
ESXiArgs VMware Ransomware

TLP

TLP CLEAR

Author

Jordi Lobo

Summary

ESXiArgs is a large-scale ransomware campaign targeting the VMware ESXi hypervisor. It exploits CVE-2021-21974, a vulnerability in the Service Location Protocol (SLP) service of ESXi that allows an attacker to execute arbitrary code remotely. According to CERT-FR, the systems currently targeted are ESXi hypervisors in version 6.x and prior to 6.7.

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution. Exposure therefore depends on two things: the host's build number (the output of vmware -vl on the host, compared against the fixed builds above) and whether port 427 is reachable from a network position the attacker can occupy. An SLP service that answers is not by itself proof of an unpatched host, and a patched host that still exposes SLP is still worth reporting.

The /store/packages/vmtools.py file found on compromised hosts is the same custom Python backdoor for VMware ESXi servers that Juniper Networks documented in December 2022; it gives the threat actors remote access to the hypervisor.
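A quick hunt for that backdoor and for its boot-time persistence, as an added example written for this page (not code from the original post or from Juniper's report). It takes a root directory so it can run on the live host (ESXi ships /bin/python) or against a mounted copy of the filesystem. The only facts taken from the page are the backdoor path and that it is a Python file; checking /etc/rc.local.d/local.sh for a launch line is the analyst's assumption about how a file like this would survive a reboot, and the launch line in the constructed sample tree is invented for the fixture.

```python
"""Hunt for /store/packages/vmtools.py and a launch line in local.sh."""
import hashlib
import os
import re
import tempfile

BACKDOOR_PATH = "store/packages/vmtools.py"
LOCAL_SH_PATH = "etc/rc.local.d/local.sh"     # ESXi's boot-time startup script
LAUNCH_RE = re.compile(r"vmtools\.py")
PYTHON_RE = re.compile(r"\bpython\b")         # any Python launch from local.sh is odd


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str = "/") -> list:
    """Return a list of findings; an empty list means neither indicator matched."""
    findings = []
    backdoor = os.path.join(root, BACKDOOR_PATH)
    if os.path.isfile(backdoor):
        st = os.stat(backdoor)
        findings.append({"indicator": "backdoor_file", "path": backdoor,
                         "sha256": sha256_file(backdoor),   # for comparison with vendor/TI hashes
                         "size": st.st_size, "mtime": int(st.st_mtime)})
    local_sh = os.path.join(root, LOCAL_SH_PATH)
    if os.path.isfile(local_sh):
        with open(local_sh, errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                if LAUNCH_RE.search(line):
                    findings.append({"indicator": "persistence", "path": local_sh,
                                     "line": lineno, "text": line.strip()})
                elif PYTHON_RE.search(line) and not line.lstrip().startswith("#"):
                    findings.append({"indicator": "suspicious_launch", "path": local_sh,
                                     "line": lineno, "text": line.strip()})
    return findings


def make_sample_tree(root: str) -> None:
    """Constructed fixture: a stub in place of the backdoor plus a modified local.sh."""
    os.makedirs(os.path.join(root, "store", "packages"))
    os.makedirs(os.path.join(root, "etc", "rc.local.d"))
    with open(os.path.join(root, BACKDOOR_PATH), "w") as f:
        f.write("# stand-in for the backdoor; not the real malware\n")
    with open(os.path.join(root, LOCAL_SH_PATH), "w") as f:
        f.write("#!/bin/sh\n"
                "# a clean local.sh contains only comments and the final exit 0\n"
                "/bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1&\n"  # assumed launch line
                "exit 0\n")


def demo() -> list:
    """Build the constructed tree in a temp dir and hunt through it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(hunt(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

The check is path-based, so a renamed copy of the backdoor defeats the first indicator; the local.sh scan is the broader net, since on a clean ESXi host that script runs nothing. Treat a hit as the start of the investigation, not the end: preserve the file and its hash before touching it, and remember that ESXi persists /etc changes in the bootbank state archive, so a copy of the modified local.sh may survive there even after the live file is cleaned.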

DATA

TIMELINE

CATEGORY

Ransomware

References

MITRE ATT&CK
