Monday , January 27 2025
VMware ESXi

New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

infosecbulletin 14 hours ago International

Sygnia’s recent report highlights the changing strategies of ransomware groups targeting VMware ESXi appliances. These attackers exploit vital virtual infrastructure to disrupt operations and remain hidden in compromised networks.

ESXi appliances have become prime targets due to their role in hosting vital virtual machines. “Damaging them renders virtual machines inaccessible, severely disrupting the business operations of affected organizations,” notes Sygnia.

UnitedHealth confirms 190 million impacted by 2024 data breach

By infosecbulletin / Monday , January 27 2025
UnitedHealth confirmed that the ransomware attack on its Change Healthcare unit last February impacted about 190 million Americans, nearly double...
Read More
UnitedHealth confirms 190 million impacted by 2024 data breach

Registration Open For BCS CTF 2025

By infosecbulletin / Monday , January 27 2025
So, to test your cyber security skill, here is another chance to do that. Bangladesh computer society (BCS) is going...
Read More
Registration Open For BCS CTF 2025

New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

By infosecbulletin / Sunday , January 26 2025
Sygnia's recent report highlights the changing strategies of ransomware groups targeting VMware ESXi appliances. These attackers exploit vital virtual infrastructure...
Read More
New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass

By infosecbulletin / Friday , January 24 2025
An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting...
Read More
Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass

CISA Releases 6 ICS Advisories Detailing Security Issues

By infosecbulletin / Friday , January 24 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released 6 advisories for Industrial Control Systems (ICS), highlighting vulnerabilities in various...
Read More
CISA Releases 6 ICS Advisories Detailing Security Issues

Account Credentials for Security Vendors Found on Dark Web: Cyble Report

By infosecbulletin / Thursday , January 23 2025
# "While many leaked security credentials belong to customers, some exposed sensitive accounts suggest that security vendors too have been...
Read More
Account Credentials for Security Vendors Found on Dark Web: Cyble Report

Four Critical Ivanti CSA Vulnerabilities Exploited: CISA , FBI warns

By infosecbulletin / Thursday , January 23 2025
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory...
Read More
Four Critical Ivanti CSA Vulnerabilities Exploited: CISA , FBI warns

GitLab Releases Patch (CVE-2025-0314) for XSS Exploit

By infosecbulletin / Thursday , January 23 2025
GitLab has released update for high severity cross-site scripting (XSS) flaw. Versions 17.8.1, 17.7.3, and 17.6.4 for both Community Edition...
Read More
GitLab Releases Patch (CVE-2025-0314) for XSS Exploit

CVE-2025-20156
Cisco Fixes Meeting Management Allowing Privilege Escalation

By infosecbulletin / Thursday , January 23 2025
Cisco has released a security advisory concerning a critical privilege escalation vulnerability (CVE-2025-20156) in its Meeting Management software. With a...
Read More
CVE-2025-20156 Cisco Fixes Meeting Management Allowing Privilege Escalation

Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack

By infosecbulletin / Wednesday , January 22 2025
Fortinet customers must apply the latest updates, as almost 50,000 management interfaces remain vulnerable to the latest zero-day exploit. The...
Read More
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack

Ransomware operators use ESXi devices to secretly tunnel malicious traffic within networks, often avoiding detection because of minimal monitoring.

The report highlights SSH tunneling as a tactic where attackers create a semi-persistent backdoor by using stolen admin credentials or vulnerabilities to access ESXi devices.

Threat actors use SSH to create a remote port-forwarding SOCKS tunnel, allowing them to mix malicious traffic with legitimate activity.

Sygnia explains, “Since ESXi appliances are resilient and rarely shutdown unexpectedly, this tunneling serves as a semi-persistent backdoor within the network.”

This method lets attackers avoid security measures and keep access for a long time.

ESXi’s logging structure complicates forensic investigations. Unlike traditional syslogs, ESXi organizes logs by activity, spreading critical events across multiple files, such as /var/log/shell.log, /var/log/auth.log, and /var/log/hostd.log. Sygnia emphasizes, “Configuring syslog forwarding from the ESXi server to an external syslog server can solve the issue.”

The report shows how Abyss Locker ransomware exploits ESXi appliances. Attackers exploited ESXi devices and NAS for network access, highlighting the importance of strong monitoring and defense strategies.

Check Also

Cybersecurity

$12.9 B Cybersecurity Boom Awaits India for 2030

India has made strides in cybersecurity by clarifying ministerial roles in September 2024 and implementing …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2025, All Rights Reserved InfoSecBulletin