2025-01-31 07:17:03 Pacfic
ESXi Ransomware Attacks Utilize SSH Tunneling - 3d
Ransomware gangs are increasingly using SSH tunneling to maintain stealthy access when targeting VMware ESXi hypervisors. This technique allows attackers to remain undetected while they move laterally within the system and deploy ransomware. Cyber security firm Sygnia's investigation has revealed that after infiltrating ESXi instances by exploiting known vulnerabilities or using stolen administrator credentials, the attackers utilize the built-in SSH service to establish covert pathways for ransomware delivery. The use of SSH tunnels, often configured with remote port-forwarding to the attacker's command-and-control server, creates a semi-persistent backdoor due to the resilience and infrequent shutdowns of ESXi appliances.
This persistent access poses a serious threat to virtualized environments as ransomware can cripple an entire business by encrypting vital virtual machines. Researchers recommend that administrators monitor specific log files, including those tracking ESXi Shell command execution, user authentication, and login attempts to identify potential SSH-based intrusions. They also suggest keeping a close watch on the hostd.log and vodb.log files as key sources of information to detect potential SSH access persistence. This is critical in an effort to detect and mitigate these sophisticated attacks.
ImgSrc: files.cyberriskalliance.com
References:
- @BleepingComputer - Ransomware actors targeting ESXi bare metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected. - 3d
- Security Affairs - Threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection. - 3d
- SCM feed for Threat Management - Covert VMware ESXI-targeted ransomware hack facilitated by SSH tunneling - 3d
- www.bleepingcomputer.com - Ransomware gang uses SSH tunnels for stealthy VMware ESXi access - 3d
- ciso2ciso.com - ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com - 3d
- www.sygnia.co - Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence. - 3d
- @jos1264 - ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com - 3d
- @VirusBulletin - Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence. - 3d
- CISO2CISO.COM & CYBER SECURITY GROUP - Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations – Source:thehackernews.com - 2d
Classification:
- HashTags: ESXi Ransomware SSHTunneling
- Company: VMware
- Target: VMware ESXi Users
- Attacker: Ransomware Groups
- Product: ESXi
- Feature: SSH Tunneling
- Type: Ransomware
- Severity: Major