Nation-State | Hypervisor Persistence

CybersecurityHQ | Daily Cyber Insight

Welcome reader, here’s today’s Daily Cyber Insight.


Executive Snapshot
Your virtualization layer was designed for efficiency, not defense. PRC actors maintained undetected access to VMware vCenter infrastructure for 17 months before discovery, treating your hypervisor as a permanent forward operating base.

Signal
BRICKSTORM's self-reinstalling persistence and DNS-over-HTTPS concealment reveal that adversaries are treating virtualization management consoles as durable implant platforms, not transient footholds.

Strategic Implication
Your security architecture likely monitors guest VMs while ignoring the hypervisor layer that controls them all.

Action
Scan all VMware vCenter and ESXi hosts using CISA-published YARA and Sigma rules today. Block unauthorized DNS-over-HTTPS providers at the network edge and monitor for anomalous DoH traffic from infrastructure servers now. Audit all vpxuser and service account credentials across virtualization infrastructure and implement network segmentation between DMZ and vCenter management planes this week.
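As an added example (not from the newsletter and not CISA's published rules), the Python below applies the DoH-monitoring action to proxy/TLS log lines: it flags any DoH session from the vCenter/ESXi management subnet and raises the severity when the resolver is not a sanctioned one. The management subnet, the sanctioned resolver name, the log format and the log lines are all constructed assumptions.

```python
"""Flag DNS-over-HTTPS sessions originating from virtualization-management hosts."""
import ipaddress
from dataclasses import dataclass

# Assumptions for this example: the vCenter/ESXi management plane lives in this
# subnet, and only this resolver is sanctioned for DoH. Adjust to your network.
MGMT_SUBNET = ipaddress.ip_network("10.50.0.0/24")
SANCTIONED_DOH = {"doh.corp.example"}
# Well-known public DoH resolver hostnames; a match on TLS SNI alone counts as DoH.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


@dataclass
class Alert:
    ts: str
    src: str
    resolver: str
    severity: str


def is_doh(sni: str, path: str, content_type: str) -> bool:
    """DoH heuristics: known resolver SNI, the RFC 8484 media type, or a /dns-query path."""
    return (sni in KNOWN_DOH_HOSTS
            or content_type == "application/dns-message"
            or path.startswith("/dns-query"))


def analyse(lines):
    """Each line: <ts> <src_ip> <dst_port> <sni> <path> <content_type> ('-' when absent)."""
    alerts = []
    for line in lines:
        ts, src, dst_port, sni, path, ctype = line.split()
        if dst_port != "443" or not is_doh(sni, path, ctype):
            continue
        if ipaddress.ip_address(src) not in MGMT_SUBNET:
            continue  # DoH from workstations is a policy question, not this alert
        # Any DoH from an infrastructure server is anomalous; an unsanctioned
        # resolver (including DoH hidden behind an unfamiliar hostname) is worse.
        severity = "medium" if sni in SANCTIONED_DOH else "high"
        alerts.append(Alert(ts, src, sni, severity))
    return alerts


# Constructed sample log: two management hosts using DoH, one benign update
# fetch, one workstation using DoH, and DoH to a resolver not on any list.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.50.0.10 443 cloudflare-dns.com /dns-query application/dns-message",
    "2025-01-01T10:00:05Z 10.50.0.11 443 doh.corp.example /dns-query application/dns-message",
    "2025-01-01T10:00:09Z 10.50.0.10 443 vcenter-updates.example / -",
    "2025-01-01T10:01:00Z 192.168.1.25 443 dns.google /dns-query -",
    "2025-01-01T10:02:00Z 10.50.0.12 443 cdn.example /dns-query application/dns-message",
]
```

The content-type check matters because DoH does not have to go to a recognisable resolver name; a session carrying `application/dns-message` to an unfamiliar host is still DoH.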
