ESXi Exploitation in the Wild

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/esxi-vm-escape-exploit

ONE SENTENCE SUMMARY:

A sophisticated intrusion exploited VMware ESXi vulnerabilities via SonicWall VPN, enabling VM escape and attempted hypervisor compromise.

MAIN POINTS:

  1. Initial access occurred through a compromised SonicWall VPN.
  2. Intrusion utilized VMware ESXi exploits with potentially zero-day vulnerabilities.
  3. Attack involved lateral movement and domain controller compromise.
  4. VMware VMCI and VMX processes were targeted for escape.
  5. Exploit orchestrated by MAESTRO with various embedded tools.
  6. VSOCK used for stealthy backdoor communication, avoiding detection.
  7. PDB paths suggest Chinese-speaking developer involvement.
  8. Attack demonstrated sophisticated chaining of vulnerabilities.
  9. Quick backdoor installation without long-term persistence.
  10. Recommended immediate ESXi patching to defend against similar threats.

TAKEAWAYS:

  1. Regularly update and patch ESXi to prevent exploitation.
  2. Monitor network for unusual VSOCK activity.
  3. Secure SonicWall VPN to prevent initial access.
  4. Use detection tools like Yara and Sigma to identify related threats.
  5. Be aware of possible sophisticated, well-resourced attacks with early access to zero-days.