UNC3944 Attacking VMware vSphere and Enabling SSH on ESXi Hosts to Reset 'root' Passwords

UNC3944, a financially driven threat group associated with “0ktapus,” “Octo Tempest,” and “Scattered Spider,” launched a sophisticated campaign that combined social engineering with hypervisor-level attacks against VMware vSphere environments in the retail, airline, and insurance industries. Mandiant reports that the actors impersonate employees, using personal information exposed in earlier data breaches, to convince help desk agents to reset Active Directory passwords. Once inside, they conduct reconnaissance through SharePoint sites and network drives, specifically hunting for IT documentation that reveals privileged accounts and groups such as “vSphere Admins” or “ESX Admins.” They then escalate privileges by adding compromised accounts to those critical security groups with commands such as net.exe group "ESX Admins" ACME-CORP\temp-adm-bkdr /add, executed through Windows Remote Management (WinRM). The group also installs “teleport,” a legitimate open-source remote access tool, to create encrypted reverse shells that bypass firewall egress rules. Throughout, the actors rely on a proven “living-off-the-land” (LotL) methodology that evades traditional endpoint detection and response (EDR) solutions by operating directly at the hypervisor level, where security tools have limited visibility. Security teams can detect this activity by monitoring for AD Event ID 4728 (member added to a security-enabled global group) and correlating wsmprovhost.exe process execution with suspicious group modifications; comprehensive logging from vCenter events, ESXi audit logs, and Active Directory is needed to catch UNC3944’s methodical progression through virtualized environments before ransomware is deployed. Organizations can further harden against this attack path by implementing vSphere VM encryption for Tier 0 assets, enabling ESXi lockdown mode, and enforcing the execInstalledOnly kernel setting to prevent execution of unsigned binaries.
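The detection described above, adding a member to an ESXi or vSphere admin group via a WinRM session, can be expressed as a small correlation rule. The following is an added example written for this summary, not code from the article or from Mandiant. It assumes the group change arrives as Security Event ID 4728 (as the article states) and that process starts are audited as Event ID 4688 (an assumption here; Sysmon Event 1 would carry the same fields), correlates on the account that made the change rather than on the host (the 4728 is logged on the domain controller, while wsmprovhost.exe runs on whatever host the attacker connected to), and uses a constructed set of sample events plus a 10-minute correlation window chosen for the example.

```python
from datetime import datetime, timedelta

# Groups named in the article whose membership grants control over vSphere/ESXi.
# Compared case-insensitively; add your own Tier 0 groups here.
WATCHED_GROUPS = {"esx admins", "vsphere admins"}

# How long before the group change a wsmprovhost.exe start by the same account
# still counts as related. The 10-minute value is an assumption for this example.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events, shaped like fields pulled from the Windows Security log:
# 4728 = member added to a security-enabled global group (logged on the DC),
# 4688 = process creation (logged on the host where the process ran; assumption).
SAMPLE_EVENTS = [
    {"event_id": 4688, "timestamp": "2025-07-20T08:00:00", "computer": "DC01",
     "subject_user": "admin.sam", "new_process_name": r"C:\Windows\System32\wsmprovhost.exe"},
    {"event_id": 4688, "timestamp": "2025-07-20T09:01:10", "computer": "JUMP01",
     "subject_user": "j.doe", "new_process_name": r"C:\Windows\System32\wsmprovhost.exe"},
    {"event_id": 4728, "timestamp": "2025-07-20T09:02:05", "computer": "DC01",
     "subject_user": "j.doe", "target_group": "ESX Admins",
     "member": r"ACME-CORP\temp-adm-bkdr"},
    {"event_id": 4728, "timestamp": "2025-07-20T11:30:00", "computer": "DC01",
     "subject_user": "admin.sam", "target_group": "Finance Users",
     "member": r"ACME-CORP\a.smith"},
    {"event_id": 4728, "timestamp": "2025-07-20T14:00:00", "computer": "DC01",
     "subject_user": "admin.sam", "target_group": "vSphere Admins",
     "member": r"ACME-CORP\new-vadmin"},
]


def _ts(event):
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S")


def _is_winrm_host_process(event):
    # wsmprovhost.exe is the WinRM provider host; its start marks a remote session.
    name = event.get("new_process_name", "")
    return event["event_id"] == 4688 and name.lower().endswith("\\wsmprovhost.exe")


def find_suspicious_group_changes(events, window=CORRELATION_WINDOW):
    """Alert on every 4728 that adds a member to a watched group.

    The 4728 subject user is the account that performed the change. If that same
    account had a wsmprovhost.exe start on any host within `window` before the
    change, the alert is marked WinRM-driven and raised to high severity.
    """
    winrm_starts = [e for e in events if _is_winrm_host_process(e)]
    alerts = []
    for e in events:
        if e["event_id"] != 4728 or e["target_group"].lower() not in WATCHED_GROUPS:
            continue
        change_time = _ts(e)
        related = [
            p for p in winrm_starts
            if p["subject_user"].lower() == e["subject_user"].lower()
            and timedelta(0) <= change_time - _ts(p) <= window
        ]
        alerts.append({
            "timestamp": e["timestamp"],
            "actor": e["subject_user"],
            "group": e["target_group"],
            "member_added": e["member"],
            "winrm_correlated": bool(related),
            "winrm_hosts": sorted({p["computer"] for p in related}),
            "severity": "high" if related else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_group_changes(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts: the “ESX Admins” change by j.doe is tied to a WinRM session on JUMP01 a minute earlier and is rated high, while the “vSphere Admins” change by admin.sam has no WinRM start inside the window and stays medium. Any addition to a watched group is worth a ticket regardless, since a legitimate admin change outside a change window is exactly what the article describes the actors imitating.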

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Jul 2025 06:25:13 +0000


Cyber News related to UNC3944 Attacking VMware vSphere and Enabling SSH on ESXi Hosts to Reset 'root' Passwords

Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
3 years ago Hackread.com CVE-2021-21974
UNC3944 Attacking VMware vSphere and Enabling SSH on ESXi Hosts to Reset 'root' Passwords - UNC3944, a financially driven threat organization associated with “0ktapus,” “Octo Tempest,” and “Scattered Spider,” launched a sophisticated cyber campaign that used social engineering and hypervisor-level attacks ...
7 months ago Cybersecuritynews.com Scattered Spider
VMware ESXi 8.0 Update 3e Released for Free, What's New! - This marks a significant policy reversal after Broadcom discontinued the free ESXi offering following its acquisition of VMware, a move that had pushed many users toward alternative virtualization platforms. Broadcom has officially reintroduced the ...
10 months ago Cybersecuritynews.com
New SSH-Snake Malware Abuses SSH Credentials - Threat actors abuse SSH credentials to gain unauthorized access to systems and networks. SSH credential abuse provides a stealthy entry point for threat actors to compromise and control the targeted systems. On January 4th, 2024, the Sysdig Threat ...
2 years ago Cybersecuritynews.com
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
2 years ago Bleepingcomputer.com Qilin
UNC3944 Hackers Evolves from SIM Swap to Ransomware and Data Extortion - Initially focusing on telecommunications-related organizations to facilitate SIM swap operations, the group has transformed into a more sophisticated threat actor deploying ransomware and engaging in data theft extortion. Recent public reporting has ...
10 months ago Cybersecuritynews.com Dragonforce Scattered Spider
Scattered Spider is running a VMware ESXi hacking spree - This allows Scattered Spider to scan the network devices for IT documentation that would provide high-value targets, like the names of domain or VMware vSphere administrators, and security groups that can provide administrative permissions over the ...
7 months ago Bleepingcomputer.com Scattered Spider
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
3 years ago Thehackernews.com CVE-2021-21974
VMware urges admins to remove deprecated, vulnerable auth plug-in - VMware urged admins today to remove a discontinued authentication plugin exposed to authentication relay and session hijack attacks in Windows domain environments via two security vulnerabilities left unpatched. The vulnerable VMware Enhanced ...
2 years ago Bleepingcomputer.com CVE-2024-22245 CVE-2024-22250
VMware fixes critical code execution flaw in vCenter Server - VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. vCenter Server is the central management hub for VMware's vSphere suite, and it helps ...
2 years ago Bleepingcomputer.com CVE-2023-34048 CVE-2023-34056
VMware ESXi and Workstation Vulnerabilities Let Attackers Execute Malicious Code on Host - Multiple severe vulnerabilities have been addressed affecting VMware ESXi, Workstation, Fusion, and Tools that could allow attackers to execute malicious code on host systems. However, on VMware Workstation and Fusion desktop platforms, successful ...
7 months ago Cybersecuritynews.com
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
2 years ago Go.theregister.com CVE-2023-34048 Hunters
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
2 years ago Bleepingcomputer.com CVE-2023-34060
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
2 years ago Cysecurity.news Qilin
CVE-2025-41233 - Description: ...
9 months ago
41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks - We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on ...
1 year ago Cybersecuritynews.com CVE-2025-22224
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
2 years ago Bleepingcomputer.com CVE-2023-34060
Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years - One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat for years before a patch became available. In a sign of just how severe this particular issue was, VMware went so far ...
2 years ago Darkreading.com CVE-2023-34048 CVE-2023-20867
Enzoic for AD Lite Data Shows Increase in Crucial Risk Factors - The 2023 data from Enzoic for Active Directory Lite data from 2023 offers a revealing glimpse into the current state of cybersecurity, highlighting a significant increase in risk factors that lead to data breaches. The free password auditor has been ...
2 years ago Securityboulevard.com
VMware warns admins of public exploit for vRealize RCE flaw - VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight. "Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," ...
2 years ago Bleepingcomputer.com CVE-2023-34051
Chinese Espionage Group Has Exploited VMware Flaw Since 2021 - A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the ...
2 years ago Securityboulevard.com CVE-2023-34048 CVE-2023-20867
BERT Ransomware Forcibly Shut Down ESXi Virtual Machines to Disrupt Recovery - A newly emerged ransomware group known as BERT has introduced a particularly disruptive capability that sets it apart from traditional ransomware operations: the ability to forcibly terminate ESXi virtual machines before encryption, significantly ...
8 months ago Cybersecuritynews.com
The most popular passwords of 2023 are easy to guess and crack - Each year, analysts at various Internet security companies release lists of the most used passwords. ADVERTISEMENT. The passwords that are on these lists may act as a warning for any Internet and electronic device user. Some common passwords have ...
2 years ago Ghacks.net
Broadcom fixes three VMware zero-days exploited in attacks - CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape, while CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with ...
1 year ago Bleepingcomputer.com CVE-2025-22225
RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
2 years ago Bleepingcomputer.com LockBit