How vSphere Became a Target for Adversaries
Sep 15, 2025
In this discussion, Stuart Carrera, a Senior Consultant at Mandiant with deep expertise in vSphere security, reveals why threat actors are now targeting VMware environments. He highlights how vSphere's unique features, like AD integrations and the absence of effective detection tools, make it appealing for ransomware and espionage. Stuart shares tactics used in attacks, including backdoors and rapid ransomware execution. He also offers practical hardening tips, urging organizations to treat vSphere as a crucial asset to mitigate risks effectively.
vSphere Is Everywhere And Critical
- VMware vSphere remains ubiquitous in enterprise on-prem datacenters and runs many critical workloads.
- Its stability and wide adoption make it a high-value, high-impact target for attackers.
vCenter And ESXi Are Detection Blind Spots
- ESXi and vCenter cannot host EDR or traditional antivirus, creating visibility blind spots.
- That lack of endpoint protection shifts the detection burden to logging and detection engineering.
Hypervisor Compromise Equals Wide Blast Radius
- Organizations often run domain controllers, SIEMs, and PAM as virtual machines inside vSphere.
- Compromising the hypervisor can therefore grant control over an entire infrastructure and data.