Hackers Exploiting VMware ESXi Instances In The Wild Using Zero-day Exploit Toolkit

Hackers are exploiting VMware ESXi instances in the wild with a zero-day exploit toolkit that chains multiple vulnerabilities for VM escapes. Cybersecurity firm Huntress disrupted one such attack, attributing initial access to a compromised SonicWall VPN.

Threat actors gained a foothold via SonicWall VPN, then used a compromised Domain Admin account for lateral movement to backup and primary domain controllers.

On the primary DC, they deployed reconnaissance tools like Advanced Port Scanner and ShareFinder, staged data with WinRAR, and altered Windows firewall rules to block external outbound traffic while allowing internal lateral movement.

Approximately 20 minutes after toolkit deployment, they executed the ESXi exploit, which Huntress stopped before ransomware deployment.

VMware ESXi Instances Exploit Toolkit

The toolkit, dubbed MAESTRO by Huntress, orchestrates disabling VMware VMCI drivers with devcon.exe, loading an unsigned…

Facebook
Twitter
Pinterest
LinkedIn
Digg
Tumblr
Reddit
Buffer
Blogger
Newsvine
HackerNews
Flipboard
Share
LiveJournal
Yammer
Mix
Instapaper
Copy Link
Mastodon

VMware ESXi Instances Exploit Toolkit

Related Posts