
Emerging Threats

Selling access to corporate virtualisation servers

· frtg · 2 min read

In recent weeks, two unaffiliated criminal groups operating as Access Brokers (reselling infrastructure access) have been identified selling computational access to ESXi servers across multiple organizations worldwide.

The threat actors appear to have exploited specific vulnerabilities to gain access to servers exposed on public networks.

Access Sales Details

Recent Observed Activity

During the final quarter of 2020, multiple offerings of access to compromised servers via VMware vCenter and ESXi vulnerabilities were discovered. In certain listings, privilege levels remain unspecified; however, vendors provide technical specifications including server type (for example, ESX ROOT access) and hardware details such as RAM, CPU, and storage capacity. Such information enables prospective buyers to assess operational feasibility—for instance, cryptocurrency mining deployment.

Sale of access to compromised servers

In these cases the asset type is specified, but the access method (typically RDP, VPN, or another remote-access mechanism) is often omitted from the listing.

Identified Access Brokers

The access brokers whose listings in preceding months claimed infrastructure compromise via VMware software vulnerabilities have been identified under the usernames drumrlu and 3lv4n.

Recent postings were most likely published by the same threat actors tracked in previous months.

Current Transaction Status

Currently, an increasing proportion of black market transactions occur through private communications rather than public listings. This operational shift restricts visibility to vendors’ “trusted” users, thereby reducing exposure to security researchers documenting compromised infrastructure indicators. Cyber Threat Intelligence collection efforts must adapt to track these private channels to maintain visibility into emerging access broker activity.

Exploited Vulnerabilities

CVE-2021-21972 – vSphere Client (HTML5)

This vulnerability permits any actor with network access to port 443 to execute arbitrary code with unrestricted privileges on the operating system hosting vCenter Server. Affected versions include:

  • VMware vCenter Server
    • 7.x prior to 7.0 U1c
    • 6.7 prior to 6.7 U3l
    • 6.5 prior to 6.5 U3n
  • VMware Cloud Foundation
    • 4.x prior to 4.2
    • 3.x prior to 3.10.1.2

CVE-2020-3992 – OpenSLP

This vulnerability permits remote code execution by threat actors with network access to port 427 on an ESXi host, via a use-after-free bug in the OpenSLP service. Affected ESXi versions include:

  • 7.0 prior to ESXi_7.0.1-0.0.16850804
  • 6.7 prior to ESXi670-202010401-SG
  • 6.5 prior to ESXi650-202010401-SG
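The two advisories above give the fixed-in levels that a defender needs when triaging an inventory of vCenter and ESXi hosts. The following Python script is an added example, not code from the original post or from VMware; it encodes only the fixed-in versions and patch identifiers listed on this page and classifies each inventory entry as vulnerable, patched, or unknown. Two assumptions are built in and labelled in the code: that VMware update labels within a release sort as U1 < U1a < U1b < U1c, and that the digits of an ESXi patch bulletin ID (ESXi670-202010401-SG) are date-ordered, so a numerically smaller ID is an older patch. The inventory values are constructed for illustration. A 6.7 or 6.5 host reported only by build number is deliberately returned as "unknown", because the page gives no build number for those releases and a build number is not comparable with a bulletin ID.

```python
import re

# Fixed-in levels for CVE-2021-21972 (vCenter Server), as listed on the page.
# Assumption: within a release, update labels sort as U1 < U1a < U1b < U1c.
# GA (no update label) is represented as update 0 with an empty letter.
VCENTER_FIXED = {"7.0": (1, "c"), "6.7": (3, "l"), "6.5": (3, "n")}

# Fixed-in levels for CVE-2020-3992 (ESXi OpenSLP), as listed on the page.
# 7.0 is given as a build number; 6.7 and 6.5 as patch bulletin IDs.
# Assumption: bulletin IDs are date-ordered, so a smaller number is an older patch.
ESXI_FIXED = {
    "7.0": ("build", 16850804),
    "6.7": ("bulletin", 202010401),
    "6.5": ("bulletin", 202010401),
}

# "7.0 U1b", "6.7", "6.5 U3n", "7.0.1 U1c" -> release, update number, update letter
VCENTER_RE = re.compile(r"^\s*(\d+\.\d+)(?:\.\d+)?\s*(?:U(\d+)([a-z])?)?\s*$", re.IGNORECASE)
# "ESXi670-202010401-SG" -> release digits and bulletin ID
BULLETIN_RE = re.compile(r"ESXi(\d)(\d)0-(\d{9})", re.IGNORECASE)
# "ESXi_7.0.1-0.0.16850804" or "7.0.0 build 16324942" -> release and build number
BUILD_RE = re.compile(r"(\d+\.\d+)(?:\.\d+)?\D+?(?:0\.0\.)?(\d{7,})")


def parse_vcenter(version):
    """'7.0 U1b' -> ('7.0', (1, 'b')); '6.7' -> ('6.7', (0, ''))."""
    m = VCENTER_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    release, update, letter = m.groups()
    return release, (int(update or 0), (letter or "").lower())


def cve_2021_21972_status(version):
    """'vulnerable' if below the page's fixed-in update, 'patched' otherwise, 'unknown' if unlisted."""
    release, level = parse_vcenter(version)
    fixed = VCENTER_FIXED.get(release)
    if fixed is None:
        return "unknown"  # release not covered by the page's list
    return "vulnerable" if level < fixed else "patched"


def parse_esxi(ident):
    """Return (release, kind, number) where kind is 'bulletin' or 'build'."""
    m = BULLETIN_RE.search(ident)
    if m:
        return f"{m.group(1)}.{m.group(2)}", "bulletin", int(m.group(3))
    m = BUILD_RE.search(ident)
    if m:
        return m.group(1), "build", int(m.group(2))
    raise ValueError(f"unrecognised ESXi identifier: {ident!r}")


def cve_2020_3992_status(ident):
    """Compare only like with like: a build number against a build, a bulletin ID against a bulletin."""
    release, kind, number = parse_esxi(ident)
    fixed = ESXI_FIXED.get(release)
    if fixed is None or fixed[0] != kind:
        return "unknown"  # release not listed, or identifier not comparable with the page's fixed level
    return "vulnerable" if number < fixed[1] else "patched"


# Constructed sample inventory (hostnames and values are illustrative, not real hosts).
SAMPLE_INVENTORY = [
    {"host": "vcsa-01.example.internal", "product": "vcenter", "version": "7.0 U1b"},
    {"host": "vcsa-02.example.internal", "product": "vcenter", "version": "6.7 U3l"},
    {"host": "esx-01.example.internal", "product": "esxi", "version": "ESXi_7.0.1-0.0.16850804"},
    {"host": "esx-02.example.internal", "product": "esxi", "version": "7.0.0 build 16324942"},
    {"host": "esx-03.example.internal", "product": "esxi", "version": "ESXi670-202008001-SG"},
    {"host": "esx-04.example.internal", "product": "esxi", "version": "6.5.0 build 15256549"},
]

CHECKS = {
    "vcenter": ("CVE-2021-21972", cve_2021_21972_status),
    "esxi": ("CVE-2020-3992", cve_2020_3992_status),
}


def triage(inventory):
    """Return (host, cve, status) for every entry; 'unknown' means the page's data cannot decide."""
    findings = []
    for entry in inventory:
        cve, check = CHECKS[entry["product"]]
        findings.append((entry["host"], cve, check(entry["version"])))
    return findings


def vulnerable_hosts(inventory):
    """Sorted hostnames that need patching (or network isolation of 443/427) first."""
    return sorted(host for host, _, status in triage(inventory) if status == "vulnerable")


if __name__ == "__main__":
    for host, cve, status in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {cve:15} {status}")
```

Feed it the version strings your inventory tool already exports; anything it returns as "unknown" should be resolved by hand against the vendor advisory rather than assumed safe.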