{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/virtualization/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["BRICKSTORM"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["vsphere","virtualization","brickstorm","persistence","lateral-movement"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe BRICKSTORM campaign targets VMware vSphere environments, with a focus on the vCenter Server Appliance (VCSA) and ESXi hypervisors. This campaign, building on previous BRICKSTORM research, highlights the increasing threats targeting virtualized infrastructure. By gaining persistence at the virtualization layer, attackers bypass traditional security measures, such as endpoint detection and response (EDR) agents, which are often ineffective in these environments. The attackers exploit weak security architectures, identity design flaws, lack of host-based configuration enforcement, and limited visibility within the virtualization layer. This allows them to maintain long-term persistence and gain administrative control over the entire vSphere environment, making the VCSA a prime target due to its centralized control. This activity is not due to vendor vulnerabilities but rather misconfigurations and security gaps. vSphere 7 reached End of Life (EoL) in October 2025, so organizations using this version are at increased risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the vSphere environment, potentially through compromised credentials or vulnerabilities in externally facing services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVCSA Compromise:\u003c/strong\u003e The attacker targets the vCenter Server Appliance (VCSA) to gain centralized control over the vSphere environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges within the VCSA to gain root or administrative access to the underlying Photon Linux OS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by modifying system files or creating malicious services that survive reboots. This may involve writing scripts to \u003ccode\u003e/etc/rc.local.d\u003c/code\u003e or modifying startup files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised VCSA to move laterally to other ESXi hosts and virtual machines within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e The attacker accesses the underlying storage (VMDKs) of virtual machines, bypassing operating system permissions and traditional file system security, to exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eControl of ESXi Hosts:\u003c/strong\u003e The attacker resets root credentials on any managed ESXi host, providing full control of the hypervisor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker can power off, delete, or reconfigure any virtual machine, encrypt datastores, disable virtual networks, and exfiltrate data. The ultimate objective could be data theft, disruption of services, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful BRICKSTORM attack can have severe consequences, including complete compromise of the vSphere environment. This can lead to data exfiltration of Tier-0 assets, disruption of critical services (such as domain controllers), and potential ransomware deployment across all virtual machines. Organizations may face significant financial losses, reputational damage, and legal liabilities. The lack of command-line logging on the Photon OS shell further hinders incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHarden the vCenter Server Appliance (VCSA) by implementing the security configurations recommended in the Mandiant vCenter Hardening Script (reference: vCenter Hardening Script link in Overview).\u003c/li\u003e\n\u003cli\u003eImplement logging and monitoring for the Photon OS shell to detect unauthorized access and command execution (reference: Phase 4 in Content).\u003c/li\u003e\n\u003cli\u003eUpgrade to a supported version of vSphere to receive critical security patches (reference: vSphere 7 End of Life in Content).\u003c/li\u003e\n\u003cli\u003eEnable Secure Boot, strictly firewall management interfaces, and disable shell access on ESXi hosts and the VCSA (reference: Technical Hardening in Content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect modifications to startup files for persistence on Photon OS (reference: Sigma rule: \u0026ldquo;Detect Startup File Modification in Photon OS\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:55:05Z","date_published":"2026-04-02T13:55:05Z","id":"/briefs/2026-04-brickstorm-vsphere/","summary":"The BRICKSTORM malware targets VMware vSphere environments, specifically vCenter Server Appliance (VCSA) and ESXi hypervisors, by exploiting weak security configurations to establish persistence at the virtualization layer, leading to administrative control and potential data exfiltration.","title":"BRICKSTORM Malware Targeting VMware vSphere Environments","url":"https://feed.craftedsignal.io/briefs/2026-04-brickstorm-vsphere/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["virtualization","hypervisor","qemu","virtio-snd","heap overflow","hypervisor escape"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA recently disclosed vulnerability in the QEMU virtualization platform allows a malicious guest operating system to escape the hypervisor and potentially execute code on the host system. The vulnerability resides in the \u003ccode\u003evirtio-snd\u003c/code\u003e component, which emulates a sound card for virtual machines. The root cause is an uncontrolled heap overflow that can be triggered by a specially crafted audio stream sent from the guest to the host. While specific details of the vulnerability and its exploitation are not provided in the source document, it is important for defenders to understand the potential impact of such a vulnerability and take appropriate measures to mitigate the risk. Successfully exploiting this type of vulnerability would allow an attacker to gain complete control over the underlying host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a guest virtual machine (VM) through a compromised application or vulnerable service running within the VM.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their access within the guest VM to send a specially crafted audio stream to the emulated \u003ccode\u003evirtio-snd\u003c/code\u003e device.\u003c/li\u003e\n\u003cli\u003eThe crafted audio stream triggers an uncontrolled heap overflow within the QEMU process on the host system.\u003c/li\u003e\n\u003cli\u003eThe heap overflow corrupts memory on the host system, potentially overwriting critical data structures or code.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully manipulates the heap overflow to overwrite function pointers or other execution control data within the QEMU process.\u003c/li\u003e\n\u003cli\u003eWhen the QEMU process attempts to execute the overwritten function pointer, control is redirected to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes within the context of the QEMU process on the host system, allowing them to bypass the VM\u0026rsquo;s isolation.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain root access on the host and compromise the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this QEMU hypervisor escape vulnerability allows a malicious guest operating system to gain complete control over the host system. This can lead to data theft, system compromise, and further lateral movement within the network. The potential impact is significant, especially in cloud environments where multiple VMs share the same physical hardware. Even though specific victim numbers are unavailable, the wide deployment of QEMU implies a broad scope of potential targets across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events on the hypervisor host for QEMU processes spawning child processes with unexpected command-line arguments, as this could indicate exploitation (see rule: \u0026ldquo;Detect QEMU Process Spawning Shell\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable network connection logging for QEMU processes on the hypervisor host to detect connections to unusual or malicious IP addresses, which may be used for command and control after a hypervisor escape (see rule: \u0026ldquo;Detect QEMU Outbound Network Connection\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual or suspicious behavior within guest VMs, such as unexpected resource utilization or network activity, as this may indicate an attempt to exploit the \u003ccode\u003evirtio-snd\u003c/code\u003e vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:19:00Z","date_published":"2026-03-19T05:19:00Z","id":"/briefs/2026-03-qemu-escape/","summary":"An unpatched vulnerability in QEMU's virtio-snd component allows for a hypervisor escape due to an uncontrolled heap overflow.","title":"QEMU Hypervisor Escape via virtio-snd 0-Day","url":"https://feed.craftedsignal.io/briefs/2026-03-qemu-escape/"}],"language":"en","title":"CraftedSignal Threat Feed — Virtualization","version":"https://jsonfeed.org/version/1.1"}