home.social

#vmci — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #vmci, aggregated by home.social.

  1. 🎯 Threat Intelligence
    ===================

    Executive summary: Huntress observed a targeted intrusion in December 2025 that culminated in deployment of an ESXi VM-escape exploit toolkit. Initial access is assessed with high confidence to have occurred via a compromised SonicWall VPN. The toolkit contains Simplified Chinese development paths and appears to support a wide range of ESXi builds.

    Technical details:
    • Toolkit coverage: supports 155 ESXi builds spanning VMware ESXi versions 5.1 through 8.0.
    • Evidence of development artifacts: folder named "全版本逃逸--交付" indicating Chinese-language development paths.
    • Observed techniques: disabling VMCI devices/drivers via devcon entries, loading unsigned kernel driver via Kernel Driver Utility (KDU), staging data with WinRAR, lateral movement using a compromised Domain Admin account and RDP, reconnaissance with Advanced Port Scanner and SoftPerfect Network Scanner, and share enumeration with ShareFinder.
    • Notable artifacts: attempted DA password change via Impacket that was blocked by managed Microsoft Defender for Endpoint.

    Attack Chain Analysis:
    • Initial Access: probable SonicWall VPN compromise (valid account use).
    • Lateral Movement: use of compromised Domain Admin credentials and RDP to pivot to backup and primary domain controllers (T1078, T1021.001).
    • Execution/Privilege Actions: disabling VMCI devices and loading an unsigned exploit driver using KDU to achieve VM escape.
    • Staging/Exfiltration: archiving data with WinRAR for exfiltration (archive via compression observed).

    Detection guidance:
    • Monitor ESXi hosts directly for unexpected processes and open files; Huntress flagged use of lsof -a on hosts as an investigative step.
    • Inspect for loading of known vulnerable or unsigned drivers and for devcon-driven device state changes on Windows hosts.
    • Note that VSOCK traffic between VMs and the hypervisor is typically invisible to network perimeter controls; host-level visibility is required.

    Impact and limitations:
    • Impact: a successful VM escape against ESXi can compromise all workloads on a host and enable large-scale data theft or ransomware.
    • Limitations: the toolkit targets specific ESXi builds; end-of-life versions may have no available fixes.

    References and indicators:
    • Observed tooling: Advanced_Port_Scanner_2.5.3869.exe, netscan.exe (SoftPerfect), ShareFinder, devcon, kdu, WinRAR.

    🔹 #vmware #esxi #kdu #vmci #huntress

    🔗 Source: huntress.com/blog/esxi-vm-esca
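As an added defender-side example that is not part of the post or of Huntress's report, the following Python script applies the two Windows-host checks from the detection guidance above (devcon-driven VMCI device state changes and unsigned driver loads, plus use of the KDU loader) to constructed Sysmon-style events. The sample events, the KDU command line and the VMCI PCI hardware ID are assumptions, not observed telemetry.

```python
"""Host-level detection sketch for the indicators discussed above.
Events are constructed in a Sysmon-like shape (EventID 1 = process
creation, EventID 6 = driver loaded); they are not real telemetry."""
import re

# Constructed sample events (assumption: field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": "C:\\Temp\\devcon.exe",
     # Assumption: VEN_15AD&DEV_0740 is the VMware VMCI bus device ID.
     "CommandLine": "devcon.exe disable \"PCI\\VEN_15AD&DEV_0740\""},
    {"EventID": 1, "Image": "C:\\Temp\\devcon.exe",
     "CommandLine": "devcon.exe disable *vmci*"},
    {"EventID": 1, "Image": "C:\\Temp\\kdu.exe",
     "CommandLine": "kdu.exe -map C:\\Temp\\drv.sys"},  # constructed command line
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\vmci.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": "C:\\Temp\\drv.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

DEVICE_TOOLS = {"devcon.exe", "pnputil.exe"}          # device-state tooling
STATE_CHANGE = re.compile(r"\b(disable|remove|restart)\b", re.I)
VMCI_HINT = re.compile(r"vmci|VEN_15AD&DEV_0740", re.I)  # name or assumed HW ID
KNOWN_LOADERS = {"kdu.exe"}                            # unsigned-driver loader


def detect(events):
    """Return (category, detail) findings for the host-level indicators."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "")
            if image in DEVICE_TOOLS and STATE_CHANGE.search(cmd) and VMCI_HINT.search(cmd):
                findings.append(("vmci_device_state_change", cmd))
            elif image in KNOWN_LOADERS:
                findings.append(("driver_loader_tool", cmd))
        elif ev.get("EventID") == 6:
            # Any driver that is not signed with a valid signature is suspect.
            if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
                findings.append(("unsigned_driver_load", ev.get("ImageLoaded", "")))
    return findings


if __name__ == "__main__":
    for category, detail in detect(SAMPLE_EVENTS):
        print(f"{category}: {detail}")
```

On a real host the same logic would be fed from the Sysmon operational log rather than the inline list; the signed vmci.sys load is included to show that the rule does not fire on legitimate VMCI driver activity.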