Episode Overview
Episode Title: How vSphere Became a Target for Adversaries
Podcast: The Defender’s Advantage Podcast (Mandiant)
Date: September 15, 2025
Host: Luke McNamara (Mandiant / Google Threat Intelligence Group)
Guest: Stuart Carrera (Senior Consultant, Manneck Consulting)
Main Theme:
This episode explores why and how VMware vSphere environments, particularly ESXi hypervisors, have become high-value targets for ransomware operators and espionage-focused adversaries. The conversation covers how VMware’s technology underpins critical infrastructure, the attack surface it presents, notable adversary tradecraft, and practical defensive hardening recommendations.
Key Discussion Points and Insights
1. The Pervasiveness and Critical Role of VMware vSphere
- Background on VMware’s role
- Most enterprise data centers rely on VMware vSphere for virtualization.
- It enables organizations to run many virtual machines (VMs) efficiently, replacing racks of physical servers.
- Quote:
"To add a VM for like a new business part would just, you know, it was, it was very easy to provision it and that kind of exploded." — Stuart Carrera [01:56]
- VMware as 'Tier Zero'
- vSphere manages core services: AD, SIEM, backup, privilege access management, etc.
- Disruption or compromise impacts the entire on-prem infrastructure.
2. Why VMware is Attractive to Threat Actors
- Lack of Detection and EDR Coverage
- Unlike Windows endpoints, VMware’s control plane (VirtualCenter) and ESXi hosts cannot run traditional endpoint detection and response (EDR) solutions or antivirus, creating a “blind spot.”
"Both ESXi and the virtual center are kind of a blind spot for a lot of organizations." — Stuart [06:26]
- Criticality and Centralization
- Compromising vSphere often gives an attacker rapid control over numerous business-critical systems.
- Portability of VMs (as files) enables fast ransomware deployment and data theft.
- Speed: These attacks unfold in hours rather than days or weeks, a notable departure from historic ransomware dwell times.
"Typically speaking, we often see kind of dwell times in typical like Windows type ransomware environments of days, weeks, sometimes even months. What we're specifically seeing with threat actors targeting VMware environments... once they're in, the ability to deploy ransomware is, you know, it's quite easy." — Stuart [10:51]
3. Attack Vectors and Common Adversary Tradecraft
- Common Entry Points
- External exploitation (firewall vulnerabilities, spearphishing, stolen credentials).
- Identity compromise, especially accounts linked to VMware admin groups in Active Directory.
"They will come in through perhaps a firewall vulnerability. They will then look to use that account that... has been compromised to then search for a VMware listed account..." — Stuart [16:34]
- Abuse of Identity and Privilege
- Attackers often don’t need “full” privileges; even basic admin roles can be abused for disruptive actions.
"You don't even need a privileged account... a threat actor could basically use that privilege to perform data exfiltration." — Stuart [14:17]
- Backdoors and Persistence
- Recent trend: adversaries installing persistent backdoors on Virtual Center itself.
- Targeting “tier zero” VMs (e.g., Active Directory) for data extraction (e.g., copying VM disks and extracting credential databases).
"We're seeing threat actors actually pivoting slightly and installing kind of backdoors into virtual center appliances and then also... looking for perhaps virtual machines that are kind of tier zero." — Stuart [14:17]
- Ransomware Deployment Techniques
- Enable SSH on ESXi, transfer and deploy scripts to encrypt VM files after shutting down VMs.
- "They would look to terminate the virtual machines before applying the ransomware... the first instance that an organization will see... something wrong because they would see en masse a large amount of virtual machines being rebooted." — Stuart [16:34]
4. Stealth and Dwell Time
- Stealth over Traditional Methods
- Limited logging and lack of EDR means attackers can operate undetected for longer.
- Detection usually happens only after major disruption (e.g., mass VM shutdowns).
- Compare to GPO weaponization or wiper malware: VMware-focused attacks are even quieter.
"So they're undetected and they have complete control over the underlying infrastructure... the ransomware, it can be executed... it's a matter of hours. And this is really what cripples a lot of organizations..." — Stuart [19:51]
- Impact on Recovery
- Most backup appliances are also VMs—if ransomware hits, recovery is extremely difficult as data and infrastructure are encrypted together.
5. Differences: Espionage vs Extortion Tradecraft
- Ransomware/Extortion
- Quick, overt, focused on maximizing disruption for payment leverage.
- Espionage/APT Operations
- Example: Chinese APTs sometimes deploy stealthy persistent VM-based malware (e.g., Brickstorm), or create “ghost VMs”—VMs invisible to normal management that act as long-term implants.
"They would deploy malware on the Virtual center server... they're looking for kind of persistence over a long period of time." — Stuart [22:44]
- Future Evolution
- Prediction: More sophisticated persistence tradecraft, VM-to-hypervisor breakout, exploitation of zero-days, and custom malware.
6. Hardening and Defense Recommendations
Strategic Steps
- Recognize VMware as Tier Zero
- Treat it as critical infrastructure in risk models.
- Audit and Asset Inventory
- Map VMware deployments, roles, and administrative connections (especially to AD).
- Minimize Attack Surface
- Remove unnecessary Active Directory bindings (e.g., ESXi doesn't need to join AD).
- Centralize through VirtualCenter; restrict direct host management.
- Modern Authentication
- Use phishing-resistant MFA (e.g., FIDO2, Azure Entra) for all privileged access.
- Conditional access policies for context-aware controls.
- Logging and Detection Engineering
- Develop detection playbooks for anomalous activity (e.g., new logins, SSH enablement, suspicious snapshots)—correlate identity and platform logs.
- "You really want to be dealing with alerts that perhaps there's been kind of an anomalous logon at a specific time or there's been an enablement of SSH on a host..." — Stuart [32:40]
- Technical Controls for Hosts
- Apply lockdown mode on all ESXi hosts, prevent SSH access, enable “exec installed only” flag.
- Use TPM and secure boot for host integrity.
- Version Management and Upgrades
- Many are still on vSphere 7 (end-of-life upcoming)—upgrade to vSphere 8 is both a security uplift and an opportunity for a holistic posture review.
"A lot of organizations will be on vSphere 7 and it's actually becoming end of life... When you upgrade... use it as kind of an inflection point..." — Stuart [31:32]
- Encryption
- Use VM-level encryption where possible to prevent offline copying and theft of VMDK files.
"You can use VMware encryption. It's impossible to copy the VMDK from one virtual machine to another if the VM is encrypted." — Stuart [34:01]
- Use security baselines and benchmarks
- Reference CIS Benchmarks and VMware Technical Security Guides.
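The alerts named under Logging and Detection Engineering (SSH enablement on a host, then virtual machines going down en masse) can be written as one small correlation rule. The sketch below is an added example, not code from the episode or from Mandiant; the normalized event tuple, the thresholds and the sample events are constructed assumptions, and the event type strings should be confirmed against what your own log pipeline emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event type strings as vSphere names them; confirm against your own log pipeline.
SSH_ENABLED = "esx.audit.ssh.enabled"
VM_POWERED_OFF = "VmPoweredOffEvent"

# Constructed sample events: (time, host, user, event type, VM name).
SAMPLE_EVENTS = [
    ("2025-09-01T02:10:05", "esx01", "svc-backup", VM_POWERED_OFF, "backup-proxy"),
    ("2025-09-01T03:41:12", "esx02", "vmadmin", SSH_ENABLED, ""),
    ("2025-09-01T03:44:30", "esx02", "vmadmin", VM_POWERED_OFF, "dc01"),
    ("2025-09-01T03:44:41", "esx02", "vmadmin", VM_POWERED_OFF, "siem01"),
    ("2025-09-01T03:44:55", "esx02", "vmadmin", VM_POWERED_OFF, "pam01"),
    ("2025-09-01T03:45:10", "esx02", "vmadmin", VM_POWERED_OFF, "backup01"),
]

def detect(events, burst_size=3, window=timedelta(minutes=10)):
    """Return (severity, host, message) alerts for SSH enablement and power-off bursts."""
    alerts = []
    ssh_seen = {}               # host -> time SSH was last enabled
    offs = defaultdict(list)    # host -> power-off times still inside the window
    burst_open = set()          # hosts whose current burst was already reported
    for ts, host, user, etype, _vm in sorted(events):
        when = datetime.fromisoformat(ts)
        if etype == SSH_ENABLED:
            ssh_seen[host] = when
            alerts.append(("medium", host, f"SSH enabled by {user}"))
        elif etype == VM_POWERED_OFF:
            recent = [t for t in offs[host] if when - t <= window] + [when]
            offs[host] = recent
            if len(recent) < burst_size:
                burst_open.discard(host)    # burst over, allow a new alert later
            elif host not in burst_open:
                burst_open.add(host)
                # A burst shortly after SSH enablement matches the flow in the episode.
                after_ssh = host in ssh_seen and when - ssh_seen[host] <= window
                sev = "critical" if after_ssh else "high"
                alerts.append((sev, host, f"{len(recent)} VMs powered off within {window}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A single scheduled power-off, like the one on `esx01`, stays below the burst threshold and raises nothing, which keeps the rule usable alongside normal maintenance.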
Approach
- Phased “Crawl, Walk, Run” Strategy
- Start with risk assessment, implement basic controls, integrate logging, then evolve toward advanced threat modeling and bespoke detections.
Notable Quotes & Memorable Moments
- On the ease of attack:
"These TAs, they can get in, they can do this and they can move on to the next one. It’s easy work. If they can compromise a VMware infrastructure, definitely." — Stuart [21:50]
- Speed & impact:
"It's a matter of hours. And this is really what cripples a lot of organizations because typically they'd have AD as VMs. Their privileged access workstations are VMs. The SIEM is VMs. You know, everything's a virtual machine. So essentially what happens is it's complete infrastructure meltdown." — Stuart [19:51]
- Visibility challenge:
"From our experience... there doesn't seem to be that level of detection engineering or logging. So it's definitely a blind spot." — Stuart [06:26]
Timeline of Key Segments
| Timestamp | Topic/Segment |
|-----------|---------------|
| 00:02 | Threat actors’ attack flow: targeting VMware creds, exploiting weaknesses |
| 01:56 | Stuart’s background and the critical role of virtualization in enterprise IT |
| 03:50 | Discussion on VMware workload advantages and why orgs use it |
| 06:26 | Why VMware is a “blind spot” for security teams and a desirable target |
| 10:51 | “Perfect storm” – why targeting increased: ease, AD integration, attack velocity |
| 14:17 | Abuse of non-privileged accounts & new tactics: data exfiltration via snapshots |
| 16:34 | Attack step-by-step: initial access > privilege escalation > VirtualCenter compromise > ransomware deployment |
| 19:51 | Stealth vs. Windows ransomware; catastrophic impact and recovery challenges |
| 22:44 | Comparison: espionage TTPs (ghost VMs, backdoors) vs. fast extortion attacks |
| 25:45 | Strategic recommendations: risk-based, asset discovery, modern auth, minimizing attack surface |
| 31:32 | Technical controls: version upgrades, host lockdown, VM encryption |
| 33:39 | Phased, crawl-walk-run approach to improving security posture |
| 36:37 | Future outlook and predictions on the evolving threat landscape |
Closing Thoughts
- Expect escalation:
"I would say that this is just a start, if I'm being honest... if it's effective and it works, they will use it. And I think it's just... the key thing for me is [to] treat the whole environment as tier zero. Understand the risk and... implement those controls because unfortunately, you know, I can only see this getting a lot worse." — Stuart [36:37]
- Opportunity for improvement:
- Migration to vSphere 8 and lessons from recent incidents offer a unique chance for organizations to reassess, modernize, and harden their virtual infrastructure.
Further Resources
- Reference: Mandiant's blogs (linked in show notes), CIS Benchmarks, VMware Security Hardening Guides.
- Strong encouragement to begin with assessment, leverage phased controls, and treat VMware vSphere as critical-tier infrastructure.
Summary prepared for listeners seeking in-depth, actionable understanding of vSphere threats, attack trends, and practical defensive guidance—distilling insights straight from practitioners at the incident response and infrastructure security frontline.
