
Cybersecurity researchers have reported ransomware operators abusing VMware ESXi bare-metal hypervisors by tunneling through the host's built-in SSH service, which gives them a quiet, long-lived foothold inside the virtualization layer. The vector is especially dangerous because a single ESXi host runs many virtual machines on one physical server, is rarely rebooted, and is usually monitored far less closely than the guests it hosts.
Attack Methodology:
– Initial access is gained through a known ESXi vulnerability or with stolen administrator credentials
– Once on the host, the attacker uses the built-in SSH service to set up a tunnel, so no additional tooling has to be dropped on the hypervisor
– Remote port-forwarding (a reverse tunnel from the host back to attacker-controlled infrastructure) carries command-and-control (C2) traffic through what looks like ordinary outbound SSH
– The tunnel persists because ESXi hosts typically run for months without a reboot, so one SSH session can outlive the rest of the intrusion
Critical Logging Challenges:
ESXi does not keep a single consolidated log. The events an investigator needs are spread across several files on the host, each of which has to be reviewed:
– /var/log/shell.log (commands executed in the ESXi shell, including the ssh invocation that builds the tunnel)
– /var/log/hostd.log (host agent activity, i.e. administrative actions on the host)
– /var/log/auth.log (SSH authentication events: successful and failed logins and their source addresses)
– /var/log/vobd.log (VMware observation daemon entries, which record system and security-relevant events)
Attackers frequently apply anti-forensic techniques to these files so that the tunnel and the activity around it leave no usable trace:
– Clearing logs outright
– Manipulating timestamps so that events appear out of order or outside the investigation window
– Truncating logs so that the entries covering the intrusion are gone while the file itself survives
Because all of these files are written locally on the host, an attacker with shell access can alter every one of them; only a copy forwarded off the host before tampering can be trusted.
Security Recommendations:
– Forward ESXi logs to a central log server using the host's built-in syslog forwarding, so that a copy exists which the attacker cannot edit
– Integrate the forwarded logs with a SIEM and alert on the indicators above rather than relying on manual review
– Monitor SSH activity: alert when the SSH service is enabled, on logins from unexpected source addresses, and on ssh invocations that use port-forwarding options
– Audit hosts regularly for SSH being enabled when it should not be and for configuration changes nobody authorised
– Keep firewall rules under review, since a rule change that opens SSH to networks that should not reach the host is often the first visible step
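To make the logging and monitoring points above concrete, here is an added example, written for this page and not code from the researchers or from VMware, that runs the checks a responder would want over a few constructed shell.log and auth.log lines: ssh commands carrying port-forwarding options, firewall changes made from the shell, logins from outside an assumed administrative network (10.10.0.0/16 is a placeholder), and timestamps that run backwards, which a log written in order never shows. The line layout (ISO-8601 timestamp, process[pid], message) is an assumption modelled on ESXi's logs; real hosts may add a priority tag, so adjust LINE_RE before pointing it at real files.

```python
"""Triage checks for ESXi shell.log / auth.log (constructed samples, added example)."""
import ipaddress
import re
import shlex
from datetime import datetime

# Constructed sample lines. They imitate the general shape of ESXi logs
# (timestamp, process[pid], message) but are NOT real host output.
SHELL_LOG = """\
2025-01-20T08:12:41Z shell[2098256]: [root]: esxcli network firewall ruleset list
2025-01-20T08:13:05Z shell[2098256]: [root]: esxcli network firewall set --enabled false
2025-01-20T08:13:22Z shell[2098256]: [root]: ssh -fN -R 127.0.0.1:8443:127.0.0.1:443 -o StrictHostKeyChecking=no svc@203.0.113.10
2025-01-20T08:20:00Z shell[2098256]: [root]: vim-cmd vmsvc/getallvms
2025-01-20T07:55:00Z shell[2098256]: [root]: ls /vmfs/volumes
"""

AUTH_LOG = """\
2025-01-20T08:10:02Z sshd[2098200]: Accepted keyboard-interactive/pam for root from 10.10.0.5 port 51822 ssh2
2025-01-20T08:11:30Z sshd[2098240]: Accepted publickey for root from 203.0.113.10 port 40110 ssh2
2025-01-20T08:11:45Z sshd[2098250]: Failed password for invalid user admin from 198.51.100.7 port 44444 ssh2
"""

# Assumed line layout; real ESXi releases may prefix a priority tag such as In(14).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
SHELL_CMD_RE = re.compile(r"^\[(?P<user>[^\]]+)\]:\s*(?P<cmd>.*)$")
LOGIN_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
# ssh options that build a tunnel: remote forward (-R), local forward (-L),
# dynamic SOCKS (-D), stdio forward (-W) and tun device (-w).
TUNNEL_FLAGS = set("RLDWw")


def parse_log(text):
    """Yield {ts, proc, msg} for every line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        yield {"ts": ts, "proc": m.group("proc"), "msg": m.group("msg")}


def shell_commands(shell_log):
    """Yield (record, user, command) for shell.log entries that carry a command."""
    for rec in parse_log(shell_log):
        m = SHELL_CMD_RE.match(rec["msg"]) if rec["proc"] == "shell" else None
        if m:
            yield rec, m.group("user"), m.group("cmd")


def find_ssh_tunnels(shell_log):
    """Return shell.log commands that run ssh with a port-forwarding option.
    Combined short options such as -fNR are handled by scanning each token's letters."""
    hits = []
    for rec, user, cmd in shell_commands(shell_log):
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: skip here, but worth a manual look
            continue
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        flags = sorted({c for tok in argv[1:] if tok.startswith("-") and not tok.startswith("--")
                        for c in tok[1:] if c in TUNNEL_FLAGS})
        if flags:
            hits.append({"ts": rec["ts"], "user": user, "flags": flags, "cmd": cmd})
    return hits


def find_firewall_changes(shell_log):
    """Return esxcli firewall commands that change state (listing/getting is ignored)."""
    return [cmd for _, _, cmd in shell_commands(shell_log)
            if re.match(r"esxcli\s+network\s+firewall\b", cmd)
            and not re.search(r"\b(list|get)\b", cmd)]


def find_foreign_logins(auth_log, allowed_nets):
    """Return successful SSH logins whose source lies outside the admin networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for rec in parse_log(auth_log):
        m = LOGIN_RE.match(rec["msg"]) if rec["proc"] == "sshd" else None
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in n for n in nets):
            hits.append({"ts": rec["ts"], "user": m.group("user"), "src": str(src)})
    return hits


def find_timeline_anomalies(log):
    """Return entries whose timestamp is earlier than the entry before them.
    An append-only log never does this, so it is a cheap signal for timestamp
    manipulation or a truncate-and-rewrite of the file."""
    out, prev = [], None
    for rec in parse_log(log):
        if prev is not None and rec["ts"] < prev:
            out.append({"ts": rec["ts"], "previous": prev, "msg": rec["msg"]})
        prev = rec["ts"]
    return out


if __name__ == "__main__":
    for h in find_ssh_tunnels(SHELL_LOG):
        print("tunnel  :", h["ts"], h["user"], h["flags"], h["cmd"])
    for c in find_firewall_changes(SHELL_LOG):
        print("firewall:", c)
    for h in find_foreign_logins(AUTH_LOG, ["10.10.0.0/16"]):
        print("login   :", h["ts"], h["user"], "from", h["src"])
    for a in find_timeline_anomalies(SHELL_LOG):
        print("rewound :", a["ts"], "<", a["previous"], a["msg"])
```

Run these checks against the copy of the logs that reached the central syslog server rather than against the files on the host: the host copies are exactly the ones the attacker can truncate or clear, and the timeline check in particular only means something on a copy the attacker could not rewrite.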
This emerging threat shows why virtualized infrastructure needs the same scrutiny as the workloads it hosts: for ESXi that means watching SSH activity on the hypervisor itself and getting its logs off the host before they can be altered.