often lack EDR. GTIG attributes the activity to UNC5221, a cluster linked to Ivanti zero-day exploitation and custom tools like Spawnant and Zipline. Mandiant published a scanner with YARA rules but cautioned it may not detect all variants or persistence mechanisms.

BRICKSTORM espionage campaign targeting appliances in US

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

Team-wide VMware Certification: Boost Security and Retention

🔐 Team-wide VMware certification acts as a force multiplier for security, operations, and talent retention. Certified teams share a common language around architecture, reduce misconfigurations, and respond to incidents faster. Expertise in vSphere, NSX, vSAN, and cloud foundations teaches not just deployment but secure, scalable configuration. Programs like VMUG Advantage make broad certification practical with labs, exam vouchers, and personal-use licenses.

AWS Transform for VMware Adds IP Range Flexibility

🔁 AWS Transform for VMware now supports VPC CIDR range modifications to prevent IP conflicts during migrations. The service automatically updates all associated resources — including subnets, security groups, routing tables, and target instances — when you change VPC CIDRs. You can preserve source IPs, apply adjusted addresses aligned to new VPC CIDRs, or choose DHCP-based assignment. Agentic AI automation speeds discovery, planning, and migration workflows and the feature is available in additional regions including US East (Ohio), Europe (Stockholm), and Europe (Ireland).