VMware vDefend directly conforms to NIST CSF, HIPAA, and PCI DSS requirements, providing organizations with the critical controls needed to satisfy regulatory mandates and mitigate modern threats.

Regulatory compliance has become a strategic imperative across all industry sectors due to a growing global focus on data privacy, supply chain transparency, and operational resilience. This urgency is further amplified by the rapid adoption of AI and the rise of AI-accelerated cyberattacks. These advanced threats often target software vulnerabilities and spread laterally through east-west traffic to access high-value targets such as electronic protected health information (ePHI) or Cardholder Data Environment (CDE). As a result, security and compliance teams must deploy comprehensive controls to provide visibility and enforcement, restrict lateral movement, detect threats, and enable mitigation before damage can occur.

To effectively address these challenges and ensure compliance, organizations must align their security architecture with the necessary control points. This alignment is typically achieved through a layered approach, using regulatory frameworks tailored to their industry, data type, and security maturity:

• The Strategic Baseline (NIST CSF 2.0): A highly flexible, risk-based set of guidelines (Identify, Protect, Detect, Respond, Recover). It is often used as a baseline for overall cybersecurity maturity or mapped to fulfill other requirements.
• The Prescriptive Mandates (PCI DSS 4.0.1 & HIPAA): These granular, rules-driven standards are designed to safeguard specialized assets such as cardholder data and ePHI, requiring robust technical boundaries, workload isolation, and deep traffic surveillance.

To provide an objective, professional evaluation of vDefend’s alignment with these mandates, VMware partnered with Coalfire, a leading independent cybersecurity advisory firm. This partnership resulted in the publication of authoritative Product Applicability Guides (PAGs), which provide a detailed assessment of VMware vDefend’s capabilities against established regulatory requirements.

VMware vDefend is a comprehensive Zero Trust lateral security solution designed to protect against cyber threats. This hypervisor-native, software-defined solution provides deep visibility into both network and application activities, effectively eliminating security blind spots. It enforces a multi-layered defense and mitigation strategy against ransomware and advanced persistent threats. 

VMware vDefend is a comprehensive lateral security solution that includes multiple capabilities: distributed and gateway firewalls (DFW, GFW), distributed Intrusion Detection and Prevention Service (IDS/IPS), Malware Prevention Service (MPS), Network Detection and Response (NDR) with an NDR Sensor, and Network Traffic Analysis (NTA). This solution offers deep traffic visibility and creates a closed-loop security system for VCF private cloud, ensuring visibility, prevention, detection, and mitigation of cyber threats.

The following sections explore how VMware vDefend aligns with the essential lifecycle mandates of these critical compliance frameworks.

The Strategic Baseline: NIST CSF 2.0

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 serves as a foundation for modern security design. Rather than offering a simple checklist, it presents a systematic approach organized around five key technical functions: Identify, Protect, Detect, Respond, and Recover.

The following sections detail how vDefend’s comprehensive security capabilities align with the objectives of each NIST framework function.

Identify

Proper identification and mapping of various critical IT assets form the foundation of a comprehensive defense strategy. With vDefend, enterprises can organize workloads statically or dynamically using a tag-based labeling system to trigger specific security policies. Static policies apply to a fixed set of tagged workloads, while dynamic policies automatically adjust and apply based on ‌specific tags. This dynamic enforcement ensures that the corresponding level of compliance, be it regulatory (e.g., HIPAA, PCI DSS) or internal security posture requirements, is met instantly and consistently as new workloads are spun up or existing ones change.

VMware vDefend’s Security Intelligence provides real-time, distributed visibility across the entire data center and cloud infrastructure by continuously monitoring and analyzing all identified traffic flows between workloads. By observing these communication patterns, the Security Intelligence platform can automatically detect and map the “desired” or “baseline” behavior of applications. Based on this traffic flow analysis, the platform provides highly calibrated, actionable policy recommendations that can significantly reduce the attack surface and enhance the overall security posture.

With a clearly identified asset inventory and defined policy baselines, the focus then shifts to proactive enforcement.

Protect

Protecting enterprise workloads from known and previously unseen (zero-day) threats is a core capability of the vDefend solution.

While vDefend Gateway Firewall (GFW) provides conventional NGFW edge controls, albeit with a modern software-defined architecture, the vDefend Distributed Firewall (DFW) employs a distributed (and scale-out) ‘security-per-workload’ model, ‌securing each workload at the virtual NIC layer. Lateral movement, the technique in which attackers pivot from a compromised system to high-value targets, is the primary mechanism by which modern threats, such as sophisticated ransomware and advanced persistent threats, spread internally. By enforcing security policies for every workload, vDefend DFW effectively stops unauthorized lateral movement and restricts breaches from spreading. This critical defense-in-depth mechanism dramatically shrinks the attack surface to an individual workload.

While the Distributed Firewall restricts spread, continuous detection is required to flag anomalies and sophisticated threats that bypass conventional defenses.

Detect

The Detect function focuses on identifying a cybersecurity event in real time, not just after the fact, enabling rapid response and containment. In today’s dynamic threat landscape, this function has undergone a significant transformation. vDefend Advanced Threat Prevention (ATP) has evolved the detection capability by leveraging a multi-layered approach to threat detection, ensuring that security gaps are minimized and evasive threats are captured:

• Distributed Intrusion Detection/Prevention System (IDS/IPS): The vDefend distributed IDS/IPS inspects network traffic and actively matches traffic patterns against an extensive, continuously updated library of over 10,000 known threat and vulnerability signatures. This distributed deep inspection – applied on a per-workload basis – is crucial for detecting both external attacks and east-west traffic anomalies, and for identifying potential vulnerabilities before they can be exploited.
• Network Traffic Analysis (NTA): NTA detects highly sophisticated attacks that bypass perimeter defenses by using behavioral analytics and machine learning on network metadata and flow information. NTA excels at immediately flagging subtle signs of an ongoing internal breach, particularly lateral movement, a key indicator of a successful intrusion.
• Sandboxing for Malware Analysis: vDefend provides an advanced sandboxing feature to neutralize the threat of zero-day exploits and polymorphic malware. This technology isolates suspicious files and URLs in a secure, virtualized environment (the “sandbox”), where the file is “detonated” or executed within a limited blast radius to observe the true behavior. If the file exhibits malicious characteristics, it is blocked, and the signature information is updated to prevent future occurrences.
• Network Detection and Response (NDR): vDefend NDR correlates multiple disparate data points from various sources into visually intuitive attack maps. These detailed, chronological, and graphical representations of an attack campaign result in highly relevant, actionable security intelligence for security teams. 

Taken together, these capabilities give organizations a holistic, real-time picture of threats across their environment. The comprehensive, correlated data and visual attack maps also serve as verifiable evidence of due diligence during audits.

Respond

The response involves a rapid, coordinated incident management effort to contain threats and minimize damage. 

When a threat is detected, vDefend can automatically trigger a Quarantine Policy, moving the infected VM into an isolated “Security Group” with access limited to forensics tools. When coupled with correlated intrusion campaign data from NDR, the incident management team can visualize the entire attack chain on a map. Furthermore, vDefend’s advanced troubleshooting tools—such as traceflow, packet capture, and detailed firewall logs—provide the forensic data needed to demonstrate compliance during an audit.

Once the immediate threat is contained and the attack chain is documented, the final step is ensuring full operational recovery.

Recover

The Recover function focuses on the rapid and complete restoration of services to the pre-incident operational state, ensuring the integrity of all reinstated data. VMware vDefend offers robust capabilities for incremental and full configuration backups. Furthermore, integrating VMware Live Recovery with vDefend significantly enhances the overall resilience strategy, covering both incident response and subsequent recovery.

In summary, the VMware vDefend solution enables foundational security controls that not only provide enterprise-grade protection but also streamlines the complex process of achieving and maintaining continuous compliance across diverse regulatory landscapes. Coalfire’s evaluation recognizes vDefend for its excellent structural coverage throughout the entire NIST lifecycle.

Coalfire assessed vDefend against all 106 subcategories in NIST CSF 2.0, and the results demonstrate the breadth and depth of vDefend’s compliance coverage. vDefend achieves full or strong coverage across the vast majority of applicable subcategories. The ability to monitor, inspect, and enforce policy on east-west traffic within a VCF environment is the architectural advantage that drives this coverage, translating directly into measurable, assessor-validated outcomes across Identify, Protect, Detect, and Respond.

It is worth noting that NIST CSF 2.0 is intentionally broad — many of its subcategories address organizational and business processes that extend beyond any single technology platform. vDefend delivers deep, validated coverage of the technical control layer, and when combined with the organizational security program built around it, organizations are strongly positioned to demonstrate comprehensive CSF 2.0 alignment.

The detailed NIST CSF 2.0 Product Applicability Guide is available here. 

The Prescriptive Mandates: PCI DSS 4.0.1 & HIPAA

In contrast to the broad NIST framework, data-specific regulations such as PCI DSS and HIPAA involve highly prescriptive technical requirements. Whether securing credit card data or electronic health records, vDefend serves as an essential, independently validated technical control point for both standards. The sections below explain these in detail.

PCI DSS 4.0.1 Alignment

The Payment Card Industry Data Security Standard places a strong emphasis on isolating the Cardholder Data Environment (CDE) and restricting access to it. In a virtualized environment, this means enforcing precise east-west traffic controls—the core architecture vDefend is built around. Coalfire’s Product Applicability Guide highlights vDefend’s coverage across all 12 major PCI DSS requirements:

Note: Requirements 3 and 9 are marked N/A as they address stored account data and physical access controls, respectively — areas outside the scope of a network security platform.

The detailed PCI DSS 4.0.1 Applicability Guide is available here. 

HIPAA Technical Safeguards Mapping

In healthcare environments, the stakes of inadequate security controls are particularly high. East-west traffic between clinical applications, databases, and administrative systems creates a wide attack surface for ePHI exposure. vDefend directly addresses this risk through its distributed enforcement model.

Under the HIPAA Security Rule, healthcare covered entities must deploy specific technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Coalfire’s validation confirms that vDefend aligns directly with these rigorous provisions: 

The Administrative Safeguards (requirements 1–5) address process and access governance; the Technical Safeguards (requirements 6–9) enforce those controls at the system level. vDefend is independently validated across all nine, providing covered entities with a strong, documentable compliance foundation.

The detailed HIPAA Applicability Guide can be found here. 

VMware vDefend provides essential technical control points for data-specific regulations. Coalfire’s validation confirms its direct alignment with both the PCI DSS 4.0.1 requirements for isolating the Cardholder Data Environment (CDE) and the HIPAA Security Rule’s rigorous provisions for safeguarding the confidentiality, integrity, and availability of ePHI.

Conclusion

VMware vDefend delivers a comprehensive set of control points for both broad frameworks, such as NIST CSF, and data-specific compliance mandates, such as PCI DSS and HIPAA. Adopting VMware vDefend allows organizations to implement a robust security strategy while gaining the necessary control points for compliance. By integrating visibility, prevention, detection, and mitigation directly into a closed-loop security system, vDefend significantly accelerates an organization’s journey toward a Zero Trust posture and continuous compliance. 

To learn more about the benefits of vDefend, see the links below.

• vDefend Product Applicability Guide for PCI-DSS
• vDefend Product Applicability Guide for HIPAA
• vDefend Product Applicability Guide for NIST CSF 2.0
• VMware vDefend Distributed Firewall
• VMware vDefend Advanced Threat Prevention
• VMware vDefend Datasheet
• vDefend DFW 1-2-3-4: A Prescriptive Path to Zero Trust Microsegmentation
• VMware vDefend How to Videos on YouTube

The post Validated Compliance: VMware vDefend Conforms with NIST CSF, HIPAA and PCI DSS appeared first on VMware Security Blog.

In the past, data center security mostly relied on perimeter protection—”building walls” to keep bad actors out. Today, safeguarding the data center’s “east-west” or lateral traffic traversing within applications and data is just as critical. Threat actors are leveraging “Frontier AI” security models to automate and accelerate attacks against private cloud workloads. 

To help enterprises achieve best-of-breed protection with significantly reduced complexity, we are excited to announce new VMware vDefend blueprints to speed up lateral security roll-out across VCF private cloud workloads and help organizations quickly buy down risk. The “Lateral Security for VMware Cloud Foundation with VMware vDefend” VVS is now integrated into core VCF 9.1 design documentation as “Lateral Security with vDefend” Blueprints. The blueprints for Securing the Management and Workload domains are now included with the core VCF 9.1 design documentation.

Here is a closer look at what this change means, what these blueprints cover, and how you can start using them to modernize your private cloud security and protect against both conventional and AI attacks.

What are the Design Blueprints for VMware Cloud Foundation?

A blueprint is a prescriptive, end-to-end architecture designed to accelerate your time-to-value when building and operating a VMware Cloud Foundation (VCF) private cloud platform. It provides predefined deployment models that conform to specific profiles. A blueprint also includes a set of planning, implementation, and design elements (requirements and recommendations) tailored to the selected deployment model. You can streamline your VCF private cloud provisioning by using them as a template, swapping out models to match your unique infrastructure layout.

What does Lateral Security with vDefend Blueprints cover?

The Lateral Security with vDefend Blueprints describes the architectural components and design selections required to provide unified, enterprise-grade security services for a VMware Cloud Foundation platform using VMware vDefend security solutions.

The design consists of three individual blueprints that cover pre-defined models to address network and application security corners of your platform:

• Security Services Platform for VCF: Outlines the design details, planning and preparation, and implementation steps for deploying the vDefend Security Services Platform on VCF.
• Management Domain Security: Tailored guidelines to protect the critical management components powering the VCF and establish a foundational, security-robust private cloud environment.
• Workload Domain Security: Dedicated blueprint aimed at utilizing the vDefend DFW-1-2-3-4 staged prescriptive workflow to meet the Zero Trust lateral security model for applications within a VCF workload domain.

Getting Started

Ready to eliminate blind spots and lock down your east-west traffic? Check out the new Lateral Security with vDefend design blueprints today and take your private cloud security to the next level.

Summary

By integrating VMware Validated Solutions into the core VCF 9.1 design documents, Broadcom aims to streamline documentation and provide straightforward guidance for building a robust, secure private cloud.

The Lateral Security with vDefend Blueprints equips you with verified configurations and guidelines to streamline setup, reduce guesswork, and accelerate the path to a cyber-resilient private cloud. Whether you’re new to security or an experienced professional, these blueprints make it easier than ever to transform your security plans into a practical security strategy.

Deployment and Design Resources:

Design Library for vDefend

Securing vSphere Supervisor and VKS

DFW 1-2-3-4: Security Journey Self-Deployment Guide

The post Introducing VMware vDefend Lateral Security Design Blueprints for VCF 9.1 appeared first on VMware Security Blog.

We would like to bring your attention to a security bulletin from AMD: AMD-SN-2001: Ionic Driver Vulnerabilities.

The bulletin details three vulnerabilities — CVE-2025-62623, CVE-2025-62624, and CVE-2025-62627 — present in the AMD ionic cloud driver for VMware ESX. These issues affect ESX hosts using AMD-Pensando DPU (Data Processing Unit) products.

We strongly encourage you to review the bulletin if you are using AMD-Pensando DPU products.

For technical inquiries, please contact VMware Support for assistance.

The post AMD Ionic Driver Vulnerabilities Affecting VMware ESX appeared first on VMware Security Blog.

Update, May 16, 2026

Pwn2Own 2026 has finished and we have witnessed one successful attempt on our products. On May 16, 2026, Nguyen Hoang Thach of STARLabs SG successfully demonstrated an exploit targeting VMware ESX.

We are actively working on the remediation and we plan to publish a VMware Security Advisory to provide information on updates for the affected products.

We would like to thank the Zero Day Initiative (ZDI) for allowing us to participate and the team from STARLabs SG for working with us to address the reported issue.

Initial post

The Broadcom PSIRT Team (VCF Division) is pleased to announce VMware’s participation in Pwn2Own Berlin 2026, organized by the Zero Day Initiative (ZDI). The competition will run from May 14–16, alongside OffensiveCon in Berlin, Germany.

Members of our team will be on-site to validate any VMescape demonstrations on ESX. If you are attending and have any questions for us, we would be happy to connect with you in-person.

VMware ESX continues to be a primary target in the virtualization category. A successful VMescape demonstration carries prize money of $150,000, with an additional $50,000 bonus available. This year, the contest is limited to ESX as VMware Workstation has been removed from the competition’s target list.

We would like to thank the Zero Day Initiative (ZDI) for the opportunity to participate. We will update this post as additional details become available. To stay informed on the latest VMware Security Advisories (VMSAs), please sign up here.

The post VMware at Pwn2Own Berlin 2026 appeared first on VMware Security Blog.

New enhancements include Self-Service Lateral Security with VCF Automation, Unified Lateral Threat Prevention for VMs and VKS Workloads, High-Performance Threat Prevention with IDPS Turbo Mode, and Enhanced Distributed Firewall capabilities.

The rapid adoption of production AI workloads is reshaping the enterprise technology landscape, driving the growth of Kubernetes environments alongside existing VM-based infrastructure. As organizations deploy AI agents and AI workloads across private cloud environments spanning VMs and Kubernetes, the attack surface becomes larger and more dynamic. The result is a rapidly evolving threat landscape, driving the need to secure both VM- and Kubernetes-based environments efficiently and consistently.

Recent incidents, including the CISA-reported BRICKSTORM malware activity and the rise of AI-assisted semi-autonomous cyberattacks, underscore that adversaries are now operating at machine speed. At the same time, enterprises face several practical challenges: reducing the attack surface to prevent lateral propagation of threats, securing workloads at the speed of application deployments, enforcing consistent security across VMs and Kubernetes environments, delivering the performance required for AI and high-capacity workloads, and consolidating security within the core platform rather than relying on fragmented point solutions.

VMware vDefend is integrated with the VMware Cloud Foundation (VCF) platform, providing plug-and-play zero-trust lateral security that protects modern distributed workloads, including AI and high-performance computing, without compromising the performance and agility they demand.

vDefend’s hypervisor-native, distributed, software-defined model provides a closed-loop security architecture that uniquely enables visibility, prevention, detection, and mitigation for comprehensive multi-layer defense. Additionally, vDefend’s distributed policy orchestration allows policies to be created once and automatically enforced as workloads are created or moved.

New vDefend innovations for VCF 9.1

• Self-Service Lateral Security with VCF Automation: VCF Automation’s Self-Service Lateral Security enables infrastructure and security teams to establish guardrails, such as predefined VPC security profiles and delegated distributed firewall (DFW) settings, allowing tenant admins to access security features on demand. This facilitates quicker application onboarding and ensures a uniform security baseline across all tenants.
  
• Unified Lateral Threat Prevention for VMs and VKS Workloads: As agentic AI and cloud-native applications drive Kubernetes adoption, VMware vSphere Kubernetes Service (VKS) clusters can now be inspected and protected by the same high-performance distributed IDS/IPS that currently secures VMs. Security teams get one console, one policy model, and consistent lateral threat prevention across VMs, containers, and bare-metal workloads, eliminating the blind spots attackers exploit. Customers deploy IDS/IPS (1) to meet compliance requirements (PCI-DSS and HIPAA) and (2) to enable virtual patching that quickly protects against software vulnerabilities while patches are rolled out enterprise-wide.
  
• High-Performance Lateral Threat Prevention: The new IDPS Turbo Mode delivers 3x throughput, increasing from 3 Gbps to 9 Gbps per host and up to 9 Tbps per VCF domain, enabling security teams to protect against software vulnerabilities (virtual patching) and behavioral threat detection for modern AI and high-capacity workloads.
• Enhanced Distributed Firewall Capabilities: A 5x increase in Application Identification support for greater L7 visibility and simpler, granular security enforcement. Additionally, identity-based firewalling now supports a federated (multi-site) environment for consistent, simplified policy enforcement.

Built upon these key capabilities, vDefend serves as the comprehensive lateral security foundation for VCF, protecting VMs, containers, and AI workloads. The following sections will detail each of these key features.

Self-Service Lateral Security with VCF Automation

VDefend 9.1 introduces a comprehensive self-service security model that empowers Tenant Admins to manage network security directly within VCF Automation through five system-defined Security Profiles. The VPC Simplified Security feature provides one-click security for Virtual Private Clouds (VPCs) using consistent, repeatable security profiles. Tenant Admins can select a security profile for new and existing VPCs, automatically setting the default security posture and eliminating the need to manually create foundational Distributed Firewall (DFW) rules. The system-defined per-VPC DFW rules cannot be modified manually. Security policies follow a precedence order, with user-defined policies enforced before system-defined VPC security policies. This structure supports a self-service security model with automated DFW policies. In addition, this new release provides granular firewall control for both Distributed and Gateway Firewalls while enabling automated orchestration using Privileged Labels. 

Unified Lateral Threat Prevention for VMs and VKS Workloads

vDefend delivers unified lateral threat prevention by extending its hypervisor-native IDS/IPS capabilities from VMs to vSphere Kubernetes Service (VKS) workloads via CNI integration. This architecture allows security teams to enable IDS/IPS at the pod level. This capability enables vDefend IDS/IPS to continuously inspect traffic, detect, and prevent threats for mixed-mode hosts (VMs and Kubernetes). 

High-Performance Lateral Threat Prevention

VMware vDefend 9.1 delivers a major performance boost with the introduction of “Turbo Mode” for Distributed IDS/IPS, which triples threat-prevention throughput from 3 Gbps to 9 Gbps per host and up to 9 Tbps within a single VCF instance. In addition, this release provides granular control over inspected traffic with exempt actions. The new exempt actions allow security admins to select which traffic to inspect and exclude trusted traffic, such as nightly backup traffic. This also improves efficiency. 

Enhanced Distributed Firewall Capabilities

The Distributed Firewall enhancements include Layer 7 (L7) visibility and simplified policy management based on Application identification. A 5x increase in Application identification, adding ~4,000 new Application IDs, provides enhanced application visibility and enables security teams to create granular firewall rules based on the application itself rather than relying solely on ports and protocols, making security enforcement simpler and more effective. Additionally, federated identity-based firewalling has been introduced to enable uniform policy enforcement across large (multi-site) deployments. 

Conclusion

The rapid growth of AI workloads and distributed infrastructure has made traditional perimeter-based security measures insufficient. This evolving threat landscape is further complicated by AI-assisted, semi-autonomous attacks and the emergence of software vulnerabilities identified by AI models, which greatly widen the attack surface. As a result, lateral security is now an essential part of a comprehensive security strategy, not just an optional addition to perimeter defenses. Security teams need controls that match the agility of their workloads, enforce policies uniformly across containers and VMs, and enable lateral security to prevent the lateral movement of threats. VMware vDefend, along with its new capabilities, enables infrastructure and security teams to implement Zero Trust lateral security to protect VCF workloads at the speed and scale the AI era demands.  

To learn more about vDefend, see the links below.

Resources

• Zero Trust Lateral Security for Kubernetes Workloads on VCF
• vDefend DFW 1-2-3-4: Deploy Zero Trust Microsegmentation

• Advancing Zero Trust Private Cloud with vDefend Lateral Security

• Enhance Lateral Security and Ingress Load Balancing for Kubernetes Workloads

• Broadcom Unveils AI-Ready Lateral Security and App Delivery Innovations

• vDefend Webinar Series
• Customer Case Studies:  St. John’s Health | United States Senate Federal Credit Union | GCI

The post VMware vDefend for VCF 9.1: Zero Trust Lateral Security for the AI Era appeared first on VMware Security Blog.

This article was originally published December 2025 in:

Hugely disruptive ransomware attacks can be thwarted by distributed lateral security embedded at the private cloud level, using macro- and micro-segmentation and integrated threat detection and prevention.

Ransomware attacks in 2025 have caused business operations to close for weeks and months resulting in massive financial losses in organizations across the globe in sectors such as retail, manufacturing or healthcare. 

These major breaches go well beyond the purview of the security team alone. They demand boardroom attention and a fundamental rethinking of enterprise defense strategies.

Much of the urgency stems from how AI has rapidly transformed the threat landscape. AI-powered autonomous attacks now probe enterprise networks with minimal human intervention, discovering thousands of potential entry points where human attackers might find only a handful. 

The automated nature of these attacks means they’re finding far more vulnerabilities much faster. What happens after infiltration hasn’t changed — lateral movement, hunting for high-value assets, and initiating the ransom process. But AI makes the need for proper security hygiene even more pronounced.

The automated nature of AI-driven attacks means the enterprise needs to take a different approach to security. Traditional perimeter-based security assumes a fortress model, with strong walls that protect sensitive internal assets from external threats. But modern enterprises deploy distributed workloads, containers, and dynamic infrastructure that renders static perimeter defenses obsolete. Once attackers breach the perimeter, they can move laterally (freely) through flat (unsegmented) networks like burglars in an empty mansion.

Breaking the ransomware kill chain

Breaking the ransomware kill chain requires distributed security controls at multiple stages. During initial infiltration, intrusion prevention capabilities must operate wherever vulnerabilities exist, such as across private clouds, virtual desktop environments, and application layers. This distributed approach is critical because a single Java or Linux vulnerability might expose dozens of applications simultaneously across hundreds of servers.

Macro- and micro-segmentation is the crucial second line of defense. By creating virtual barriers at the workload and hypervisor level, organizations prevent lateral movement even after initial compromise. Rather than allowing attackers to roam freely once inside, macro- and micro-segmentation contains any threats, limiting damage and buying security teams critical response time.

However, implementation requires discipline. Organizations often mistake micro-segmentation’s ultimate goal for the first step, attempting to jump directly to granular application-level controls. The more effective path progresses systematically, guided by in-built deployment tooling in the firewall itself: assess the environment, segment shared infrastructure services, establish zone-based protections, then evolve toward application-level microsegmentation.

Network detection and response (NDR) provides the third critical capability. As attackers leave behavioral signatures while moving laterally, AI-powered integrated threat defense can correlate these indicators across the environment, identifying malicious activity before data exfiltration and encryption begin. Locking down protocols like Remote Desktop Protocol becomes essential.

The operational reality, however, is that security tool sprawl undermines even sophisticated strategies. Multiple disconnected solutions create deployment delays, policy management nightmares, and incomplete coverage across the attack chain. Organizations purchase numerous tools but deploy only a fraction and across a subset of applications, leaving dangerous gaps.

The solution lies in integrated, software-defined security that deploys at the data center private cloud level, where applications and data reside. VMware vDefend exemplifies this approach: a unified stack that provides distributed firewall capabilities for macro- and micro-segmentation with automated deployment workflows, as well as advanced threat detection and prevention that automatically extends as environments scale. By embedding security into the virtualization and Kubernetes layer with policy mobility and dynamic workload protection, organizations gain comprehensive visibility without IP address complexity or deployment delays.

Modern ransomware demands modern defenses. Not more disparate tools, but smarter architecture that breaks the kill chain before attacks succeed.

To learn more about how VMware vDefend can help your security approach meet AI-powered threats, visit here.

The post Breaking the Ransomware Kill Chain: Why Distributed Lateral Security Is No Longer Optional appeared first on VMware Security Blog.

As the digital landscape enters the age of Artificial Intelligence, the traditional methods of securing applications are being fundamentally challenged. The emergence of advanced AI models has shifted the advantage towards attackers. With AI, even a novice attacker is now weaponized into a sophisticated hacker while operating semi-autonomously at very low cost, and unprecedented scale. Imagine the massive damage that ransomware gangs and/or nation-state actors could do with these cyber weapons.  In recent times, ransomware attacks have led to business operations going offline for weeks and months, resulting in financial losses in hundreds of millions of dollars. To maintain a cyber resilient posture, organizations must move beyond reactive security and embrace a proactive defense-in-depth strategy centered on lateral security and virtual patching.

AI-discovered Tsunami of Exploits

Frontier AI models have the intelligence to identify unknown (zero day) software vulnerabilities (bugs) and find ways to exploit them faster than ever before. Attackers can leverage these exploits to infiltrate digital enterprises, propagate laterally, hopping and hunting, to find high value assets for ransom or for stealing secrets. They can initiate widespread, volumetric and/or targeted attacks semi-autonomously – leading to an exponential increase in the attack surface. “Security through obscurity” is no longer a viable cyber security strategy.

If enterprises can quickly patch software vulnerabilities, they can certainly reduce the risk of a breach and/or its spread. However, this is an extremely time consuming and resource intensive endeavor. There are thousands of software tools and apps, each with varied software versions, deployed on different types of hardware and operating systems and spread across multiple data centers. In larger organizations, “race to patch” can take weeks to months to roll out patches enterprise wide, leaving the organization exposed to infiltration, ransom and potentially business disruption.

To help quickly protect against this tsunami of exploits unleashed against workloads & apps and to buy down risk, enterprises need to focus on two key defenses for their private cloud workloads:

• Enable virtual patching using intrusion prevention systems and web application firewall
• Restrict propagation of attacks with lateral segmentation

What is Virtual Patching?

Virtual patching is a vulnerability-shielding tactic that protects assets by implementing a minimal layer of security policies at the network or application delivery level, front ending that asset. These measures intercept and block exploit attempts before they can reach the vulnerable software, effectively “patching” the flaw in the communication path rather than the software itself. 

Key Benefits of Virtual Patching

• Application availability: Ensures that applications/assets are available while the risks are mitigated
• No code changes: It protects applications without requiring deployment of updated software/patches. Software patches can introduce regressions: this approach eliminates that risk
• Targeted signatures: Reduces the risk of false positives and performance impact
• Zero-Day Protection: Provides a rapid response to vulnerabilities for which no official patch yet exists.
• Legacy Support: Shields older, unsupported systems that are still critical to business operations. Patches may not even exist for legacy applications
• Buys Time: Grants security teams the necessary cycles to test and deploy permanent vendor patches without remaining exposed
• Helps with Compliance: Many regulations such as PCI-DSS and HIPAA, require timely deployment of security controls to remain compliant

vDefend Distributed IDPS: Hypervisor-embedded Virtual Patching 

VMware vDefend provides a revolutionary approach to virtual patching of workloads by integrating security directly into the VMware Cloud Foundation (VCF) hypervisor fabric. The vDefend IDPS (Intrusion Detection and Prevention System) is applied directly to the vNIC of every workload, enabling deep, granular inspection of application traffic (every packet) moving across the VCF private cloud, specifically targeting network-layer exploits and lateral movements.

How vDefend IDPS Enables Virtual Patching

• Hypervisor-Integrated Inspection: vDefend’s Distributed IDPS inspects network traffic at the vNIC of every VCF workload. This ensures unpatched servers cannot be exploited by attacks originating from the outside or from inside the network. 
• Automated dynamic policies: Run a vulnerability scan to identify workloads, apply appropriate tags and create a virtual patching policy with a limited set of IDPS signatures. As new vulnerable workloads are identified and tagged, the policies are applied automatically and vulnerable workloads get immediate protection.
• East-West Security: IDPS prevents attackers from exploiting vulnerabilities to move laterally within the environment (and eventually compromising high-value assets).

Examples of Vulnerabilities Protection

• Moveit Transfer Auth Bypass (CVE-2024-5806): This flaw in the SFTP module of Moveit Transfer allowed attackers to bypass authentication and steal files without a password. vDefend can detect the “insufficient validation” logic patterns during the initial connection phase and stop the attack in it’s tracks. 

• Ni8mare (CVE-2026-21858): This unauthenticated RCE flaw in the n8n automation platform allows attackers to achieve full system takeover via “Content-Type confusion.” vDefend identifies these malformed JSON payloads and malicious header mismatches, blocking the exploit before an attacker can hijack internal workflows to move laterally through the data center.

• Log4Shell (CVE-2021-44228): vDefend IDPS can detect and prevent against attempts at exploiting the Log4shell vulnerability. This exploit, residing in the Java Naming and Directory Interface (JNDI), can download malicious scripts and perform remote code execution, allowing full control of the targeted system. (Demo: Protecting against Log4Shell with VMware vDefend ATP)

The vDefend Advantage: What makes vDefend IDPS powerful for this use case is its architectural advantage, signature strategy, and operational simplicity. 

• Speed matters in the era of AI-driven threats. vDefend’s built-in closed-loop security architecture — through integration with the VCF private cloud platform — delivers detection as well as rapid mitigation, thus dramatically reducing attacker dwell time. 
• vDefend IDPS supports IDPS signatures that are frequently updated (multiple times a day), ensuring protection against the latest global threats. Broadcom has a threat intelligence team that actively analyzes new exploits, creates signatures, and updates the signature bundles (see IDPS signature portal)
• Furthermore, IDPS supports custom IDPS signatures: customers can import trusted signatures from third-parties or develop in-house to virtually patch their applications. This provides a truly bespoke security posture.

vDefend Distributed Firewall: Restrict Unauthorized Lateral Propagation

To further restrict lateral propagation of threats, vDefend also provides a high-performance hypervisor-embedded Layer-7 Distributed Firewall (DFW). It allows comprehensive lateral segmentation of VCF workloads through highly streamlined context (or tag) based security policies. Lateral segmentation includes both macro and micro-segmentation, applied to ensure trusted (least-privileged) access to infrastructure services, environments (or zones), and applications. DFW is fully scale-out, eliminates traffic tromboning and the need for network changes (unlike traditional firewalls), and preserves the segmentation posture during vMotion events. It also includes a built-in prescriptive deployment tool, DFW 1-2-3-4 (blog), enabling rapid self-deployment across all workloads in as little as a few weeks.

Avi Web Application Firewall: Virtual Patching for Web Applications

While vDefend secures the internal network, the Avi Web Application Firewall (WAF) acts as the first line of defense for web-facing applications, providing virtual patching at the web layer.

How Avi WAF Prevents Exploitation

• Edge Defense: Avi WAF analyzes incoming north-south traffic, identifying and neutralizing OWASP Top 10 threats before they reach the application.
• Protocol-Aware Inspection: Its robust HTTP/HTML parser understands complex protocol features, ensuring that even obfuscated exploit attempts are caught within the application payload.

Examples of Vulnerabilities Protection

• SQL Injection (SQLi): Avi WAF virtually patches vulnerable databases by stripping malicious SQL commands from web entry fields. An example is CVE-2025-31044 in the Premium SEO Pack plugin of WordPress. Avi uses a pipeline-based security model to provide protection against SQLi at different stages of the incoming traffic.
• Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) : Avi WAF’s built-in CSRF (Cross-Site Request Forgery Protection) prevents attackers from injecting client-side scripts into web pages by sanitizing incoming requests. For example, Avi protects against the MCP inspector tool vulnerability (CVE-2025-49596) that exposes a new class of browser-based attacks against AI developer tools. 
• React2shell (CVE-2025-55182): Avi WAF blocks Remote Code Execution (RCE) attempts like Command Injection, Application Language Specific attacks, and also blocks attempts to include remote files (RFI) or local system files (LFI) that could lead to attackers to execute arbitrary commands on application server.

Avi WAF for Vulnerability Scanner to further Virtual Patching: Avi WAF provides an inbuilt SDK that can import Dynamic Application Security Testing (DAST) scanner results to construct the customized WAF policy to protect the application from security threats found by the scanner. Avi WAF supports Qualys Web App Scanning and OWASP ZAP Attack Proxy DAST scanner results.

The Avi Advantage:  Key differentiators for Avi WAF are its software-defined architecture, scale-out and full access to the Avi customer base.

• Unlike alternative WAF solutions that require a separate, expensive license, Avi WAF is available to all Avi customers as part of the Avi license. Essentially every Avi Load Balancer customer also has the built-in capability to secure their web applications by default. 
• Avi is also fully integrated with VCF, thus delivering plug-and-play operational experience and self-service load balancing and WAF – for both VM and Kubernetes (VMware Kubernetes Service – VKS) workloads.

Conclusion

In the era of AI-accelerated threat landscape, the “race to patch” has reached a breaking point. Organizations can no longer rely solely on eventual roll-out of code updates to stay secure. By leveraging vDefend Distributed IDPS for lateral virtual patching, vDefend DFW for lateral segmentation and Avi WAF for web application security, enterprises can implement a comprehensive private cloud cyber defense strategy. This multi-layered approach provides an immediate and comprehensive defense that blocks hackers from exploiting vulnerabilities, buying the IT team the critical time needed to maintain long-term application integrity.

The post Virtual Patching: Guarding Against a Tsunami of AI-discovered Exploits with vDefend and Avi appeared first on VMware Security Blog.

In a cloud-native environment, Kubernetes-based containerized orchestration has brought developer agility – but it has also fundamentally changed the security paradigm. Traditional “castle-and-moat” security designs that rely on a perimeter firewall are no longer enough to protect modern workloads. Once an attacker breaches that outer shell, the flat network architecture common in many Kubernetes environments allows them to move laterally with ease, potentially compromising many applications in their hunt for high-value assets to ransom. The cyber landscape is further exacerbated by recent cyberattacks that have halted business operations for weeks and months, causing massive financial losses (hundreds of millions of dollars or more) and the emergence of AI-driven autonomous attacks.

Bridging this lateral security gap with VMware vDefend is crucial for organizations leveraging vSphere Kubernetes Service (VKS) within VMware Cloud Foundation (VCF). The fact that vDefend is fully integrated with VKS and completely plug-and-play with VCF makes a comprehensive rollout of Zero Trust lateral protection across all VKS clusters operationally simple and fast. Businesses can finally implement a true Zero Trust security model consistently across Virtual Machines and Containers – the same policy model, the same management console and APIs, the same troubleshooting tools. The powerful combination of vDefend with VKS Clusters decouples security policy from static, ephemeral IP addresses and instead uses workload-based identity to enforce granular protection.

In a typical Kubernetes cluster, network identity is fleeting. Containers are designed to be short-lived; when a pod is terminated, and a new one is created, a completely different IP address is assigned. This “ephemeral” nature makes traditional IP-based firewall rules obsolete almost instantly, leading to administrative overhead or, worse, massive security holes.

The integration of VMware vDefend and vSphere Kubernetes Service (VKS) solves this by decoupling security from the networking layer. Instead of relying on static IPs, vDefend uses Antrea CNI, the default CNI with VKS, to enforce context-aware policies based on logical metadata – such as labels applied to namespaces, services, and pods. Because the security policy is tied to the workload’s identity rather than its IP address, the protection follows the Pod automatically, even as it scales or is recreated on a different node. Furthermore, this enforcement occurs at the immediate point of origin—the Pod interface for containerized workloads and the vNIC for Virtual Machines within the Hypervisor. This ensures that security is applied at the ‘first hop,’ neutralizing threats before they ever traverse the physical or virtual network. 

Unified Management: One Policy to Rule Them All

Operational silos, where separate security stacks have to be implemented for virtual machines and Kubernetes clusters, are a major hurdle in modern infrastructure, often leading to inconsistent protection and blind spots. vDefend addresses this by providing a unified security management solution for VMs and Kubernetes (VKS) workloads through a single pane of glass within VCF. This enables security administrators to define a global security posture that is consistently applied across the entire Supervisor cluster and all guest VKS clusters, without treating the VKS clusters as opaque entities.

Bridging the Gap: Securing the “In-Between”

The most critical vulnerability in modern architecture often lies at the intersection of different workload types. A typical application might host its frontend in a containerized VKS pod while keeping its mission-critical database on a traditional virtual machine. Traditionally, these two worlds lived in separate security boundaries, making inter-workload traffic difficult to monitor and secure. VMware vDefend bridges this critical gap. Because it is natively integrated into the ESXi hypervisor, vDefend can inspect traffic closest to the source, as it moves between a container and a VM – even if they are on the same host. This cross-workload security ensures that the “mixed-mode” applications are protected by a continuous zero-trust boundary, stopping lateral movements regardless of whether the threat is hopping from a pod to a VM or vice versa.

Control for Security Admins and Freedom for App Developers

In modern enterprises with Kubernetes workloads, security often becomes a shared responsibility between centralized security teams and application owners. While security teams typically define the organization’s overarching security model, application owners frequently control the security policies for their specific applications. While this ops model offers flexibility, it could create security gaps. vDefend addresses this by enabling security administrators and application owners to co-own container security policies through a central management view. Security administrators can control cluster-level firewall policies (ingress and egress traffic for a VKS cluster) to focus on environmental and infrastructure security. By utilizing vDefend’s distinct firewall categories, they can ensure these essential policies are always enforced first. Meanwhile, application owners retain complete autonomy to define application-tier Kubernetes networkPolicies without requiring explicit approval from security administrators. This collaborative approach ensures comprehensive protection across the board.

To truly understand the power of a unified security stack, it helps to look at how it handles real-world threats. By applying vDefend to VKS, administrators can move beyond broad “allow-all” rules and implement surgical precision in the security posture.

• Quarantining a Compromised Workload

One of the most important scenarios for a DevSecOps team is a “malicious-pod” – a container that has been compromised and is now attempting to scan the network for vulnerabilities and exfiltrate data. In a standard Kubernetes setup, this pod might have a “flat” path to every other service in the cluster. With vDefend firewall policies, you can execute a “Quarantine” strategy. By applying specific tags (e.g., quarantine = malicious) to the suspected pod, a high-precedence Emergency Category policy is instantly triggered. This policy overrides all other existing rules, immediately dropping all inbound and outbound traffic to the pod except for a secured connection to a “forensic pod” or a “jump host” for investigation. This drastically reduces the blast radius of the breach, stopping lateral movement before it starts.

• Hardening External Egress Traffic

In a Zero Trust environment, what goes out of your VKS cluster is just as important as what comes in. Many modern attacks, such as the Log4Shell exploit, rely on compromised workloads contacting malicious command-and-control systems. Protecting egress traffic in VKS is uniquely challenging because IPs are typically lost behind a generic Source Network Address Translation (SNAT) at the node. The solution is to leverage Antrea Egress to provide a stable, predictable identity for outbound traffic. By associating specific pods with an Egress IP, you can create granular vDefend firewall rules that allow only a specific production application to talk to an external database while blocking the rest of the cluster. This ensures that even if a workload is compromised, it cannot reach unauthorized external endpoints.

Future-Proofing with VCF and vDefend

By deeply integrating vDefend with VKS, the platform eliminates the traditional trade-off between developer agility and enterprise security.

Key Benefits for VCF Customers:

• Zero-Trust by Default: Organizations can now enforce a granular, Zero Trust model that covers the entire stack – from legacy virtual machines to ephemeral Kubernetes pods. This intrinsic security model stops ransomware and other sophisticated threats from moving laterally across your environment.
• Operational Simplicity: VCF and vDefend introduce a “single pane of glass” for policy management. Instead of juggling fragmented tools for container and VM security, administrators use a unified operational model that reduces the learning curve and eliminates manual configuration drift.
• Accelerated Time-to-Market: With self-service capabilities and automated policy orchestration, developers can spin up secured applications in minutes rather than months. Security is applied as soon as a workload is provisioned – security at the speed of apps, ensuring compliance from the very first packet without requiring tickets to multiple infrastructure teams.
• Deep Insights and Troubleshooting: The vDefend integration with VCF and VKS provides unparalleled insights into VM and container traffic flows. Features like Antrea Traceflow allow teams to synthetic-test their network paths, ensuring that every firewall rule functions as intended before an issue escalates.

Making VKS clusters vDefend Ready – video demo

Safeguarding your containerized workloads on VKS with vDefend shouldn’t be a complex hurdle. This video demonstrates just how simple it is to make the VKS cluster vDefend ready. By following the streamlined process, you can make your clusters vDefend-ready in minutes, unlocking powerful macro and microsegmentation capabilities. Whether you are managing existing deployments or spinning up new environments, this tutorial shows how remarkably easy it is to have your VKS cluster ready for vDefend.

Core insights from the video:

• Seamless Integration: Learn how the registration process acts as the “handshake” between your VKS cluster and vDefend
• Operational Simplicity: See firsthand that making a VKS cluster vDefend ready doesn’t require complex coding; it’s a straightforward workflow within the management console
• Automated Discovery: Discover how VKS namespaces, pods, and services are automatically recognized, enabling set-and-forget policies that scale as your cluster grows

Securing Modern Applications with VMware vDefend – video demo

Here is a video walkthrough of the simple steps for protecting modern applications deployed across a virtual machine environment and a VKS cluster. It showcases how robust security policies can be implemented in vDefend to prevent lateral movement between services in VKS clusters and also easily block unauthorized access to external systems from the VKS cluster.

Core insights from the video:

• Simplified Management: See how a single pane of glass with VKS and vDefend allows administrators to quickly and efficiently manage policies for both containerized workloads and virtual machine workloads
• Unified Security Policy: Understand how registering a VKS cluster allows you to apply consistent firewall rules across both traditional virtual machines and modern containerized workloads
• Egress Security: As mentioned above, Antrea Egress provides a stable, predictable identity for outbound traffic. This can be used to create granular vDefend firewall rules to allow only a specific service to communicate with an external database

vDefend is Key to a Secure and Agile Private Cloud

By adopting the models described above, VCF operators who deploy vDefend are building resilient, scalable, and automated security foundations. As applications continue to evolve into complex webs of containers and VMs, having a unified security layer is no longer just a “best practice” – it is the key to maintaining a secure and agile private cloud.

Further Reading:

Check out the detailed Securing vSphere Supervisor and VKS with vDefend reference design, which serves as both an architectural blueprint and a practical implementation handbook for using VMware vDefend security solutions. It offers essential design insights and security recommendations to enhance the protection of vSphere Supervisor and the mixed-form-factor workloads running on it: Virtual Machines, vSphere Pods, and VKS.

The post VMware vDefend: Zero Trust Lateral Security for Kubernetes Workloads on VCF appeared first on VMware Security Blog.

In September 2025, the cybercriminal group Storm-1175 exploited a zero-day vulnerability in GoAnywhere Managed File Transfer to deploy Medusa ransomware across multiple organizations. The attack succeeded despite perimeter defenses because no signature existed to detect it, and by the time one did, attackers had already established persistence and were moving freely through victim networks.

This incident illustrates a fundamental truth: perimeter firewalls alone cannot protect modern enterprises. Organizations must adopt a defense-in-depth strategy that provides visibility across every phase of an attack.

The Anatomy of a Zero-Day Attack

What Is a Zero-Day?

A zero-day vulnerability is a security flaw unknown to the vendor and the security community. Because no one knows it exists, no signature can detect its exploitation. These vulnerabilities are prized by threat actors precisely because they bypass traditional perimeter defenses.

According to CISA guidance, the most dangerous vulnerabilities, particularly those affecting widely-deployed shared services, are often kept secret by threat actors for extended periods. They remain “zero-day” until discovered by researchers or defenders, sometimes only after significant damage has occurred.

The GoAnywhere MFT Incident

On September 11, 2025, Microsoft Threat Intelligence observed Storm-1175 exploiting CVE-2025-10035, a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet with a CVSS score of 10.0.

The timeline reveals the problem:

• September 11, 2025: Storm-1175 begins exploiting the vulnerability
• September 18, 2025: Fortra publishes security advisory
• September 18+, 2025: IDS signatures become available

For seven days, every organization running GoAnywhere MFT was vulnerable. No perimeter firewall could help, as there was nothing to detect.

Why Perimeter Defenses Failed

The Signature Problem

Perimeter firewalls rely on Intrusion Detection System (IDS) signatures to identify malicious traffic. These signatures are pattern-matching rules created by security researchers after a vulnerability becomes known.

This model has an unavoidable weakness: signatures are reactive. They cannot detect attacks using unknown vulnerabilities. When Storm-1175 exploited GoAnywhere MFT on September 11, there was no signature because no one outside the attacker group knew about the vulnerability.

Signatures Cannot Undo a Breach

Newly released detection signatures address future exploitation attempts; they do not remediate existing intrusions.

This limitation proved critical in the Storm-1175 intrusion. Microsoft’s analysis indicates that the threat actors established persistence mechanisms immediately following initial access, deploying:

• SimpleHelp and MeshAgent (legitimate remote monitoring tools)
• .jsp web shell files within the GoAnywhere MFT directories

Once these backdoors were in place, the attackers no longer needed the vulnerability. A signature detecting CVE-2025-10035 exploitation would catch future attacks, but the attackers were already inside, communicating through legitimate-looking channels.

Inside the Attack: What Happened After Initial Access

The Storm-1175 intrusion demonstrates how attackers operate once past the perimeter. Each phase was designed to evade detection by traditional security tools.

Phase 1: Persistence

The attackers dropped remote monitoring and management (RMM) tools directly under the GoAnywhere MFT process. SimpleHelp and MeshAgent are legitimate software used by IT departments worldwide. To a perimeter firewall, or even many endpoint tools, this looks like normal administrative activity.

Web shells (.jsp files) provided an additional backdoor, giving attackers persistent access to the compromised server even if the RMM tools were discovered.

Phase 2: Discovery

With persistence established, Storm-1175 began mapping the victim environment:

• User and system discovery commands identified accounts and system configurations
• Netscan deployment revealed the internal network topology

This reconnaissance happened entirely within the network perimeter. No external traffic to analyze. No signatures to trigger.

Phase 3: Command and Control

The attackers established a command-and-control infrastructure using two techniques specifically chosen to evade detection:

• RMM tools: SimpleHelp and MeshAgent traffic looks identical to legitimate IT administration
• Cloudflare tunnel: C2 communications were encrypted and routed through Cloudflare’s trusted content-delivery network

A perimeter firewall sees encrypted traffic to a reputable CDN provider. There is nothing inherently malicious about this pattern; hundreds of legitimate applications use Cloudflare daily.

Phase 4: Lateral Movement

This is where the attack becomes entirely invisible to perimeter defenses.

Storm-1175 used mstsc.exe, the built-in Windows Remote Desktop client, to move across systems within the compromised network. This east-west traffic never touches the perimeter. The firewall has no visibility into:

• A Confluence server connecting to the backup server via RDP
• That same server pivoting to the file server
• Subsequent connections to the domain controller and exchange server

The attackers moved freely through the network using a legitimate Windows tool over legitimate protocols.

Phase 5: Exfiltration

Before deploying ransomware, Storm-1175 exfiltrated data using Rclone, a command-line tool designed for syncing files to cloud storage. Rclone supports dozens of cloud providers and encrypts data in transit.

To a perimeter firewall, this looks like an employee backing up files to cloud storage, a routine, sanctioned activity in most organizations.

Phase 6: Ransomware Deployment

The attack culminated with the deployment of the Medusa ransomware across victim environments. By this point, the attackers had:

• Maintained access for days or weeks
• Mapped the entire network
• Compromised critical systems, including domain controllers
• Exfiltrated valuable data for double extortion

The ransomware deployment was the final, visible symptom of an infection that had spread silently through the organization.

The Need for Defense-in-Depth

The GoAnywhere MFT incident proves that perimeter-centric security creates a brittle defense. Once breached, whether through a zero-day vulnerability, stolen credentials, or a social engineering attack, threat actors operate with impunity if internal visibility is lacking.

Defense-in-depth addresses this by providing multiple detection opportunities across the attack lifecycle:

Lateral Movement: The Critical Detection Point

Of all post-exploitation activities, lateral movement represents the most reliable detection opportunity. Here’s why:

1. It must happen: Attackers rarely achieve their objectives from a single compromised host. They need to reach domain controllers, file servers, and backup systems.
2. It creates observable patterns: Even when using legitimate tools like RDP, lateral movement generates anomalous traffic patterns. A web server initiating RDP connections to a backup server is unusual.
3. It happens inside the network: Unlike C2 traffic, which can be tunneled through CDNs or encrypted channels, lateral movement occurs on the internal network, where organizations have full visibility.

The following is a breakdown of how each technology can help detect and prevent lateral movement attempts.

Distributed Firewall (DFW)

The VMware Distributed Firewall (DFW) can block lateral movement entirely by enforcing microsegmentation policies at the workload level. With DFW, even if an attacker compromises an application server, they cannot establish RDP, SMB, or other connections to systems outside their authorized communication scope. In the scenarios illustrated in Figures 2 and 3, a properly configured DFW policy would have blocked both the RDP connections, stopping the attack chain before lateral movement could occur.

Distributed IDPS

While NTA/NDR focuses on behavioral anomalies, a Distributed IDPS provides signature-based detection at every workload. Unlike traditional perimeter IDPS that only inspects north-south traffic, a distributed architecture applies intrusion detection to east-west traffic as well.

During lateral movement, attackers frequently use protocols and techniques with known signatures, such as exploitation of remote services, pass-the-hash attacks, or specific tool fingerprints. A Distributed IDPS can identify these patterns regardless of where they occur in the network.

Network Traffic Analysis / Network Detection and Response (NTA/NDR)

NTA/NDR solutions monitor east-west traffic precisely for lateral movement patterns. They establish behavioral baselines and identify anomalies that signature-based tools cannot detect. Key detection capabilities include:

• Unusual authentication patterns between systems (lateral movement): For example, in vDefend ATP, the Intelligence component raises an alert when it detects  MS-SCMR (Microsoft Service Control Manager Remote Protocol). Figure 2 shows an example of this detection when confluence_server-59tt tries to login into the domain_controller-59tt

Lateral Movement between Confluence Server and Domain Controller

• Protocol anomalies (RDP from a server that has never initiated RDP): In vDefend ATP, the Intelligence component raises an alert when it detects an RDP connection within internal hosts. Figure 3 shows an alert raised when an RDP connection between confluence_server-59tt and backup_server-59tt was detected.

RDP connection from Confluence Server to Backup Server

• Credential abuse across multiple systems
• First-time connections between hosts

These behavioral indicators are invisible to perimeter firewalls but clearly visible to NTA/NDR solutions monitoring internal traffic flows.

The true value of NTA/NDR resides in improved triage capabilities that correlate individual events together into campaigns, enabling security teams to understand the full scope of an attack rather than investigating isolated alerts.

Sandbox Analysis

Furthermore, sandbox analysis provides visibility into attacker tooling and behavior. The ability to detonate suspicious samples in an isolated environment (see Figure 4) allows defenders to understand which tools the attacker executed and dropped in the environment.

Sandbox analysis for the SimpleHelp tool used by Storm-1175 for persistence

Without this layered internal visibility and enforcement capability, attackers like Storm-1175 move undetected from their initial foothold to complete network compromise.

Recommendations

Based on the GoAnywhere MFT incident and the broader threat landscape, organizations should:

Accept That Perimeter Breaches Will Occur

Zero-day vulnerabilities, stolen credentials, and sophisticated phishing will periodically succeed: Design your security architecture assuming the perimeter will be bypassed.

Segment Your Network

A compromised web server should never have direct RDP access to a domain controller. Implement network segmentation to restrict lateral movement opportunities and contain potential breaches. 

Where possible, deploy macro- and microsegmentation using distributed firewalls to enforce least-privilege network access between workloads. Unlike traditional network segmentation that operates at the VLAN or subnet level, microsegmentation applies granular policies at the individual workload level, blocking unauthorized east-west traffic regardless of network topology.

In the Storm-1175 intrusion, attackers moved laterally via RDP from the initial compromised host to various workloads within the network. With microsegmentation policies in place, each of these connections would have been denied and logged. 

Deploy Distributed Intrusion Detection and Prevention (DIDPS)

Unlike perimeter-based IDPS that only inspects north-south traffic, distributed IDPS operates at every workload, providing signature-based detection for lateral movement techniques such as MS-SCMR, PsExec, and exploitation attempts between internal hosts. 

Deploy distributed IDPS to detect malicious activity that occurs entirely within the network perimeter.

Implement Network Traffic Analysis / Network Detection and Response (NTA/NDR)

NTA/NDR solutions monitor east-west traffic for behavioral anomalies that signature-based detection may miss. These include RDP connections from servers that have never initiated RDP, unusual authentication patterns, beaconing behavior indicative of C2 tunnels, and anomalous data transfers suggesting exfiltration. 

Deploy NTA/NDR capabilities to identify attacker activity that leverages legitimate tools and encrypted channels.

Monitor for Legitimate Tool Abuse

Attackers increasingly use built-in operating system tools (mstsc.exe, PowerShell) and legitimate software (RMM tools, Rclone) to avoid detection. 

Configure security tools to baseline normal behavior and generate alerts when anomalies occur.

Conclusion

The Storm-1175 intrusion against GoAnywhere MFT demonstrates why defense-in-depth is not optional. A sophisticated threat actor exploited a zero-day vulnerability, established persistence using legitimate tools, communicated through trusted infrastructure, and moved laterally using built-in Windows capabilities.

At every phase after initial access, the perimeter firewall was irrelevant. The attack unfolded entirely within networks that had no visibility into their own internal traffic and lacked the controls to prevent unauthorized lateral movement.

Organizations that rely solely on perimeter defenses are not asking if they will be breached, but when, and whether they will detect or prevent the attack before ransomware encrypts their systems.

The solution is defense-in-depth: layered security controls that provide detection opportunities at every phase of the attack lifecycle. 

Distributed IDPS identifies malicious patterns at the workload level. Network Traffic Analysis detects anomalous lateral movement and command-and-control activity. The Distributed Firewall enforces microsegmentation policies that block unauthorized connections before they occur.

When the perimeter fails, internal visibility becomes the difference between a contained incident and a catastrophic breach.

To learn more about vDefend and its closed-loop security capabilities, read this blog.

The post Why Perimeter Firewall is Not Enough: Lessons from the GoAnywhere MFT Zero-Day appeared first on VMware Security Blog.

The “Invisible Corridor”

Security doesn’t break all at once; it erodes in the shadows. The alert didn’t appear to be a crisis because, to your perimeter, everything looked normal. An authorized user, a permitted port, and a standard protocol—on paper was a valid connection. In reality, it was the “keys to the kingdom” being handed over. This is the new reality of East-West traffic: the most dangerous threats aren’t trying to break in; they are already inside, moving through the invisible corridors of your network.

This is the new reality of the modern datacenter. It isn’t just about the “front door” anymore; it’s about the invisible corridors an attacker creates once they are already in. According to the Verizon 2025 Data Breach Investigations Report, ransomware was involved in 44% of all confirmed breaches last year. We have entered an era where attacks occur at machine speed; with some ransomware campaigns now completing in as little as 25 minutes, the traditional “human-in-the-loop” response is no longer fast enough. As documented in The Dawn of AI-Orchestrated Cyberattacks, when AI can autonomously execute 90% of an attack chain, defenders can no longer rely on manual triage. The consequences of this speed are devastating across every industry. From healthcare, where a single ransom payout can be dwarfed by a total operational impact exceeding $2 billion, to manufacturing, where a single breach can trigger billions in economic losses, the pattern is the same. Even iconic public institutions have been taken down for months, forced back to pen and paper. The message is clear: when attackers use AI and automation to move laterally, “good enough” security becomes an invitation for disaster.

The Gap: Why Traditional Security Fails

Traditional security models fail in the modern data center because they are architecturally blind to “East-West” traffic—the communication flowing between application workloads. To provide security, legacy models force this internal traffic out of the virtual layer and onto legacy hardware appliances, a process known as “hairpinning.” This inefficient routing creates massive network complexity by forcing convoluted VLAN management and halving link capacity, while these centralized security stacks become performance bottlenecks that introduce latency and application timeouts. Ultimately, these fragmented tool silos leave security teams with a patchwork of data, creating invisible corridors that allow attackers to move laterally and unchallenged across the private cloud.

The VMware vDefend Advantage

VMware vDefend eliminates the “blind spots” and performance penalties of traditional security by fundamentally changing the architecture of the defense. Rather than trying to pull traffic out of the virtual layer for inspection, vDefend embeds security directly into the hypervisor.

vDefend delivers integrated security by operating natively within the VCF private cloud. Every hypervisor acts as a built-in sensor, providing continuous visibility and protection where application workloads actually communicate. This architecture provides security teams with essential capabilities that external tools lack, including 360-degree visibility into both east-west and north-south traffic and consistent protection that moves dynamically with application workloads.

The Foundation: vDefend Distributed Firewall 

Before addressing advanced threats, security starts with a hardened environment. The VMware vDefend Distributed Firewall (DFW) provides the essential structural foundation for Zero Trust. By moving security directly to the workload, the DFW enables precise microsegmentation that “shrinks” the attack surface, ensuring that if one VM is compromised, the threat is isolated.

To accelerate this journey, vDefend introduces the DFW 1-2-3-4 automated workflow built into the product. It is a prescriptive journey that moves you from initial visibility and “quick wins” (like securing DNS and NTP services) to full application-level microsegmentation in just a few weeks. Learn more about the DFW 1-2-3-4 approach here.

The Power of Closed-loop Security

However, walls alone—even virtual ones—are only half the story. While DFW answers, “Is this connection allowed?”, advanced threat prevention (ATP) answers the harder question: “Is this activity malicious?”

If DFW represents the structural strength of your vault—the steel doors and locked compartments—then ATP is the behavioral intelligence monitoring everything inside. Together, they create a closed-loop security that doesn’t just block known bad actors—it senses anomalies, isolates compromised assets, and neutralizes threats in one unified, automated motion.

vDefend: Hypervisor-Embedded Security

vDefend isn’t a bolt-on appliance; it is built directly into the ESXi hypervisor to disrupt the kill chain at every stage: Initial Access, Lateral Movement, and Encryption/Exfiltration.  This approach allows us to disrupt the kill chain through four unified pillars aligned with the NIST cybersecurity framework:

1. Visibility: The All-Seeing Eye

Before you can defend, you must see. vDefend turns every hypervisor into a built-in sensor, providing ubiquitous visibility into the East-West corridor.

• Security Intelligence: Integrated directly with the DFW, Security Intelligence provides a real-time, interactive “flow-map” of your entire network. It automates application flow discovery and analyzes ingested data to provide ML-based firewall rule recommendations aligned with design best practices. This streamlines lateral security and accelerates the journey to a Zero Trust private cloud.

2. Prevention: Policy-Based Hardening

Prevention is about stopping the threat before it can take root in your environment.

• Microsegmentation (DFW Policies): The Distributed Firewall (DFW) acts as the first line of defense by enforcing a “Least Privilege” model. By dividing the network into granular, isolated segments, DFW ensures that only authorized traffic can flow between specific workloads.
• Distributed intrusion detection and prevention system (IDS/IPS): By inspecting every packet at the vNIC, we can “virtually patch” workloads. By blocking an exploit attempt for a known vulnerability at the network layer, the attack is neutralized at Stage 1.
• Malware Prevention (MPS): When an attacker attempts to download a malicious payload, MPS intervenes at the hypervisor I/O layer. We inspect the file before it is fully written to disk, preventing the infection from ever reaching the guest OS.

3. Detection: Behavioral Intelligence

When adversaries use zero-day exploits or stolen credentials, detection becomes the “behavioral brain” of your defense.

• Network Traffic Analysis (NTA): vDefend ATP monitors for the subtle “tells” of lateral movement—such as DNS Tunneling, DGA, or unusual protocol misuse. By establishing a baseline of normal network behavior, NTA identifies anomalies that signatures alone would miss.
• MPS/IDS Detection Mode: Even when active blocking is not yet enabled, running IDS and MPS in “Detect-Only” mode serves as a vital control. It provides the high-fidelity early warning needed to trigger a response before an attacker can escalate.
• Network Detection and Response (NDR): NDR acts as the centralized intelligence engine, automatically mapping detections from across the VCF network to the MITRE ATT&CK framework. It “stitches” together hundreds of isolated events into a Campaign—a single, navigable narrative that shows the entire attack chain from initial exploit to final exfiltration

4. Mitigation: Limiting the Damage

Mitigation is vDefend’s strategy for containing a breach and minimizing the “blast radius” once a threat is identified.

• Containment via Segmentation: While the firewall acts as a preventive gatekeeper, proper Microsegmentation is a powerful mitigation tool. If a VM is compromised, pre-defined segmentation rules contain the spread, preventing the attacker from reaching your “crown jewels.”
• Rapid Response Playbooks: Using the insights from NDR, a breach can be neutralized in seconds. For example, a suspicious endpoint can be automatically quarantined using security tags, instantly severing its ability to move laterally or communicate with external Command & Control (C2) servers.

This closed-loop security, from visibility, prevention, detection, to mitigation, is implemented through vDefend’s VCF integration in a unique way, as depicted in the diagram below.

vDefend: Why it Matters

In the traditional data center, security has often been a trade-off. Legacy security models force you to choose between deep protection and high performance. By embedding intelligence directly into VMware Cloud Foundation, vDefend eliminates that compromise.

• Operational Simplicity: No separate agents to manage. Security policies and firewall “states” move dynamically with your workloads.
• Reduced TCO: A software-defined, closed-loop security architecture significantly reduces CAPEX by eliminating the need for expensive hardware appliances.
• Integrated Solution: Distributed Firewall, IDS, MPS, NTA, and NDR all reside “under the same roof” within a single VCF management plane, eliminating the “swivel chair” effect between tools.
• Faster MTTD/MTTR: By correlating 1,000 noisy alerts into a single MITRE-aligned Campaign, we turn a mountain of data into an actionable story.

For more information on vDefend, watch the vDefend webinar series on demand here.

The post Advancing Zero Trust Private Cloud with vDefend Lateral Security appeared first on VMware Security Blog.