- Researchers find hackers using VMware ESXi’s SSH tunneling in attacks
- The campaigns end up with ransomware infections
- The researchers suggested ways to hunt for indicators of compromise
Cybercriminals are using SSH tunneling functionality on ESXi bare metal hypervisors for stealthy persistence, to help them deploy ransomware on target endpoints, experts have warned.
Cybersecurity researchers from Sygnia have highlighted how ransomware actors are targeting virtualized infrastructure, particularly VMware ESXi appliances, enterprise-grade, bare-metal hypervisors used to virtualize hardware, enabling multiple virtual machines to run on a single physical server.
They are designed to maximize resource utilization, simplify server management, and improve scalability by abstracting the underlying hardware. As such, they are considered essential in data centers, cloud infrastructures, and virtualization solutions, and offer a tunneling feature, allowing users to securely forward network traffic between a local machine and the ESXi host over an encrypted SSH connection. This method is commonly used to access services or management interfaces on the ESXi host that are otherwise inaccessible due to network restrictions or firewalls.
Attacking in silence
The researchers say ESXi appliances are relatively neglected from a cybersecurity standpoint, and as such have been a popular target for threat actors seeking to compromise corporate infrastructure. Since they’re not that diligently monitored, hackers can use it stealthily.
To break into the appliance, crooks would either abuse known vulnerabilities, or log in using compromised admin passwords.
“Once on the device, setting up the tunneling is a simple task using the native SSH functionality or by deploying other common tooling with similar capabilities,” the researchers said.
“Since ESXi appliances are resilient and rarely shutdown unexpectedly, this tunneling serves as a semi-persistent backdoor within the network.”
To make matters worse, logs (the cornerstone of every security monitoring effort) are not as easy to track, as with other systems. According to Sygnia, ESXi distributes logs across multiple dedicated files, which means IT pros and forensic analysts need to combine information from different sources.
That being said, the researchers said IT pros should look into four specific log files to detect possible SSH tunneling activity.
Via BleepingComputer