“The threat actor demonstrated a deep understanding of the target environment’s network architecture and policies, effectively navigating segmentation controls to reach internal, presumably isolated assets,” Sygnia said in a blog post. “By compromising network infrastructure and tunneling through trusted systems, the threat actor systematically bypassed segmentation boundaries, reached isolated networks, and established cross-segment persistence.”
The attackers constantly adapted their techniques, such as altering tools, disguising files, and deploying redundant persistence backdoors, to evade detection and regain access after cleanup.
Sygnia has advised organizations to patch vulnerable VMware components, rotate and secure service account credentials, and enforce ESXi lockdown mode to restrict host access. It also recommends using dedicated admin jump hosts, segmenting management networks, and expanding monitoring to include vCenter, ESXi, and appliances that often lack traditional endpoint visibility.
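One way to check the lockdown-mode recommendation across an estate is a read-only PowerCLI audit; this is an added example, not code from the article or from Sygnia, and it assumes VMware PowerCLI is installed and that the vCenter hostname is a placeholder.

```powershell
# Added example (not from the article): audit ESXi lockdown mode via VMware PowerCLI.
# Assumption: PowerCLI is installed and 'vcenter.example.internal' is a placeholder
# for the vCenter appliance; the current session credentials are used to log in.
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

# The vSphere API field HostConfigInfo.lockdownMode reports one of:
# lockdownDisabled, lockdownNormal or lockdownStrict.
$report = Get-VMHost | ForEach-Object {
    $mode = $_.ExtensionData.Config.LockdownMode
    [pscustomobject]@{
        Host         = $_.Name
        LockdownMode = $mode
        Compliant    = ($mode -ne 'lockdownDisabled')
    }
}

$report | Sort-Object Host | Format-Table -AutoSize

# Hosts with lockdown disabled still accept direct logins with host-local
# credentials, bypassing the vCenter access path and its audit trail.
$nonCompliant = $report | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    Write-Warning ("Lockdown mode disabled on: " + ($nonCompliant.Host -join ', '))
}

Disconnect-VIServer -Confirm:$false
```

Run it from the dedicated admin jump host rather than a general workstation, so the audit itself follows the management-network segmentation the article describes.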