InfoSecBulletin Cybersecurity for mankind
Sygnia’s recent report highlights the changing strategies of ransomware groups targeting VMware ESXi appliances. These attackers exploit vital virtual infrastructure to disrupt operations and remain hidden in compromised networks.
ESXi appliances have become prime targets due to their role in hosting vital virtual machines. “Damaging them renders virtual machines inaccessible, severely disrupting the business operations of affected organizations,” notes Sygnia.
Check Point said BreachForum post old data
Apple Warns of 3 Zero Day Vulns Actively Exploited
24,000 unique IP attempted to access Palo Alto GlobalProtect portals
CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access
Australian fintech database exposed in 27000 records
Over 200 Million Info Leaked Online Allegedly Belonging to X
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
Ransomware operators use ESXi devices to secretly tunnel malicious traffic within networks, often avoiding detection because of minimal monitoring.
The report highlights SSH tunneling as a tactic where attackers create a semi-persistent backdoor by using stolen admin credentials or vulnerabilities to access ESXi devices.
Threat actors use SSH to create a remote port-forwarding SOCKS tunnel, allowing them to mix malicious traffic with legitimate activity.
Sygnia explains, “Since ESXi appliances are resilient and rarely shutdown unexpectedly, this tunneling serves as a semi-persistent backdoor within the network.”
This method lets attackers avoid security measures and keep access for a long time.
ESXi’s logging structure complicates forensic investigations. Unlike traditional syslogs, ESXi organizes logs by activity, spreading critical events across multiple files, such as /var/log/shell.log, /var/log/auth.log, and /var/log/hostd.log. Sygnia emphasizes, “Configuring syslog forwarding from the ESXi server to an external syslog server can solve the issue.”
The report shows how Abyss Locker ransomware exploits ESXi appliances. Attackers exploited ESXi devices and NAS for network access, highlighting the importance of strong monitoring and defense strategies.
