{"id":2298,"date":"2021-05-17T12:39:42","date_gmt":"2021-05-17T10:39:42","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2298"},"modified":"2026-06-08T22:43:40","modified_gmt":"2026-06-08T22:43:40","slug":"virtualisation-server-access-sale","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/virtualisation-server-access-sale\/","title":{"rendered":"Selling access to corporate virtualisation servers"},"content":{"rendered":"\n<p style=\"text-align: justify\">In recent weeks, two unaffiliated criminal groups operating as <strong><em>Access Brokers<\/em><\/strong> (reselling infrastructure access) have been identified selling computational access to ESXi servers across multiple organizations worldwide.<\/p>\n<p style=\"text-align: justify\"><span>The threat actors appear to have exploited specific vulnerabilities to gain access to servers exposed on public networks.<\/span><\/p>\n\n\n\n<div class=\"wp-block-cover has-background-dim\" style=\"background-image:url(https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/threat_intel.gif)\"><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<h2 class=\"has-text-align-center wp-block-heading\"><strong><span style=\"color:#000000\" class=\"tadv-color\"><span style=\"background-color:#ffffff\" class=\"tadv-background-color\">Access Sales Details<\/span><\/span><\/strong><\/h2>\n<\/div><\/div>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Recent Observed Activity<\/h2>\n\n\n\n<p style=\"text-align: justify\">During the final quarter of 2020, multiple offerings of access to compromised servers via VMware vCenter and ESXi vulnerabilities were discovered. In certain listings, privilege levels remain unspecified; however, vendors provide technical specifications including server type (for example, ESX ROOT access) and hardware details such as RAM, CPU, and storage capacity. Such information enables prospective buyers to assess operational feasibility\u2014for instance, cryptocurrency mining deployment.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/05\/12new-2-1024x746-1.png\" alt=\"\" class=\"wp-image-2329\" loading=\"lazy\" \/><figcaption>Sale of access to compromised servers<\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">In these cases, asset type is specified but access methodology is often omitted, typically provisioned via <strong>RDP protocol, VPN, or other mechanisms<\/strong>.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Identified Access Brokers<\/h2>\n\n\n\n<p style=\"text-align: justify\">The access brokers observed in listings from preceding months claiming infrastructure compromise via VMware software vulnerabilities have been identified under the usernames <strong>drumrlu<\/strong> and <strong>3lv4n<\/strong>.<\/p>\n<p style=\"text-align: justify\">Recent postings were most likely published by the same threat actors tracked in previous months.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Current Transaction Status<\/h2>\n\n\n\n<p style=\"text-align: justify\">Currently, an increasing proportion of black market transactions occur through private communications rather than public listings. This operational shift restricts visibility to vendors&#8217; &#8220;trusted&#8221; users, thereby reducing exposure to security researchers documenting compromised infrastructure indicators. <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> collection efforts must adapt to track these private channels to maintain visibility into emerging access broker activity.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Exploited Vulnerabilities<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">CVE-2021-21972 &#8211; vSphere Client (HTML5)<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">This vulnerability permits arbitrary code execution with unrestricted privileges on the operating system hosting vCenter Server to any actor with access to port 443. Affected server versions include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>VMware vCenter Server<ul><li>7.x prior to 7.0 U1c<\/li><li>6.7 prior to 6.7 U3l<\/li><li>6.5 prior to 6.5 U3n<\/li><\/ul><\/li><li>VMware Cloud Foundation<ul><li>4.x prior to 4.2<\/li><li>3.x prior to 3.10.1.2<\/li><\/ul><\/li><\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">CVE-2020-3992 &#8211; OpenSLP<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">This vulnerability permits remote code execution by threat actors with access to port 427 on an ESXi host through use-after-free exploitation of the OpenSLP service. Affected ESXi versions include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>7.0 prior to ESXi_7.0.1-0.0.16850804<\/li><li>6.7 prior to ESXi670-202010401-SG<\/li><li>6.5 prior to ESXi650-202010401-SG<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Initial access brokers offering compromised hypervisors (VMware ESXi, Hyper-V) on underground markets: pricing trends, victim profiles and downstream ransomware risk.<\/p>\n","protected":false},"author":1,"featured_media":2615,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[19,3198,129,130,3196,3195,255,3197,378,381],"class_list":["post-2298","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-access-broker","tag-access-sale","tag-esx","tag-esxi","tag-hyper-v","tag-initial-access-brokers","tag-openslp","tag-underground-markets","tag-vmware","tag-vsphere"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2298"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2298\/revisions"}],"predecessor-version":[{"id":9866,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2298\/revisions\/9866"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}